luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/pages/docs/auth/jwt_oidc_providers.mdx
Junya Ogasawara 0a13195450
Reduce a required permission for OIDC with AzureAD (#9785) 
`Group.Read.All` is too permissive policy to achieve external groups
feature. `GroupMembers.Read.All` is enough for that purpose.

MicroSoft Graph API Permission reference follows
https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-23
2020-08-20 00:00:31 -07:00

223 lines
10 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: OIDC Provider Setup - Auth Methods
description: OIDC provider configuration quick starts
---
# OIDC Provider Configuration
This page collects high-level setup steps on how to configure an OIDC
application for various providers. For more general usage and operation
information, see the [Vault JWT/OIDC method documentation](/docs/auth/jwt).
OIDC providers are often highly configurable and you should become familiar with
their recommended settings and best practices. The instructions below are
largely community-driven and intended to help you get started. Corrections
and additions may be submitted via the [Vault Github repository](https://github.com/hashicorp/vault).
## Azure Active Directory (AAD)
Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)
1. Register or select an AAD application. Visit Overview page.
1. Configure Redirect URIs ("Web" type).
- You may include two redirect URIs, one for CLI access another one for Vault UI access.
- http://localhost:8250/oidc/callback
- https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
1. Record "Application (client) ID" as you will need it as the oidc_client_id
1. Under API Permissions grant the following permission:
- Microsoft Graph API permission [GroupMember.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-23)
1. Under "Endpoints", copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion.
- The endpoint url (oidc_discovery_url) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
1. Switch to Certificates & Secrets. Create a new client secret and record the generated value as
it will not be accessible after you leave the page.
Please note [Azure AD v2.0 endpoints](https://docs.microsoft.com/en-gb/azure/active-directory/develop/azure-ad-endpoint-comparison)
are required for [external groups](/docs/secrets/identity#external-vs-internal-groups) to work.
- `groupMembershipClaims` should be changed from `none` in the
[App registration manifest](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest).
Options are "All" or "SecurityGroup"
- In the [OIDC Role config](/api/auth/jwt#create-role)
the scope `"https://graph.microsoft.com/.default"` should be added to add groups
to the jwt token and `groups_claim` should be set to `groups`.
- Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](/api/secret/identity/group-alias) for the external group.
### CLI setup instructions:
You have to fill in the following values make sure to use the correct vault secret
path that matches the name of the authentication method such as /oidc/
- oidc_client_id = Application Client ID
- oidc_client_secret = Secret obtained from the Certificates & Secrets Section
- default_role = default role the user will be using when connecting. (see the second command)
- oidc_discovery_url = Open ID endpoint retrieved from the App Registration sections.
```
vault write auth/oidc/config \
oidc_client_id="your_client_id" \
oidc_client_secret="your_client_secret" \
default_role="your_default_role" \
oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
```
```
vault write auth/oidc/role/demo user_claim="email" \
allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
groups_claim="groups" \
policies=default
```
### Azure-specific handling configuration
If a user is a member of more than 200 groups (directly or indirectly), extra configuration is required so that vault can fetch the groups properly.
- Set `"provider_config"` to azure (see below)
- Grant the AAD application `Directory.Read.All` permission under "Azure Active Directory Graph" API Permissions (legacy API).
- Add `"profile"` to `oidc_scopes` so the user's id comes back on the jwt token.
```
vault write auth/oidc/config -<<"EOH"
{
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
"provider_config": {
"provider": "azure"
}
}
EOH
```
```
vault write auth/oidc/role/demo \
user_claim="email" \
allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
groups_claim="groups" \
oidc_scopes="profile" \
policies="default"
```
## Auth0
1. Select Create Application (Regular Web App).
1. Configure Allowed Callback URLs.
1. Copy client ID and secret.
1. If you see Vault errors involving signature, check the application's Advanced > OAuth settings
and verify that signing algorithm is "RS256".
