# Vault PoV - Identity Engine

## Authenticate your services with Vault and JWTs

You may want your services to be able to talk to each other in an authenticated manner, and even perform some authorization. This is not easy to do and you might have scratched your head a bunch about how to do it. This lab is going to show you how to do something like this using hashicorp’s Vault. At the end of this lab you’ll be able to issue and validate authorization tokens to make sure your services communicate in an authenticated and secure manner.

## What are JWTs ?

JWT, or JSON Web Tokens, are tokens that are signed by a central authority that encapsulate authorization information. This [website](https://jwt.io/#debugger) can help debug/decode your tokens.

A JWT consists of 3 parts separated by dots "`.`".

* Header
* Payload
* Signature

A JWT looks like this:
`xxx.yyy.zzz`

* The "**header**" gives you info about:
    * the algorithm used,
    * the key id used to sign the token and so on.
* The "**payload**" is the actual encoded auth data that you care about
* The "**signature**" is used to validate the token.

## Setup

### Start Vault Enterprise (if one does not exist)

In [1]:
docker run --rm -itd \
    --name vault \
    -p 8200:8200 \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
    -e "VAULT_ADDR=http://127.0.0.1:8200" \
    hashicorp/vault-enterprise

8842461be37c320967d0254de54bf3ccc5b2938e798914e1ec74f8783210c54b
[?2004h

: 1

Save the unseal key(s) and root token.

In [2]:
UNSEAL_1=$(docker logs vault | grep "Unseal Key" | awk '{print $NF}')
VAULT_TOKEN_ROOT=$(docker logs vault | grep "Root Token" | awk '{print $NF}')
echo Unseal Key: $UNSEAL_1
echo Root Token: $VAULT_TOKEN_ROOT

Unseal Key: 6YNdfQvvOy6AOLzdwEMeFTYn+u/K6JNRDUZ/TmZZ420=[0m
Root Token: root[0m
[?2004h

: 1

### Set environment variables

Change address and token as appropriate.

In [36]:
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="root"
export VAULT_SKIP_VERIFY=true
#VAULT_TLS_SERVER_NAME=

[?2004h[?2004l[?2004l[?2004l

: 1

Set fancy colors for standard output.

In [4]:
export RED="\e[0;31m"
export YELLOW="\e[0;33m"
export BLDYELLOW="\e[1;33m"
export GREEN="\e[0;32m"
export CYAN="\e[0;36m"
export BLUE="\e[0;34m"
export WHITE="\e[0;37m"
export BLDWHITE="\e[1;37m"
export NC="\e[0m"

[?2004h[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l

: 1

In [None]:
# vault login root
# vault version

### Make sure vault is initialized and unsealed

In [5]:
vault status

[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.7.2+ent
Storage Type    inmem
Cluster Name    vault-cluster-fc125d8a
Cluster ID      d0e1376b-d114-e94a-5831-db1860ba7732
HA Enabled      false[0m
[?2004h

: 1

### (optional) Create admin/dev namespace

In [6]:
printf "${GREEN}# Create dev namespace${NC}\n"
vault namespace create admin

printf "${GREEN}# Create admin/dev namespace${NC}\n"
export VAULT_NAMESPACE=admin
vault namespace create dev

printf "${GREEN}# Manage namespace admin/dev${NC}\n"
export VAULT_NAMESPACE=admin/dev

[0;32m# Create dev namespace[0m
[0mKey     Value
---     -----
id      j9puP
path    admin/[0m
[0;32m# Create admin/dev namespace[0m
[0mKey     Value[?2004l
---     -----
id      5nWoM
path    admin/dev/[0m
[0;32m# Manage namespace admin/dev[0m
[?2004h[?2004l

: 1

**NOTE:** The rest of this deployment will be in the `admin/dev` namespace.

## Enable the userpass auth method

In [8]:
vault auth enable userpass || true
vault auth list

[91mError enabling userpass auth: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/auth/userpass
Code: 400. Errors:

* path is already in use at userpass/[0m
[0mPath         Type        Accessor                  Description
----         ----        --------                  -----------
token/       ns_token    auth_ns_token_d1c78e92    token based credentials
userpass/    userpass    auth_userpass_05e6a03a    n/a[0m
[?2004h

: 1

## Write the Ops Team and App Team KV policies (NEEDS EDITING)

We will need to create a policy (`ops-team` and `app-team`) to allow the account (that we will create right after) to perform some basic operations on Vault.

In [37]:
printf "${GREEN}Create policy file for ops.${NC}\n"
vault policy write ops-team - <<EOF
path "identity/oidc/token/*" {
  capabilities = ["list", "read", "create", "update"]
}

path "identity/oidc/introspect" {
  capabilities = ["list", "read", "create", "update"]
}

path "identity/oidc/key/*" {
  capabilities = ["list", "read", "create", "update"]
}
EOF

echo
printf "${GREEN}Create policy file for app team.${NC}\n"
vault policy write app-team - <<EOF
path "identity/oidc/token/*" {
#   capabilities = ["list", "read", "create", "update"]
  capabilities = ["read"]

}

path "identity/oidc/introspect" {
#   capabilities = ["list", "read", "create", "update"]
  capabilities = ["read", "update"]
}
EOF

[0;32mCreate policy file for ops.[0m
[0mSuccess! Uploaded policy: ops-team[0m?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l
[?2004h[?2004l[?2004l
[0;32mCreate policy file for app team.[0m
[0mSuccess! Uploaded policy: app-team[0m?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l
[?2004h

: 1

You should lock down your policies. This policy is over-permissive.

### Confirm policies

In [13]:
printf "${GREEN}Read ops-team policy.\n${NC}"
vault policy read ops-team
echo
printf "${GREEN}Read app-team policy.\n${NC}"
vault policy read app-team

[0;32mRead ops-team policy.
[0mpath "identity/oidc/token/*" {
  capabilities = ["list", "read", "create", "update"]
}

path "identity/oidc/introspect" {
  capabilities = ["list", "read", "create", "update"]
}

path "identity/oidc/key/*" {
  capabilities = ["list", "read", "create", "update"]
}[0m
[?2004h[?2004l
[0;32mRead app-team policy.
[0mpath "identity/oidc/token/*" {
#   capabilities = ["list", "read", "create", "update"]
  capabilities = ["read"]

}

path "identity/oidc/introspect" {
#   capabilities = ["list", "read", "create", "update"]
  capabilities = ["read"]
}[0m
[?2004h

: 1

## Create Userpass users

In [14]:
printf "${GREEN}Create ops user.\n${NC}"
vault write auth/userpass/users/ops-1 password=ops-1 policies=ops-team
printf "${GREEN}Create app user.\n${NC}"
vault write auth/userpass/users/app-1 password=app-1 policies=app-team

[0;32mCreate ops user.
[0mSuccess! Data written to: auth/userpass/users/ops-1[0m
[0;32mCreate app user.
[0mSuccess! Data written to: auth/userpass/users/app-1[0m
[?2004h

: 1

## Create the OIDC issuer - Write the configuration for the Identity Tokens Backend

Configure the Identity Tokens Backend for OIDC-compliant identity tokens issued by Vault.

In [15]:
vault write identity/oidc/config issuer="${VAULT_ADDR}"

[0m
[93m  * If "issuer" is set explicitly, all tokens must be validated against that
  address, including those issued by secondary clusters. Setting issuer to
  "" will restore the default behavior of using the cluster's api_addr as the
  issuer.[0m
[93m[0m
[?2004h

: 1

`issuer` will be used to populate the `issuer` field of your tokens. If `issuer` is not set, Vault's `api_addr` will be used.

Read the configuration for Identity Tokens Backend to confirm your settings.

In [16]:
vault read -format=json identity/oidc/config | jq -r .data

[1;39m{
  [0m[34;1m"issuer"[0m[1;39m: [0m[0;32m"http://127.0.0.1:8200"[0m[1;39m
[1;39m}[0m
[?2004h

: 1

## Create Vault roles

Create two `role`'s in Vault, which will map to the apps you want to authenticate against. In this example we will assume that our app is called `role-001` and `role-002`.

**NOTE**: ID tokens are **generated** against a role and **signed** against a named key.

### Create template for generating tokens.

Define Claims in `token_template.json`: https://www.vaultproject.io/docs/secrets/identity#token-contents-and-templates

In [17]:
mkdir -p config/vault
printf "${GREEN}#--> Create the template to use for generating tokens.${NC}\n"
cat <<"EOF" > config/vault/token_template.json
{
    "entity_id": {{identity.entity.id}},
    "entity_name": {{identity.entity.name}},
    "groups": {{identity.entity.groups.names}},
    "metadata": {{identity.entity.metadata}}
}
EOF
cat config/vault/token_template.json

[0;32m#--> Create the template to use for generating tokens.[0m
{[?2004h[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l
    "entity_id": {{identity.entity.id}},
    "entity_name": {{identity.entity.name}},
    "groups": {{identity.entity.groups.names}},
    "metadata": {{identity.entity.metadata}}
}
[?2004h

: 1

In [18]:
vault write identity/oidc/role/role-ops \
    key="named-key-ops-1" ttl="12h" \
    template=@config/vault/token_template.json
vault write identity/oidc/role/role-app \
    key="named-key-app-1" ttl="12h" \
    template=@config/vault/token_template.json

[0mSuccess! Data written to: identity/oidc/role/role-ops[0m
[0mSuccess! Data written to: identity/oidc/role/role-app[0m
[?2004h

: 1

* `template` - The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
* `ttl` - TTL of the tokens generated against the role. Can be specified as a number of seconds or as a time string like "30m" or "6h".

### Read the Roles

In [19]:
printf "${GREEN}Read role - role-ops.\n${NC}"
vault read identity/oidc/role/role-ops
echo
printf "${GREEN}Read role - role-app.\n${NC}"
vault read identity/oidc/role/role-app

[0;32mRead role - role-ops.
[0mKey          Value
---          -----
client_id    xAl4jdzbQvUugaIJC6ROcR2FnZ
key          named-key-ops-1
template     {
    "entity_id": {{identity.entity.id}},
    "entity_name": {{identity.entity.name}},
    "groups": {{identity.entity.groups.names}},
    "metadata": {{identity.entity.metadata}}
}
ttl          12h[0m
[?2004h[?2004l
[0;32mRead role - role-app.
[0mKey          Value
---          -----
client_id    fdYq8KOVcATVNWrwSWBjP9iU2W
key          named-key-app-1
template     {
    "entity_id": {{identity.entity.id}},
    "entity_name": {{identity.entity.name}},
    "groups": {{identity.entity.groups.names}},
    "metadata": {{identity.entity.metadata}}
}
ttl          12h[0m
[?2004h

: 1

### Get the Role IDs

In [20]:
ROLE_1_CLIENT_ID=$(vault read -format=json identity/oidc/role/role-ops | jq -r .data.client_id)
ROLE_2_CLIENT_ID=$(vault read -format=json identity/oidc/role/role-app | jq -r .data.client_id)

[?2004h[?2004l

: 1

In [21]:
#optional
echo $ROLE_1_CLIENT_ID
echo $ROLE_2_CLIENT_ID

xAl4jdzbQvUugaIJC6ROcR2FnZ
fdYq8KOVcATVNWrwSWBjP9iU2W
[?2004h

: 1

## Create named keys

Create two [named keys](https://www.vaultproject.io/api/secret/identity/tokens.html#create-a-named-key). The associated role uses the key to sign tokens. `allowed_client_ids` define the roles allowed to use the keys.

In [22]:
vault write identity/oidc/key/named-key-ops-1 \
    rotation_period="10m" verification_ttl="30m" allowed_client_ids=$ROLE_1_CLIENT_ID

vault write identity/oidc/key/named-key-app-1 \
    rotation_period="10m" verification_ttl="30m" allowed_client_ids=$ROLE_2_CLIENT_ID

[0mSuccess! Data written to: identity/oidc/key/named-key-ops-1[0m
[0mSuccess! Data written to: identity/oidc/key/named-key-app-1[0m
[?2004h

: 1

Now we have keys that will sign our tokens.

**NOTE**: In a production environment you will need to have a key per environment (dev/staging/prod and so on) and will need to individually allow client ID (which we talk about later) to be signed by your key.

### Read the named keys

Query a named key and returns its configurations.

In [25]:
printf "${GREEN}Query named-key-ops-1.${NC}\n"
vault read identity/oidc/key/named-key-ops-1
echo
printf "${GREEN}Query named-key-app-1.${NC}\n"
vault read identity/oidc/key/named-key-app-1

[0;32mQuery named-key-ops-1.[0m
[0mKey                   Value
---                   -----
algorithm             RS256
allowed_client_ids    [xAl4jdzbQvUugaIJC6ROcR2FnZ]
rotation_period       10m
verification_ttl      30m[0m
[?2004h[?2004l
[0;32mQuery named-key-app-1.[0m
[0mKey                   Value
---                   -----
algorithm             RS256
allowed_client_ids    [fdYq8KOVcATVNWrwSWBjP9iU2W]
rotation_period       10m
verification_ttl      30m[0m
[?2004h

: 1

### List All Named Keys

List all named keys.

In [26]:
vault list identity/oidc/key

[0mKeys
----
named-key-app-1
named-key-ops-1[0m
[?2004h

: 1

## (optional) AppRole - SKIP FOR NOW - NOT READY YET

### Create the AppRole

An [AppRole](https://www.vaultproject.io/docs/auth/approle.html) is a Vault authentication backend. You can see it as something similar to a username/password authentication, but intended for services instead of actual human users.

Enable the approle authentication backend:

In [None]:
vault auth enable approle

Create the actual `approle`, it will be called `demo-approle`:

In [None]:
vault write auth/approle/role/demo-approle role_name=demo-approle policies=readonly
vault write auth/approle/role/ops-1 role_name=ops-1 policies=ops-team
vault write auth/approle/role/app-1 role_name=app-1 policies=app-team

Then you will need to get two pieces of information, the `roleid` and the `secretid` for the approle. These are the equivalent of the username and the password to authenticate yourself.

In [None]:
ops_secret_id=$(vault write -force -format=json auth/approle/role/ops-1/secret-id | jq -r .data.secret_id)
ops_role_id=$(vault read -format=json auth/approle/role/ops-1/role-id | jq -r .data.role_id)
echo $ops_role_id $ops_secret_id

app_secret_id=$(vault write -force -format=json auth/approle/role/app-1/secret-id | jq -r .data.secret_id)
app_role_id=$(vault read -format=json auth/approle/role/app-1/role-id | jq -r .data.role_id)
echo $app_role_id $app_secret_id

Sample Output

`ca9f0470-8d1f-4464-2635-25f02b9407d7 f91a7c31-dc06-2b24-20fd-e9f5867c32a8`

Your values will be different.

### Create the entity and map it to the AppRole

Now that we have created the approle, we need to map it to an internal Vault `entity`, you need to do that because several entities can be mapped to various authentication backends, like `userpass` or if you use something like Google or what not. So first, create the `entity` and save it for later:

In [None]:
ops_entity_id=$(vault write -format=json identity/entity name=ops | jq .data.id -r)
echo $ops_entity_id
app_entity_id=$(vault write -format=json identity/entity name=app | jq .data.id -r)
echo $app_entity_id

NOTE: Running this command twice will not work. There is not output after the first time.

You should see something like this:

`c957656f-0872-766c-3517-83b787672f84`

#### Entity Alias

Now you finally need to create an `entity alias` to make the link between the `entity` and the `approle` authentication backend (that is tedious I know but bear with me i swear it is worth it). Retrieve the `accessor`, which is the internal Vault reference to your approle authentication backend:

In [None]:
accessor=$(vault auth list -format=json | grep 'auth_approle' | tr -d " " | tr -d , | cut -d ":" -f 2 | tr -d \")
echo $accessor
vault auth list -format=json | grep 'auth_approle' | tr -d " " | tr -d ,

Sample Output:

`auth_approle_91098819`

Then, create the alias:

In [None]:
vault write identity/entity-alias name=ops-1 canonical_id=$ops_entity_id mount_accessor=$accessor
vault write identity/entity-alias name=app-1 canonical_id=$app_entity_id mount_accessor=$accessor

Sample Output

```
Key             Value
---             -----
canonical_id    c957656f-0872-766c-3517-83b787672f84
id              a2d067d6-229b-6580-d714-35a01ba62864
```

Everything is setup now.

### Log in as the AppRole

In [None]:
# ops-1_token=$(vault write -format=json auth/approle/login role_id=$role_id secret_id=$secret_id | jq -r .auth.client_token)
# export VAULT_TOKEN=$ops-1_token
ops_1_token=$(vault write -format=json auth/approle/login role_id=$ops_role_id secret_id=$ops_secret_id | jq -r ".auth.client_token")
export VAULT_TOKEN=$ops_1_token
echo $ops_1_token

You are now logged into Vault as your approle! Check it by running:

In [None]:
vault token lookup

Sample output

```
Key                 Value
---                 -----
accessor            Tc6riT70kLnepiW3CC0rEkBj
creation_time       1579287446
creation_ttl        768h
display_name        approle
entity_id           f1be740b-8b4f-4369-a019-bc6ef3f8e963
expire_time         2020-02-18T18:57:26.707866969Z
explicit_max_ttl    0s
id                  s.ohsNR1DIo6sVr8gG8hsRsk1Y
issue_time          2020-01-17T18:57:26.707866723Z
meta                map[role_name:demo-approle]
num_uses            0
orphan              true
path                auth/approle/login
policies            [default readonly]
renewable           true
ttl                 767h58m57s
type                service
```

## Sign in as the Ops user

In [38]:
printf "${YELLOW}Sign in as ops user and set VAULT_TOKEN.${NC}\n"
token=$(vault login -format=json -method=userpass username=ops-1 password=ops-1 | jq -r .auth.client_token)
export VAULT_TOKEN=$token
echo $VAULT_TOKEN

[0;33mSign in as ops user and set VAULT_TOKEN.[0m
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.

s.oPqZIgZKuJSNfDS2RdzEvhbm.5nWoM
[?2004h

: 1

You are now logged into Vault as the `ops` user!

