hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Cloudflare Access as auth method #6233

Open yawn opened 5 years ago

yawn commented 5 years ago

Is your feature request related to a problem? Please describe.

In the absence of IaaS vendor-integrated managed solutions for Vault I'd prefer not to deploy Vault on the Internet w/o additional protections. Using an indirection like Argo/Access with the latter taking care of the BeyondCorp-style authentication would fit the bill (while adding Cloudflare as a MiTM attack vector).

Describe the solution you'd like

Use Cloudflare Access to protect Vault from direct unauthenticated access on the Internet while authenticating users directly using the JWT request headers provided by Access. This solution would not require additional user management infrastructure. If the Argo tunnel setup would be integrated this would be an extremely simple setup to create hidden/protected Vault installations.

I have not yet explored group or additional attribute mapping options that may or may not be available by using an IdP that supports them (especially SAML).

This ticket basically asks the question if such an auth method as the one described there makes sense to the Vault maintainers or if a custom plugin (maybe integrating Argo directly, as described above) is a better fit.

jefferai commented 5 years ago

Vault already has a JWT auth plugin and already allows plugins to be passed request headers. It sounds like what you want may simply be a modification to the JWT auth plugin to allow the value to be read via a header instead of a POST parameter?

yawn commented 5 years ago

Maybe that's an even better solution - I didn't check the SAML integration with CFA but for all the methods I tested you just get the email anyway. So maybe a PR against the JWT plugin is the way to go.

mvisonneau commented 4 years ago

From what I understood, the JWT token is only used in order to authenticate against CFA. Once authenticated/authorized, the application behind it only gets a Cf-Access-Authenticated-User-Email: user@example.com header and as they say:

This allows you to identify the user who has currently logged in. It is critical to ensure that only Cloudflare can send requests to your origin if you rely on this header.

https://developers.cloudflare.com/access/setting-up-access/managing-user-sessions/

I am not convinced this would be sufficient in terms of security for a Vault endpoint, unfortunately :( I am also looking to implement something similar. If someone has better ideas I am all ears!

aditsachde commented 4 years ago

Cloudflare Access does actually send the JWT and exposes endpoints for the keys. Cloudflare includes the JWT with all authenticated requests in two places: the response header Cf-Access-Jwt-Assertion and the cookie CF_Authorization. The JWT could be taken from the header without having to worry about cookies.

The header Cf-Access-Authenticated-User-Email is just a shortcut/easier way to get the email, but they do say do not depend on it without validating the JWT. The email is also in the JWT.

The signing keys also have a specific endpoint to allow easy fetching. There is also a way to fetch additional group details from the SSO provider by sending the JWT to a specific endpoint.

I'm not really sure if the specifics would allow it to be easily integrated with the existing JWT auth method or if something new would have to be created.

https://developers.cloudflare.com/access/setting-up-access/json-web-token/ https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/

Lucretius commented 4 years ago

We looked into using Cloudflare Access for auth as well.

Ultimately, I think this would require a separate auth plugin, but it is probably possible to do so by forking the existing JWT plugin and making a few alterations:

1) The actual login method will probably just use the Go code snippet provided by Cloudflare here along with the user/group claim validations already done by the JWT plugin. The login method will need to call the special Cloudflare endpoint to get the group claims.

2) The JWT config would need to be altered to require those additional properties required to make the above login call (audience tag for the application, and Cloudflare access domain), and probably remove the other JWT properties (like jwk_url) because the handling logic for Cloudflare is very specific.

Otherwise I think the core of the JWT plugin can remain the same. The OIDC code can then be stripped out as it won't be used.


EDIT: I've gone and done what I've proposed above. The tests are still broken, and I've only tested it for my specific use case, but I am able to get an actual token from passing in my JWT I get after running cloudflared access token -app=<my_cloudflare_app_domain>. It doesn't have the niceties of the OIDC flow that's baked into the UI and you have to log in using the token generated after running login via the CLI. The code verifies the JWT and retrieves the group claims as well - so you can map to Vault groups for access (maps to the IDs of the groups).

https://github.com/Lucretius/vault-plugin-auth-cloudflare-access
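The validation that aditsachde and Lucretius describe above (take the JWT from the Cf-Access-Jwt-Assertion header, check its signature against the published key set, and require the application's audience tag and issuer before trusting the email claim) as an added, self-contained Go example. This is not code from Vault, from the plugin linked above, or from Cloudflare: it uses only the Go standard library, generates its own RSA key and a JWKS-shaped key set in place of Cloudflare's certs endpoint, and the issuer URL, audience tag and email are constructed values. It also assumes the "aud" claim is a JSON array and that the header carries a "kid" matching a key in the set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed values standing in for a team's Access issuer and an application's audience tag.
const (
	issuer = "https://example.cloudflareaccess.com"
	appAUD = "constructed-audience-tag"
)

// jwk is the subset of a JSON Web Key an RS256 verifier needs; jwks mirrors a {"keys": [...]} document.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct {
	Keys []jwk `json:"keys"`
}

// accessClaims holds the registered claims checked here plus the email claim.
type accessClaims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Exp   int64    `json:"exp"`
	Email string   `json:"email"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// keyToJWK publishes an RSA public key in the form a certs endpoint would serve.
func keyToJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kid: kid, Kty: "RSA", N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 mints a compact JWT; it plays the part of the Access signer for this example only.
func signRS256(priv *rsa.PrivateKey, kid string, claims accessClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAccessJWT checks signature (against the key set), issuer, audience and expiry,
// and only then returns the email claim. The algorithm is pinned to RS256 so that the
// token's own "alg" header cannot downgrade the check.
func VerifyAccessJWT(token string, keys jwks, wantIss, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected or unreadable header (alg=%q)", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		nb, err1 := base64.RawURLEncoding.DecodeString(k.N)
		eb, err2 := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && err1 == nil && err2 == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("no RSA key with kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature invalid")
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c accessClaims
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return "", err
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	switch {
	case c.Iss != wantIss:
		return "", fmt.Errorf("issuer %q not trusted", c.Iss)
	case !audOK:
		return "", errors.New("token was not issued for this application")
	case now.Unix() >= c.Exp:
		return "", errors.New("token expired")
	case c.Email == "":
		return "", errors.New("no email claim")
	}
	return c.Email, nil
}

// Demo runs the verifier over three constructed tokens: a valid one, one minted for another
// application, and one whose payload was swapped after signing. The last two must be rejected.
func Demo() (email string, badAud, tampered error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	set := jwks{Keys: []jwk{keyToJWK("key-1", &priv.PublicKey)}}
	now := time.Unix(1700000000, 0)
	claims := accessClaims{Iss: issuer, Aud: []string{appAUD}, Exp: now.Add(time.Hour).Unix(), Email: "user@example.com"}
	good, err := signRS256(priv, "key-1", claims)
	if err != nil {
		return
	}
	if email, err = VerifyAccessJWT(good, set, issuer, appAUD, now); err != nil {
		return
	}
	claims.Aud = []string{"other-app"}
	other, _ := signRS256(priv, "key-1", claims)
	_, badAud = VerifyAccessJWT(other, set, issuer, appAUD, now)
	forged, _ := json.Marshal(accessClaims{Iss: issuer, Aud: []string{appAUD}, Exp: claims.Exp, Email: "admin@example.com"})
	p := strings.Split(good, ".")
	_, tampered = VerifyAccessJWT(p[0]+"."+b64(forged)+"."+p[2], set, issuer, appAUD, now)
	return
}

func main() {
	email, badAud, tampered, err := Demo()
	fmt.Println("valid token ->", email, err)
	fmt.Println("wrong audience ->", badAud)
	fmt.Println("swapped payload ->", tampered)
}
```

In a real deployment the key set would be fetched from the team's certs endpoint and refreshed periodically, and the origin would additionally have to accept requests only from Cloudflare, since a client that can reach Vault directly can set the Cf-Access-Jwt-Assertion header itself and the JWT check is then the only thing standing between it and a login.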

hsimon-hashicorp commented 4 months ago

Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!