## Gitlab
1. Visit Settings > Applications.
1. Fill out Name and Redirect URIs.
1. Making sure to select the "openid" scope.
1. Copy client ID and secret.
## Google
Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/OAuth2)
1. Visit the [Google API Console](https://console.developers.google.com).
1. Create or a select a project.
1. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
1. Configure the OAuth Consent Screen. Application Name is required. Save.
1. Select application type: "Web Application".
1. Configure Authorized Redirect URIs.
1. Save client ID and secret.
### Google-specific handling configuration
Provider specific configuration is available when using Google as an identity provider from the
Vault JWT/OIDC auth method. The configuration allows Vault to obtain G Suite group membership and
user information during the JWT/OIDC authentication flow. The group membership obtained from G Suite
may be used for Identity group alias association. The user information obtained from G Suite can be
used to copy claims data into resulting auth token and alias metadata via [claim_mappings](/api/auth/jwt#claim_mappings).
#### Setup
To set up the Google-specific handling, you'll need:
- A G Suite account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en)
for granting domain-wide delegation API client access.
- The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts).
The Google-specific handling that's used to fetch G Suite groups and user information in Vault uses
[G Suite Domain-Wide Delegation of Authority](https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
for authentication and authorization. You need to follow **all steps** in the [guide](https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
to obtain the key file for a Google service account capable of making requests to the G Suite
[User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and
[Groups](https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups) APIs.
In **step 5** within the section titled
[Delegate domain-wide authority to your service account](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account),
the only OAuth scopes that should be granted are:
- `https://www.googleapis.com/auth/admin.directory.group.readonly`
- `https://www.googleapis.com/auth/admin.directory.user.readonly`
~> This is an **important security step** in order to give the service account the least set of privileges
that enable the feature.
#### Configuration
- `provider` `(string: <required>)` - Name of the provider. Must be set to "gsuite".
- `gsuite_service_account` `(string: <required>)` - Path to the Google service account key file obtained from setup.
- `gsuite_admin_impersonate` `(string: <required>)` - Email address of a G Suite admin to impersonate.
- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from G Suite.
- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from G Suite using the configured [user_custom_schemas](#user_custom_schemas).
- `groups_recurse_max_depth` `(int: <optional>)` - Group membership recursion max depth. Defaults to 0, which means don't recurse.
- `user_custom_schemas` `(string: <optional>)` - Comma-separated list of G Suite [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas).
Values set for G Suite users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/api/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true.
Example configuration:
```
vault write auth/oidc/config -<<EOF
{
"oidc_discovery_url": "https://accounts.google.com",
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"provider_config": {
"provider": "gsuite",
"gsuite_service_account": "/path/to/service-account.json",
"gsuite_admin_impersonate": "admin@gsuitedomain.com",
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5,
"user_custom_schemas": "Education,Preferences"
}
}
EOF
```
Example role:
```
vault write auth/oidc/role/your_default_role \
allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
user_claim="sub" \
groups_claim="groups" \
claim_mappings="/Education/graduation_date"="graduation_date" \
claim_mappings="/Preferences/shirt_size"="shirt_size"
```
## Keycloak
1. Select/create a Realm and Client. Select a Client and visit Settings.
1. Client Protocol: openid-connect
1. Access Type: confidential
1. Standard Flow Enabled: On
1. Configure Valid Redirect URIs.
1. Save.
1. Visit Credentials. Select Client ID and Secret and note the generated secret.
## Okta
1. Make sure an Authorization Server has been created. The "Issuer" field shown on the Setting page
will be used as the `oidc_discovery_url`.
1. Visit Applications > Add Application (Web).
1. Configure Login redirect URIs. Save.
1. Save client ID and secret.
Note your policy will need `oidc_scopes` to include `profile` to get a full profile ("[Fat Token](https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token)"). You will also need to configure bound audience along the lines of `"bound_audiences": ["api://default", "0a4........."]` if you are using the default authorization server.
Reference in a new issue View git blame Copy permalink