Confirm your policies and namespace:

In [28]:
vault token lookup

[0mKey                 Value
---                 -----
accessor            pO5uIYlxK3P7q6LEUwuusTz2.5nWoM
creation_time       1623194398
creation_ttl        768h
display_name        admin-dev-auth-userpass-ops-1
entity_id           76a36f0e-4b0d-2e09-203b-847b6e28beea
expire_time         2021-07-10T23:19:58.2957166Z
explicit_max_ttl    0s
id                  s.q0qeBskK7SY7BVeLhnaFXT9W.5nWoM
issue_time          2021-06-08T23:19:58.2957326Z
meta                map[username:ops-1]
namespace_path      admin/dev/
num_uses            0
orphan              true
path                auth/userpass/login/ops-1
policies            [default ops-team]
renewable           true
ttl                 767h59m56s
type                service[0m
[?2004h

: 1

## Generate a signed (OIDC) token

Generate a signed ID (OIDC) token. `role-001` is the name of the role against which to generate a signed ID token

In [29]:
#vault read identity/oidc/token/role-001
printf "${GREEN}Set client id and token.${NC}\n"
TOKEN_DATA=$(vault read -format=json identity/oidc/token/role-ops)
echo $TOKEN_DATA | jq -r .data
CLIENT_ID=$(echo $TOKEN_DATA | jq -r .data.client_id)
ID_TOKEN=$(echo $TOKEN_DATA | jq -r .data.token)

[0;32mSet client id and token.[0m
[1;39m{[?2004l[?2004l
  [0m[34;1m"client_id"[0m[1;39m: [0m[0;32m"xAl4jdzbQvUugaIJC6ROcR2FnZ"[0m[1;39m,
  [0m[34;1m"token"[0m[1;39m: [0m[0;32m"eyJhbGciOiJSUzI1NiIsImtpZCI6IjEzMzEyNDQ2LTYyOTctY2I0Yi04Y2FhLWM2MjdkYTdkNDAwNyJ9.eyJhdWQiOiJ4QWw0amR6YlF2VXVnYUlKQzZST2NSMkZuWiIsImVudGl0eV9pZCI6Ijc2YTM2ZjBlLTRiMGQtMmUwOS0yMDNiLTg0N2I2ZTI4YmVlYSIsImVudGl0eV9uYW1lIjoiZW50aXR5XzYxMWQzYmQxIiwiZXhwIjoxNjIzMjM3NjQwLCJncm91cHMiOm51bGwsImlhdCI6MTYyMzE5NDQ0MCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL2FkbWluL2Rldi9pZGVudGl0eS9vaWRjIiwibWV0YWRhdGEiOnt9LCJuYW1lc3BhY2UiOiI1bldvTSIsInN1YiI6Ijc2YTM2ZjBlLTRiMGQtMmUwOS0yMDNiLTg0N2I2ZTI4YmVlYSJ9.keiiJtajxU_ZWWkurgVxU9Y1-PGNgBwpHaHT91wkAzpKVATTxeuJpNWsVyZgR5F6LlTwu_Wg6_KCyZ7ROMIlenILAVxStB5tED07zmUHuRxL9NZdERb1sNtb42OVxJ-x59UH7nNPMFiTtc4yfwD3K8UknoP4I8oDNXyJUWS2d6ssd2rUcxg75Dq1SafAo9aRHZ4Xl3BBRJWb8go0ayqThiIlOQtG2eDHH9xzVFxvJHcTcAbTmOzw-W3VODeIgoefOGFE7oRAfVsXibm7JENqvYRjOis1Y7_n5_Aln51YWOTqLoZeyFLyKcvni4kP9nH

: 1

You can now use this token to identify to a service !

## Sign in as the App user

In [39]:
export VAULT_TOKEN=$(vault login -format=json -method=userpass username=app-1 password=app-1 \
| jq -r .auth.client_token)

printf "${YELLOW}DEBUG - View VAULT_TOKEN.${NC}\n"
echo $VAULT_TOKEN

over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.

[0;33mDEBUG - View VAULT_TOKEN.[0m
s.xzBHvg5jROExRbpItWx97TIz.5nWoM
[?2004h

: 1

You are now logged into Vault as the `app` user!

Confirm your policies and namespace:

In [31]:
vault token lookup

[0mKey                 Value
---                 -----
accessor            WipNHyE8hdszMFNJoJh7NOuY.5nWoM
creation_time       1623194450
creation_ttl        768h
display_name        admin-dev-auth-userpass-app-1
entity_id           248793fc-4144-ceaf-c097-7bb7dd3906bd
expire_time         2021-07-10T23:20:50.3478345Z
explicit_max_ttl    0s
id                  s.0Gk2GlANRf7mdK5oS9mWiBMg.5nWoM
issue_time          2021-06-08T23:20:50.3478521Z
meta                map[username:app-1]
namespace_path      admin/dev/
num_uses            0
orphan              true
path                auth/userpass/login/app-1
policies            [app-team default]
renewable           true
ttl                 767h59m55s
type                service[0m
[?2004h

: 1

## Get the key id from the JWT

Let’s unpack the token a bit using the [debugger](https://jwt.io/#debugger) or `jwt` cli tool.

