hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Support passthrough authentication in the vault UI #17475

Open ajpauwels opened 2 years ago

ajpauwels commented 2 years ago

Is your feature request related to a problem? Please describe.
As an infrastructure operator, I want to provide a smooth login/SSO experience to the developers I maintain infrastructure for. To that end, I have a common identity provider (keycloak), and a common identity broker (oauth2-proxy), which communicate using OIDC and provide a common login interface/way to acquire an id_token and an access_token through a browser. The routes that point to my workloads automatically redirect to the identity broker if a token is not provided when it is required.

To that end, I'd like the Vault UI to simply accept the JWT provided by e.g. an Authorization header and automatically exchange it for a vault token without going through the UI/sign-in process. That way, my oauth2-proxy could coordinate the login process and then redirect to the vault UI with a valid login token for e.g. JWT auth.

Note that this feature actually already exists but only for pre-wrapped vault tokens. By providing ?wrapped_token=<...> to the vault UI root route query parameter, you can skip the sign-in process. This feature would simply extend this to provide tokens other than a vault token. I could also write a proxy that authenticates with the provided JWT and then forwards with a wrapped_token.

Describe the solution you'd like
Provide an Authorization header to vault UI requests that vault UI can automatically use for auth on the first request.

Describe alternatives you've considered
Making a proxy that acts as a middle man and does this for me.

Explain any additional use-cases
Any use case with a common login gateway.
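The "proxy that authenticates with the provided JWT and then forwards with a wrapped_token" mentioned above, as an added example that is not part of this thread and not Vault's own code: it takes the bearer JWT a broker such as oauth2-proxy forwards, exchanges it at /v1/auth/jwt/login with X-Vault-Wrap-TTL so Vault returns a response-wrapped token, and redirects the browser to the UI's existing ?wrapped_token= parameter. The Vault address, role name, wrap TTL and the /ui/ path are assumed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Exchanger turns a bearer JWT into a response-wrapped Vault token via
// /v1/auth/jwt/login (X-Vault-Wrap-TTL) and redirects to the UI's ?wrapped_token=.
type Exchanger struct{ VaultAddr, Role, WrapTTL string } // assumed: https://127.0.0.1:8200, "my-role", "300s"

// Exchange posts {"role","jwt"} and returns wrap_info.token. The body is
// JSON-encoded, not string-concatenated, so an odd header cannot break it.
func (e *Exchanger) Exchange(jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": e.Role, "jwt": jwt})
	req, err := http.NewRequest(http.MethodPost, e.VaultAddr+"/v1/auth/jwt/login", strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Wrap-TTL", e.WrapTTL) // ask Vault to wrap the auth response
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ WrapInfo struct{ Token string `json:"token"` } `json:"wrap_info"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil || out.WrapInfo.Token == "" {
		return "", fmt.Errorf("vault login failed: %s", resp.Status)
	}
	return out.WrapInfo.Token, nil
}

// ServeHTTP reads "Authorization: Bearer <jwt>", exchanges it and redirects;
// only the short-lived wrapping token, never the JWT, reaches the browser URL.
func (e *Exchanger) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	jwt, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
	if !ok {
		http.Error(w, "missing bearer token", http.StatusUnauthorized)
		return
	}
	tok, err := e.Exchange(jwt)
	if err != nil {
		http.Error(w, "login failed", http.StatusUnauthorized)
		return
	}
	http.Redirect(w, r, e.VaultAddr+"/ui/?wrapped_token="+url.QueryEscape(tok), http.StatusFound)
}
```

The wrapping token is single-use and expires after WrapTTL, so a leaked redirect URL is worth far less than the JWT or the unwrapped Vault token.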

bluecmd commented 1 year ago

FWIW, we solved this by using OpenResty and this location stanza:

    location /v1/auth/jwt/login {
        default_type application/json;
        # Rebuild the request body as a JWT login payload from the identity-aware
        # proxy's header (name as in the original comment); the client's own body is discarded.
        access_by_lua_block {
            local jwt = ngx.req.get_headers()["x-pomerium-jwt-assertion"]
            if not jwt then
                ngx.exit(ngx.HTTP_UNAUTHORIZED)  -- missing header: reject instead of a nil-concat error
            end
            ngx.req.read_body()
            -- cjson.encode keeps the JSON well-formed whatever the header value contains
            ngx.req.set_body_data(require("cjson").encode({ role = "my-role", jwt = jwt }))
        }

        proxy_pass https://127.0.0.1:8200;
    }

SoundGoof commented 1 year ago

And for true SSO via web:

vault write sys/auth/jwt/tune listing_visibility="unauth"