Open pbhalera opened 3 years ago
I agree. It seems that many parameters are missing. According to the documentation, https://developer.hashicorp.com/vault/api-docs/auth/jwt#configure we can configure a jwt auth backend with one (and only one) of
When not using oidc_discovery_url, we need a way to provide all the needful urls. I don't see how it could work right now, although for now I'm stuck because of another issue when trying to configure oidc with jwks_url instead of oidc_discovery_url (https://github.com/hashicorp/vault-plugin-auth-jwt/issues/272).
Here's what a manual oidc configuration looks like when connecting from kibana to keycloak, for example (it's with ReadonlyREST):

```yaml
buttonName: "..."
type: "oidc"
issuer: "..."
authorizationURL: "..."
tokenURL: '...'
userInfoURL: '...'
jwksURL: '...'
clientID: '...'
clientSecret: "..."
scope: '...'
usernameParameter: '...'
groupsParameter: "..."
protocol: '...'
kibanaExternalHost: "..."
logoutUrl: "..."
```
We need at least:
| Field name suggestion | Field name in well-known url | Comment |
|---|---|---|
| issuer | issuer | Missing. Could be skipped if same as bound_issuer, but right now it doesn't seem to be the case: vault seems to have a separate entity for the issuer field than what is configured as bound_issuer. See https://discuss.hashicorp.com/t/unable-to-create-provider-oidc-issuer-did-not-match-the-issuer-returned-by-provider-with-keycloak-idp/61851 |
| authorization_endpoint | authorization_endpoint | Missing |
| token_endpoint | token_endpoint | Missing |
| jwks_url | jwks_uri | OK |
| oidc_client_id | - | OK, but should be allowed when jwks_url is present. See https://github.com/hashicorp/vault-plugin-auth-jwt/issues/272 |
| oidc_client_secret | - | OK |
| end_session_endpoint | end_session_endpoint | Missing |
| userinfo_endpoint | userinfo_endpoint | Missing. Would be a must have (it's an optional endpoint in the OpenID Connect standard) |
OIDC workflow reminder (Vault is the relying party)
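To make the table above concrete, here is an added example (not code from the vault-plugin-auth-jwt project or from the commenter) that validates a manually supplied endpoint set the way a discovery-less backend would have to: it enforces the exclusivity of oidc_discovery_url and jwks_url, requires the endpoints the table marks as missing, checks that issuer and bound_issuer agree, and rebuilds the well-known document from the manual fields. The suggested field names and the sample Keycloak-style realm are assumptions taken from the table, not the plugin's real parameters.

```python
from urllib.parse import urlparse

# Suggested config field -> key in /.well-known/openid-configuration (the table above).
# Field names are the comment's suggestions (hypothetical), not the plugin's real parameters.
ENDPOINT_FIELDS = {
    "issuer": "issuer",
    "authorization_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "jwks_url": "jwks_uri",
    "userinfo_endpoint": "userinfo_endpoint",        # optional in OpenID Connect Core
    "end_session_endpoint": "end_session_endpoint",  # optional (RP-initiated logout)
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_url")

def _is_https_url(value):
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.netloc)

def validate_manual_oidc_config(cfg):
    """Return a list of problems; empty means the manual endpoint set is complete."""
    problems = []
    if cfg.get("oidc_discovery_url") and cfg.get("jwks_url"):
        problems.append("oidc_discovery_url and jwks_url are mutually exclusive")
    if cfg.get("oidc_discovery_url"):
        return problems  # the discovery document supplies every other endpoint
    for field in REQUIRED:
        if not cfg.get(field):
            problems.append(f"{field} is required when oidc_discovery_url is not set")
    for field in ENDPOINT_FIELDS:
        if cfg.get(field) and not _is_https_url(cfg[field]):
            problems.append(f"{field} must be an https URL, got {cfg[field]!r}")
    if cfg.get("bound_issuer") and cfg.get("issuer") and cfg["bound_issuer"] != cfg["issuer"]:
        problems.append("bound_issuer differs from issuer; the token 'iss' check would fail")
    return problems

def synthesize_discovery_document(cfg):
    """Build the well-known document discovery would have returned, from the manual fields."""
    return {wk: cfg[field] for field, wk in ENDPOINT_FIELDS.items() if cfg.get(field)}

# Constructed sample: a Keycloak-style realm that exposes no discovery endpoint.
REALM = "https://idp.example.test/realms/demo"
SAMPLE_CONFIG = {
    "issuer": REALM, "bound_issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "jwks_url": REALM + "/protocol/openid-connect/certs",
    "userinfo_endpoint": REALM + "/protocol/openid-connect/userinfo",
}
```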
While configuring an OIDC provider, I encountered that the provider doesn't expose the /.well-known/openid-configuration endpoint. But it has all of the Authorization endpoint, Token endpoint and Userinfo endpoint. But the current implementation doesn't support it.
Can you please support overwriting these endpoints in the Vault auth configuration?