### optional - install jwt cli tool

In [None]:
#optional
# brew tap mike-engel/jwt-cli                    
# brew install jwt-cli

### jwt decode

In [32]:
echo $TOKEN_DATA | jq -r .data.token | jwt decode -

[?2004l
[1mToken header
------------(B[m
{
  "alg": "RS256",
  "kid": "13312446-6297-cb4b-8caa-c627da7d4007"
}

[1mToken claims
------------(B[m
{
  "aud": "xAl4jdzbQvUugaIJC6ROcR2FnZ",
  "entity_id": "76a36f0e-4b0d-2e09-203b-847b6e28beea",
  "entity_name": "entity_611d3bd1",
  "exp": 1623237640,
  "groups": null,
  "iat": 1623194440,
  "iss": "http://127.0.0.1:8200/v1/admin/dev/identity/oidc",
  "metadata": {},
  "namespace": "5nWoM",
  "sub": "76a36f0e-4b0d-2e09-203b-847b6e28beea"
}
[?2004h

: 1

The "**header**" specifies the signature algorithm (`alg`) used and the key id (`kid`) used to sign the token. We will look at this `kid` value in the Well Known keys section.

```
Token header
------------(B
{
  "alg": "RS256",
  "kid": "64d94750-6ccc-cf98-e26a-455d57f42b14"
}
```

The "**body**" of the token reads the following:

```
Token claims
------------(B
{
  "aud": "gp6ydLvnWZuxPGXYQt673q5XmX",
  "entity_id": "dcde86df-8c01-1dfb-2289-70e63e2c72a6",
  "entity_name": "entity_bbe2033e",
  "exp": 1622889270,
  "iat": 1622846070,
  "iss": "http://localhost:8200/v1/identity/oidc",
  "namespace": "root",
  "sub": "dcde86df-8c01-1dfb-2289-70e63e2c72a6"
}
```

Here you have a bunch of information about the identity of the token bearer:

* `exp` is the expiration time of the token
* `iat` is the issuance time
* `iss` is the issuer
* `aud` is the intended audience of the token, namely the `demo` OIDC role you created above
* `sub` is the `subject` of the token, namely the identity of the bearer. **NOTE**: This is the same UUID as the one referenced in the `entity_id` field of the `vault token lookup` command.

**NOTE: You can now identify who’s token you are looking at!**

You can also add more custom fields, such as group membership and other arbitrary things. More info on that [here](https://www.vaultproject.io/docs/secrets/identity/index.html#token-contents-and-templates).

## Verify the token

Now you need to be able to verify the tokens.

You need to be able to verify the signature of the token to establish that the token:

* Comes from whom it says it comes from
* Is signed by a key owned by whom it says it comes from

Vault exposes an unauthenticated endpoint that allows you to retrieve the public part of the signing keys used for the tokens, which you can access the following way

In [33]:
printf "${GREEN}Create verify.json payload for introspection/validation${NC}\n"
cat <<EOF > config/vault/verify.json
{
    "token": "${ID_TOKEN}"
}
EOF
cat config/vault/verify.json

[0;32mCreate verify.json payload for introspection/validation[0m
{[?2004h[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l
    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEzMzEyNDQ2LTYyOTctY2I0Yi04Y2FhLWM2MjdkYTdkNDAwNyJ9.eyJhdWQiOiJ4QWw0amR6YlF2VXVnYUlKQzZST2NSMkZuWiIsImVudGl0eV9pZCI6Ijc2YTM2ZjBlLTRiMGQtMmUwOS0yMDNiLTg0N2I2ZTI4YmVlYSIsImVudGl0eV9uYW1lIjoiZW50aXR5XzYxMWQzYmQxIiwiZXhwIjoxNjIzMjM3NjQwLCJncm91cHMiOm51bGwsImlhdCI6MTYyMzE5NDQ0MCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL2FkbWluL2Rldi9pZGVudGl0eS9vaWRjIiwibWV0YWRhdGEiOnt9LCJuYW1lc3BhY2UiOiI1bldvTSIsInN1YiI6Ijc2YTM2ZjBlLTRiMGQtMmUwOS0yMDNiLTg0N2I2ZTI4YmVlYSJ9.keiiJtajxU_ZWWkurgVxU9Y1-PGNgBwpHaHT91wkAzpKVATTxeuJpNWsVyZgR5F6LlTwu_Wg6_KCyZ7ROMIlenILAVxStB5tED07zmUHuRxL9NZdERb1sNtb42OVxJ-x59UH7nNPMFiTtc4yfwD3K8UknoP4I8oDNXyJUWS2d6ssd2rUcxg75Dq1SafAo9aRHZ4Xl3BBRJWb8go0ayqThiIlOQtG2eDHH9xzVFxvJHcTcAbTmOzw-W3VODeIgoefOGFE7oRAfVsXibm7JENqvYRjOis1Y7_n5_Aln51YWOTqLoZeyFLyKcvni4kP9nHs94EgBeKsMjU9eNYpvhjGQw"
}
[?2004h

: 1

The ID_TOKEN was set previously when we created the token. 

In [40]:
printf "${GREEN}Verify the authenticity and active state of the signed ID token.${NC}\n"
curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --header "X-Vault-Namespace: admin/dev" \
    --request POST \
    --data @config/vault/verify.json \
    http://127.0.0.1:8200/v1/identity/oidc/introspect

[0;32mVerify the authenticity and active state of the signed ID token.[0m
{"active":true}[?2004hl[?2004l[?2004l[?2004l[?2004l

: 1

You should see

``{"active":true}``

### Show the Well Known config

Read the Well Known config to retrieve a set of claims about the identity tokens' configuration. This response is a compliant OpenID Provider configuration response.

In [41]:
curl -s \
    --header "X-Vault-Namespace: admin/dev" \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/openid-configuration | jq -r .

[1;39m{[?2004l[?2004l[?2004l
  [0m[34;1m"issuer"[0m[1;39m: [0m[0;32m"http://127.0.0.1:8200/v1/admin/dev/identity/oidc"[0m[1;39m,
  [0m[34;1m"jwks_uri"[0m[1;39m: [0m[0;32m"http://127.0.0.1:8200/v1/admin/dev/identity/oidc/.well-known/keys"[0m[1;39m,
  [0m[34;1m"response_types_supported"[0m[1;39m: [0m[1;39m[
    [0;32m"id_token"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"subject_types_supported"[0m[1;39m: [0m[1;39m[
    [0;32m"public"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"id_token_signing_alg_values_supported"[0m[1;39m: [0m[1;39m[
    [0;32m"RS256"[0m[1;39m,
    [0;32m"RS384"[0m[1;39m,
    [0;32m"RS512"[0m[1;39m,
    [0;32m"ES256"[0m[1;39m,
    [0;32m"ES384"[0m[1;39m,
    [0;32m"ES512"[0m[1;39m,
    [0;32m"EdDSA"[0m[1;39m
  [1;39m][0m[1;39m
[1;39m}[0m
[?2004h

: 1

### Show the Well Known keys

This is the public portion of the named keys. Clients can use this to validate the authenticity of an identity token

In [42]:
curl -s \
    --header "X-Vault-Namespace: admin/dev" \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys | jq -r .keys

[1;39m[[?2004l[?2004l[?2004l
  [1;39m{
    [0m[34;1m"use"[0m[1;39m: [0m[0;32m"sig"[0m[1;39m,
    [0m[34;1m"kty"[0m[1;39m: [0m[0;32m"RSA"[0m[1;39m,
    [0m[34;1m"kid"[0m[1;39m: [0m[0;32m"0719a5b8-00e8-2c7f-ff3d-6f67cfeccbd7"[0m[1;39m,
    [0m[34;1m"alg"[0m[1;39m: [0m[0;32m"RS256"[0m[1;39m,
    [0m[34;1m"n"[0m[1;39m: [0m[0;32m"uVfQ_hbBEE4SGpkIxG51g_5ee0FOUuSDXKHlojGNyIWUU4LPeWiXnXnu2HkEloM7e0NGjLqgzp116aDwX72_nKRlnn33tvVEw9neInrDFShwHSVwpRnKrgLDNrSwjfy8nR66ek8lSAhFkLgGouWnSnvYwGN3UrRbRMaaW1AkEYzl7q3uAGIWK26EexS_C6nEvgy8GonVmb7GxENLHTGUyqYnW27AvPdoDSNChJpp-qFiqYVUti3qMEeQkBsAmnGjf5dkPflLB9WjifYhgFxcXvwK-YdnsI7OgNDFg8I-w_G9m9dD3HrhS0RNFqepL-uGLc-kNIYKi1bseKxBszGULw"[0m[1;39m,
    [0m[34;1m"e"[0m[1;39m: [0m[0;32m"AQAB"[0m[1;39m
  [1;39m}[0m[1;39m,
  [1;39m{
    [0m[34;1m"use"[0m[1;39m: [0m[0;32m"sig"[0m[1;39m,
    [0m[34;1m"kty"[0m[1;39m: [0m[0;32m"RSA"[0m[1;39m,
    [0m[34;1m"kid"[0m[1;39m: [0m[0;32m"13312446-62

: 1

If you pay attention and fluently speak UUID, you will notice that `962cbe97-f3ca-15c3-042d-61e431c194e0` is the `kid` present in the header of the token we have previously issued.

This way you can verify that the signature is valid. Note that Vault implements the [openID discovery protocol](https://swagger.io/docs/specification/authentication/openid-connect-discovery/) which can give you access to even more information.

