
Allow Identity Engine to sign x509s in addition to letting users export public keys #8307

Open
junhyun-shim opened this issue Feb 6, 2020 · 1 comment

Comments

@junhyun-shim

junhyun-shim commented Feb 6, 2020

Is your feature request related to a problem? Please describe.
Hi Vault developers! We have a backend system with its own auth domain that needs to support multiple technical users, which we intend to create automatically when the system is first brought up. We'd like these technical users to use Vault's Identity Engine as an external IDP, as the backend system natively supports RS256-JWT authentication, as long as the administrator binds each user to an IDP object (native to the backend system) with an x509 certificate.

Unfortunately, Vault documentation on Identity Engine seems to suggest that the users only get to export JWK public keys for token validation purposes, which is one feature short of exactly what we need. (I'd really like to be proven wrong here)

Describe the solution you'd like
We'd like something akin to a CSR server: e.g. /v1/identity/oidc/certs API, where we could POST the necessary fields similar to how you would fill out a CSR and the Identity Engine could give back an x509 signed with its own private key, which it also uses to sign JWTs.

Describe alternatives you've considered
Any other workarounds applicable to the backend system would require a non-trivial code change that only applies to this purpose and likely won't see much use otherwise, which we'd rather avoid.
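The relationship the request depends on is that a backend which trusts an x509 certificate can validate RS256 JWTs as long as the certificate carries the same RSA public key that signs the tokens. The following Go program is an added illustration, not Vault code and not the reporter's system: a freshly generated RSA key stands in for the identity engine's signing key, a self-signed certificate is issued over it (the CN, validity window and key usage in the template are assumptions), a compact JWT is signed with RS256, and the token is then verified using only the certificate, which is what a backend holding an "IDP object with an x509" would do.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCertDER issues a self-signed X.509 certificate carrying the JWT signing key (template fields are assumptions).
func selfSignedCertDER(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// rsaKeyFromCert extracts the RSA public key from a DER-encoded certificate.
func rsaKeyFromCert(certDER []byte) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// signRS256 produces a compact JWT signed with RS256 (PKCS#1 v1.5 over SHA-256), the algorithm the backend accepts.
func signRS256(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// verifyRS256WithCert checks a compact RS256 JWT using only the public key found in the certificate.
func verifyRS256WithCert(token string, certDER []byte) error {
	pub, err := rsaKeyFromCert(certDER)
	if err != nil {
		return err
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed compact JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// demo stands a fresh key in for the identity engine's signing key and reports whether a token it signs verifies via the cert.
func demo() (bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	certDER, err := selfSignedCertDER(key, "vault-identity-oidc")
	if err != nil {
		return false, err
	}
	tok, err := signRS256(key, map[string]interface{}{"sub": "technical-user-1"})
	if err != nil {
		return false, err
	}
	return verifyRS256WithCert(tok, certDER) == nil, nil
}

func main() {
	ok, err := demo()
	fmt.Println("token verifies with cert:", ok, "err:", err)
}
```

Because the certificate and the JWT share one key pair, a successful `verifyRS256WithCert` is exactly the check the backend performs; a token signed by any other key, or a malformed token, is rejected by the same function.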

@Fargrath

Hi, I'm a fellow colleague of the reporter. I adapted the identity store's key/token handling so that it will generate the certificate (and an additional token header field) that we would need for our backend system to work with it.

Feedback would be greatly appreciated. Especially regarding the certificate template.
