Vault OpenID Demo

Vault 1.1.0 introduced OIDC Redirect Flow Support, allowing authentication through the browser. In this repository we describe the steps to use this feature to authenticate with Vault using a Gmail address.

Requirements

  • Vault server with a "demo" ACL policy
  • A domain name for Vault
  • Google account

Configure Vault Domain

You can use any registrar; there are no specific requirements. If you decide to use AWS Route53:

  1. Log in to AWS, go to Route53
  2. Create a Hosted Zone if none exists
  3. Click on existing Hosted Zone
  4. Click Create Record Set
  5. Enter a name and set the record's value to your Vault server's IP address.
  6. Throughout this repo, assume that "YOUR_VAULT_ADDR" is this address, scheme and port included, for example:
YOUR_VAULT_ADDR=http://stenio.vault.hashidemos.io:8200

Configure Google

  1. Go to https://console.developers.google.com/apis/credentials/, log in if needed
  2. Click "Create credentials > OAuth ClientID"
  3. Select "Web application", give it a name
  4. On "Authorized redirect URIs", enter "YOUR_VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" (YOUR_VAULT_ADDR already carries the scheme and port, and the URI must match the one configured in Vault exactly)
  5. Press Save
  6. In the next step you will use the Client ID and the Client Secret when configuring Vault

Configure Vault

  1. Enable the oidc auth method and configure it with the Google client information (no trailing commas: each argument is a separate key=value pair):
vault auth enable oidc

vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="YOUR_GOOGLE_API_CLIENT_ID" \
    oidc_client_secret="YOUR_GOOGLE_API_CLIENT_SECRET" \
    default_role="gmail"

  2. Create a role to use for authentication. You can be as restrictive as desired by using the different "bound" fields, which specify values that must be present in the claims Google sends in order to allow authentication. Google's documentation lists the claims and values it sends, and the Vault OIDC auth documentation describes the bound fields. List-valued fields are passed as quoted, comma-separated strings:
vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences="YOUR_GOOGLE_API_CLIENT_ID" \
    allowed_redirect_uris="YOUR_VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
    policies="demo" \
    ttl="1h"
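To make concrete what the Google redirect URI and the role's "bound" fields above actually gate, here is an added Python model of the role checks. It is not code from this repository and not Vault's implementation (Vault additionally verifies the ID token's signature, issuer, expiry and nonce, which this model skips). The role mirrors the page's "gmail" role; `OidcRole`, `evaluate_login`, the client ID and the two claim sets are constructed for this illustration. It also shows `bound_claims`, a real field of Vault's jwt/oidc roles that the page's role leaves unset, used here to require Google's hosted-domain (`hd`) claim so that arbitrary @gmail.com accounts are no longer accepted.

```python
"""Added example (not code from this repository or from Vault itself): a small
model of how an OIDC auth role's "bound" fields decide whether an ID token
may log in. The role fields mirror the page's "gmail" role; the claims and
client IDs below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-ins for the page's placeholders.
CLIENT_ID = "123456789-abc.apps.googleusercontent.com"  # YOUR_GOOGLE_API_CLIENT_ID
VAULT_ADDR = "http://stenio.vault.hashidemos.io:8200"   # YOUR_VAULT_ADDR from the page
CALLBACK = VAULT_ADDR + "/ui/vault/auth/oidc/oidc/callback"


@dataclass
class OidcRole:
    user_claim: str
    bound_audiences: list
    allowed_redirect_uris: list
    # bound_claims is a real field of Vault's jwt/oidc roles that the page's
    # role leaves unset; here it is modelled as {claim name: [allowed values]}.
    bound_claims: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)


# The role exactly as the page configures it: audience-bound only, so any
# Google account that completes the flow is accepted.
PAGE_ROLE = OidcRole(user_claim="sub", bound_audiences=[CLIENT_ID],
                     allowed_redirect_uris=[CALLBACK], policies=["demo"])

# A stricter variant that also requires Google's hosted-domain claim ("hd"),
# which Google sets for Google Workspace accounts but not for @gmail.com ones.
STRICT_ROLE = OidcRole(user_claim="sub", bound_audiences=[CLIENT_ID],
                       allowed_redirect_uris=[CALLBACK],
                       bound_claims={"hd": ["hashidemos.io"]}, policies=["demo"])

# Constructed ID-token claim sets shaped like the ones Google issues.
GMAIL_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                "sub": "1002", "email": "someone@gmail.com", "email_verified": True}
WORKSPACE_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                    "sub": "1003", "email": "ops@hashidemos.io",
                    "email_verified": True, "hd": "hashidemos.io"}


def evaluate_login(role: OidcRole, claims: dict,
                   redirect_uri: str) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, entity_alias) for one login attempt.

    The order follows what each role field protects against: the redirect URI
    must match an allowed one exactly, the token must be issued for our client
    ID, every bound claim must carry an allowed value, and the user_claim must
    be present so there is something to name the entity alias after.
    """
    # Exact string comparison: a "//ui/..." double slash typed into the Google
    # console is a different URI from the one in the role and is rejected.
    if redirect_uri not in role.allowed_redirect_uris:
        return False, "redirect_uri not in allowed_redirect_uris", None

    # "aud" may be a single string or a list in an ID token.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in role.bound_audiences for a in audiences):
        return False, "token audience does not match bound_audiences", None

    # A missing claim yields None, which is never an allowed value.
    for name, allowed in role.bound_claims.items():
        if claims.get(name) not in allowed:
            return False, f"claim {name!r} missing or not an allowed value", None

    alias = claims.get(role.user_claim)
    if not alias:
        return False, f"user_claim {role.user_claim!r} missing from token", None
    return True, "ok", str(alias)


if __name__ == "__main__":
    for label, role in (("page role", PAGE_ROLE), ("strict role", STRICT_ROLE)):
        for who, claims in (("gmail user", GMAIL_CLAIMS), ("workspace user", WORKSPACE_CLAIMS)):
            print(label, who, evaluate_login(role, claims, CALLBACK))
    print("double-slash callback",
          evaluate_login(PAGE_ROLE, GMAIL_CLAIMS, VAULT_ADDR + "//ui/vault/auth/oidc/oidc/callback"))
```

Running it shows the page's role accepting both the @gmail.com and the Workspace account, the stricter role accepting only the Workspace account, and the double-slash callback being refused outright; the same exact-match rule is why the URI entered in the Google console and the one in `allowed_redirect_uris` have to be identical.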

Login

  1. Go to Vault UI
  2. Select "OIDC auth"
  3. Enter the role you want to log in to Vault with. In this example we only have one role, but multiple can be created and associated with different claims and bounds as needed.
  4. Log in!