## Rotate a Named Key

Rotate a named key.

Negative Testing

In [47]:
printf "${RED}This should fail.${NC}\n"
# export VAULT_TOKEN=root
#vault write -f -format=json identity/oidc/key/role-002/rotate
vault write -f -format=json identity/oidc/key/named-key-app-1/rotate

[0;31mThis should fail.[0m
Error writing data to identity/oidc/key/named-key-app-1/rotate: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/identity/oidc/key/named-key-app-1/rotate
Code: 403. Errors:

* 1 error occurred:
	* permission denied


[?2004h

: 1

In [48]:
printf "${YELLOW}Sign in as ops user and set VAULT_TOKEN.${NC}\n"
token=$(vault login -format=json -method=userpass username=ops-1 password=ops-1 | jq -r .auth.client_token)
export VAULT_TOKEN=$token

[0;33mSign in as ops user and set VAULT_TOKEN.[0m
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.

[?2004h[?2004l

: 1

Positive Testing

In [49]:
printf "${YELLOW}Show current Well Known Keys - Before Rotation.${NC}\n"
well_known_keys=$(curl -s -H "X-Vault-Namespace: admin/dev" -X GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys | jq -r .keys[].kid)
echo "$well_known_keys"
printf "${YELLOW}Number of keys:${NC} $(echo $well_known_keys | wc -w)"

[0;33mShow current Well Known Keys - Before Rotation.[0m
0719a5b8-00e8-2c7f-ff3d-6f67cfeccbd7
13312446-6297-cb4b-8caa-c627da7d4007
2f69c20c-5402-22f6-3a3b-4b02fe4f71b0
41f225f5-2f5d-a265-0985-38170d630f4f
4aa9fa5a-0d1c-20b4-08cd-657bb8660b51
dff866d3-a1b9-5e4a-b764-e52631efde19
[0;33mNumber of keys:[0m        6[?2004h

: 1

In [51]:
printf "${GREEN}This should now work.${NC}\n"
# export VAULT_TOKEN=root
#vault write -f -format=json identity/oidc/key/role-002/rotate
vault write -f -format=json identity/oidc/key/named-key-app-1/rotate

[0;32mThis should now work.[0m
[?2004h[?2004l[?2004l[?2004l

: 1

In [52]:
printf "${YELLOW}Show current Well Known Keys - After Rotation.${NC}\n"
well_known_keys=$(curl -s -H "X-Vault-Namespace: admin/dev" -X GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys | jq -r .keys[].kid)
echo "$well_known_keys"
printf "${YELLOW}Number of keys:${NC} $(echo $well_known_keys | wc -w)"

[0;33mShow current Well Known Keys - After Rotation.[0m
0719a5b8-00e8-2c7f-ff3d-6f67cfeccbd7
13312446-6297-cb4b-8caa-c627da7d4007
2f69c20c-5402-22f6-3a3b-4b02fe4f71b0
41f225f5-2f5d-a265-0985-38170d630f4f
4aa9fa5a-0d1c-20b4-08cd-657bb8660b51
de508e89-7ba8-270a-b42b-3d5a3f8f0cec
dff866d3-a1b9-5e4a-b764-e52631efde19
[0;33mNumber of keys:[0m        7[?2004h

: 1

There should be one more key than above.

NOTE: The reason you see multiple keys is due to the auto-rotation. We set a rotation period of 10 minutes and a verification_ttl of 30 minutes. After 30 minutes, you will see at least 3 keys for each named key.

In [54]:
# Delete an idenity key
VAULT_TOKEN=root vault delete identity/oidc/key/named-key-app-1

[91mError deleting identity/oidc/key/named-key-app-1: Error making API request.

URL: DELETE http://127.0.0.1:8200/v1/identity/oidc/key/named-key-app-1
Code: 400. Errors:

* unable to delete key "named-key-app-1" because it is currently referenced by these roles: role-app[0m
[?2004h

: 1

In [57]:
# Delete an identity role and then the key.
VAULT_TOKEN=root vault delete identity/oidc/role/role-app
VAULT_TOKEN=root vault delete identity/oidc/key/named-key-app-1

[0mSuccess! Data deleted (if it existed) at: identity/oidc/role/role-app[0m
[0mSuccess! Data deleted (if it existed) at: identity/oidc/key/named-key-app-1[0m
[?2004h

: 1

You have completed this lab. Please proceed to Cleanup if necessary.

## Cleanup

### Delete admin/dev namespace

In [None]:
export VAULT_TOKEN=root
VAULT_NAMESPACE=admin vault namespace delete dev

### Shutdown Docker

In [58]:
docker stop vault

# Remove the container - not needed since --rm was used
# docker rm vault

vault04l
[?2004h[?2004l[?2004l[?2004l

: 1

## END