puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0

Add support for client credentials flow for multitenant app in microsoft_azure_ad provider #50

Closed vavsab closed 3 years ago

vavsab commented 3 years ago

Use Case

I have created a multitenant app in the Azure Portal. I'm using the client credentials flow. Now I want to write the client ID and secret into Vault once and then generate tokens for different tenants.

Describe the Solution You Would Like

The perfect flow for this case:

vault secrets enable -path=oauth2/azure oauthapp

vault write oauth2/azure/config provider=microsoft_azure_ad client_id=*** client_secret=*** provider_options=tenant=common

# Currently I cannot override the tenant here
vault write oauth2/azure/config/self/org1 scopes=https://graph.microsoft.com/.default provider_options=tenant=<org1_tenant_guid>

# Currently I cannot override the tenant here
vault write oauth2/azure/config/self/org2 scopes=https://graph.microsoft.com/.default provider_options=tenant=<org2_tenant_guid>

vault read oauth2/azure/self/org1
vault read oauth2/azure/self/org2

Describe Alternatives You've Considered

If I could write into a separate path for every tenant:

vault write oauth2/azure_org1/config provider=microsoft_azure_ad client_id=*** client_secret=*** provider_options=tenant=<org1_tenant_guid>

vault write oauth2/azure_org2/config provider=microsoft_azure_ad client_id=*** client_secret=*** provider_options=tenant=<org2_tenant_guid>

But then I will need to duplicate my client id and secret for every org.

Please let me know if this solution is ok for you. I could contribute if you have no time to implement this feature.
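What the requested feature boils down to at the protocol level is one shared `client_id`/`client_secret` pair being presented to a different Azure AD v2.0 token endpoint for each tenant (`https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`). The following is an added example, not code from this issue or from the vault-plugin-secrets-oauthapp project, showing that mapping outside Vault. It also carries the check a practitioner wants when wiring this up: the client credentials grant has to target a specific tenant (GUID or verified domain), so the `common`, `organizations` and `consumers` placeholders are rejected, and the scope must be an application-permission scope ending in `/.default`. All function names, the tenant IDs and the credential values are constructed for illustration.

```python
"""Added example (not part of vault-plugin-secrets-oauthapp): build one Azure AD
client-credentials token request per tenant from a single shared credential."""
import json
import re
import urllib.request
import uuid
from urllib.parse import urlencode

LOGIN_BASE = "https://login.microsoftonline.com"  # Azure AD global cloud endpoint
DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Accepted for interactive sign-in, but the client credentials grant must be
# issued against one concrete tenant, so these are refused up front.
_SHARED_ALIASES = {"common", "organizations", "consumers"}
_DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$", re.IGNORECASE)


def validate_tenant(tenant: str) -> str:
    """Return a normalised tenant identifier (lowercase GUID or domain) or raise ValueError."""
    t = tenant.strip()
    if t.lower() in _SHARED_ALIASES:
        raise ValueError(
            f"tenant {t!r} cannot be used with client credentials; supply a tenant GUID or domain"
        )
    try:
        return str(uuid.UUID(t))  # normalises case and hyphenation of a GUID
    except ValueError:
        pass
    if _DOMAIN_RE.match(t):
        return t.lower()
    raise ValueError(f"tenant {t!r} is neither a GUID nor a domain name")


def build_token_request(tenant, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Return (url, form) for the v2.0 client credentials grant against one tenant."""
    if not scope.endswith("/.default"):
        raise ValueError("client credentials needs an application-permission scope ending in /.default")
    url = f"{LOGIN_BASE}/{validate_tenant(tenant)}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return url, form


def requests_for_tenants(tenants, client_id, client_secret, scope=DEFAULT_SCOPE):
    """Map each named tenant to its own request; every request reuses the same credential,
    which is exactly the duplication the issue wants Vault to avoid."""
    return {
        name: build_token_request(tenant_id, client_id, client_secret, scope)
        for name, tenant_id in tenants.items()
    }


def fetch_token(url, form, timeout=10):
    """Perform the POST and return the parsed JSON token response (network; not run offline)."""
    req = urllib.request.Request(
        url,
        data=urlencode(form).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input: two tenants (one GUID, one domain), one shared app credential.
    tenants = {
        "org1": "11111111-1111-1111-1111-111111111111",
        "org2": "contoso.onmicrosoft.com",
    }
    for name, (url, form) in requests_for_tenants(tenants, "app-client-id", "app-client-secret").items():
        redacted = {k: v for k, v in form.items() if k != "client_secret"}
        print(name, url, urlencode(redacted))
```

Only the tenant segment of the URL changes between `org1` and `org2`; the form body is identical apart from nothing, which is why storing the credential once and overriding the tenant per server entry (as the issue asks) loses nothing. `fetch_token` is included to show the actual exchange but is never called in the offline run.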

impl commented 3 years ago

This is fixed and will be part of the next release. Thanks for your help with this improvement!