Cloudflare Access as auth method #6233
Comments
|
Vault already has a JWT auth plugin and already allows plugins to be passed request headers. It sounds like what you want may simply be a modification to the JWT auth plugin to allow the value to be read via a header instead of a POST parameter? |
|
Maybe that's an even better solution - I didn't check the SAML integration with CFA but for all the methods I tested you just get the email anyway. So maybe a PR against the JWT plugin is the way to go. |
|
From what I understood, the JWT token is only used in order to authenticate against CFA. Once authenticated/authorized, the application behind it only gets a
https://developers.cloudflare.com/access/setting-up-access/managing-user-sessions/ I am not convinced this would be sufficient in terms of security for a Vault endpoint, unfortunately :( I am also looking to implement something similar. If someone has better ideas I am all ears! |
|
Cloudflare Access does actually send the JWT and exposes endpoints for the keys. Cloudflare includes the JWT with all authenticated requests in two places, the response header The header The signing keys also have a specific endpoint to allow easy fetching. There is also a way to fetch additional group details from the SSO provider by sending the JWT to a specific endpoint. I'm not really sure if the specifics would allow it to be easily integrated with the existing JWT auth method or if something new would have to be created. https://developers.cloudflare.com/access/setting-up-access/json-web-token/ |
|
We looked into using Cloudflare Access for auth as well. Ultimately, I think this would require a separate auth plugin, but it is probably possible to do so by forking the existing JWT plugin, and make a few alterations:
Otherwise I think the core of the JWT plugin can remain the same. The OIDC code can then be stripped out as it won't be used. EDIT: I've gone and done what I've proposed above. The tests are still broken, and I've only tested it for my specific use case, but I am able to get an actual token from passing in my JWT I get after running https://github.com/Lucretius/vault-plugin-auth-cloudflare-access |
|
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks! |
Is your feature request related to a problem? Please describe.
In the absence of IaaS vendor-integrated managed solutions for Vault I'd prefer not to deploy Vault on the Internet w/o additional protections. Using an indirection like Argo/Access with the latter taking care of the Beyond-Corp-style authentication would fit the bill (while adding CloudFlare as MiTM attack vector).
Describe the solution you'd like
Use Cloudflare Access to protect Vault from direct unauthenticated access on the Internet while authenticating users directly using the JWT request headers provided by Access. This solution would not require additional user management infrastructure. If the Argo tunnel setup would be integrated this would be an extremely simple setup to create hidden/protected Vault installations.
I have not yet explored group or additional attribute mapping options that may or may not be available by using an IdP that supports them (especially SAML).
This ticket basically asks the question if such an auth method as the one described there makes sense to the Vault maintainers or if a custom plugin (maybe integrating Argo directly, as described above) is a better fit.
The text was updated successfully, but these errors were encountered: