sevensolutions / traefik-oidc-auth

🧩 A traefik Plugin for securing the upstream service with OpenID Connect acting as a relying party.
https://github.com/sevensolutions/traefik-oidc-auth
MIT License
10 stars 1 forks source link

Hashicorp Vault OIDC identity provider #13

Open mofr93 opened 1 week ago

mofr93 commented 1 week ago

Hi,

Hashicorp vault OIDC provider issues an opaque access_token. They recommend we use the userinfo_endpoint for introspection, because the access_token itself cannot be parsed, therefore it is not working. Is there any plans to support verification of claims etc. from the userinfo_endpoint?

sevensolutions commented 1 week ago

Hi @mofr93 you mean the token is not a JWT token?

At the beginning of this plugin i was always using the introspection endpoint but removed it because it will be called for every single endpoint, which can slow everything down...

I have already used Vault but not as an OIDC Provider. I will have a closer look on the weekend.

mofr93 commented 1 week ago

Hey @sevensolutions

Thanks for the reply.

Yes, the access_token is just an opaque token that is only used for calling the introspection endpoint in Vault, so no JWT. I see the problems with calling this endpoint everytime. Maybe it needs to have some sort of cache set up. I tried this other project that just verifies the id_token which works for me https://github.com/lukaszraczylo/traefikoidc