luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/auth/jwt_oidc_providers.html.md
Jim Kalafut bc48dd1cc8
Update OIDC docs (#6485)
2019-03-27 11:47:05 -07:00

2.5 KiB
Raw Blame History

layout page_title description
docs OIDC Provider Setup - Auth Methods OIDC provider configuration quick starts

OIDC Provider Configuration

This page collects high-level setup steps on how to configure an OIDC application for various providers. These providers are often highly configurable and you should become familiar with their recommended settings and best practices. The instructions below are intended only to help you get started. Corrections and additions may be submitted via the Vault Github repository.

Azure Active Directory (AAD)

Reference: Azure Active Directory v2.0 and the OpenID Connect protocol

  1. Register or select an AAD application. Visit Overview page.
  2. Configure Redirect URIs ("Web" type).
  3. Record "Application (client) ID".
  4. Under "Endpoints", copy the OpenID Connect metadata document URL, omitting the /well-known... portion.
  5. Switch to Certificates & Secrets. Create a new client secret and record the generated value as it will not be accessible after you leave the page.

Auth0

  1. Select Create Application (Regular Web App).
  2. Configure Allowed Callback URLs.
  3. Copy client ID and secret.
  4. If you see Vault errors involving signature, check the application's Advanced > OAuth settings and verify that signing algorithm is "RS256".

Gitlab

  1. Visit Settings > Applications.
  2. Fill out Name and Redirect URIs.
  3. Making sure to select the "openid" scope.
  4. Copy client ID and secret.

Google

Main reference: Using OAuth 2.0 to Access Google APIs

  1. Visit the Google API Console.
  2. Create or a select a project.
  3. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
  4. Configure the OAuth Consent Screen. Application Name is required. Save.
  5. Select application type: "Web Application".
  6. Configure Authorized Redirect URIs.
  7. Save client ID and secret.

Keycloak

  1. Select/create a Realm and Client. Visit Settings.
  2. Client Protocol: openid-connect
  3. Access Type: confidential
  4. Standard Flow Enabled: On
  5. Configure Valid Redirect URIs.
  6. Visit Settings. Select Client ID and Secret and note the generated secret.

Okta

  1. Make sure an Authorization Server has been created.
  2. Visit Applications > Add Application (Web).
  3. Configure Login redirect URIs. Save.
  4. Save client ID and secret.