OIDC auth and groups claim


Eirik Sletteberg
Mar 13, 2019, 7:24:52 AM
to Vault
I want to use the new OIDC auth support feature that's coming soon; I tried the beta version.
The OIDC token I get from Azure AD looks somewhat like this:

{
    "aud": "xxxxx",
    "iss": "xxxxxx",
    "iat": 1552473629,
    "nbf": 1552473629,
    "exp": 1552477529,
    "aio": "xxxxxxx",
    "groups": [
        "928636f4-fd0d-4149-978e-a6fb68bb19de"
    ],
    "name": "xxxx",
    "nonce": "456",
    "oid": "xxxxxx",
    "preferred_username": "xxxxxxx",
    "sub": "xxxxx",
    "tid": "xxxxxxxx",
    "upn": "xxxxxxxxx",
    "uti": "xxxxxx",
    "ver": "2.0"
}

Based on the items in the "groups" field, I want to grant additional policies to the user who has logged in.
Is there supposed to be an automatic mapping between groups in the OIDC token and groups in Vault?
(I can't make it work...)

Jim Kalafut
Mar 13, 2019, 9:48:39 AM
to vault...@googlegroups.com
Hi,

Are you setting groups_claim on the role?


Regards,
Jim

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9ed3b640-64b3-45c2-b9fb-2b08ea3eab97%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Eirik Sletteberg
Mar 13, 2019, 11:06:48 AM
to Vault
Yes, this is what I have configured for the default role:

{
    "policies": [
        "xxxx",
        "xxxxx"
    ],
    "allowed_redirect_uris": [
        "http://localhost:8250/oidc/callback"
    ],
    "bound_subject": "xxxxxxxx",
    "bound_audiences": "xxxxxxxx",
    "user_claim": "upn",
    "groups_claim": "groups",
    "bound_claims": {
    },
    "claim_mappings": {
        "upn": "upn",
        "name": "name",
        "xxxxx": "xxxxx"
    }
}

Jeff Mitchell
Mar 13, 2019, 11:13:05 AM
to Vault
Hi Eirik,

Currently externally sourced groups are not automatically created in
Vault's identity system. We will likely make this configurable at some
point, but the short of it is that a fair number of users in larger
enterprises are attached to hundreds or thousands of groups and if not
all of those were groups they wanted synced to Vault (to allow for
policy grants) then automatically creating them can turn into a
management nightmare. Until it's configurable, you can figure out the
groups you want, then iterate over them, calling
https://www.vaultproject.io/api/secret/identity/group.html#create-a-group
to create a group and
https://www.vaultproject.io/api/secret/identity/group-alias.html#create-a-group-alias
to tie the group name coming from the auth method to the desired local
Vault group.

Best,
Jeff


Eirik Sletteberg
Mar 13, 2019, 11:16:30 AM
to vault...@googlegroups.com
Hey!
That’s what I did - create a group and a group alias manually. Unfortunately, it seems like Vault couldn’t match the two…

{
    "name": "928636f4-fd0d-4149-978e-a6fb68bb19de",
    "type": "external",
    "metadata": {
        "hello": "world"
    },
    "policies": ["foobar", "grouppolicy2"]
}
And then I added a group alias with the same name "928636f4-fd0d-4149-978e-a6fb68bb19de" using the oidc auth accessor and referring to this group, but it seems like Vault doesn’t add my user Entity to the group… could there be a bug somewhere, or maybe I didn’t configure it correctly?
- Eirik

Jeff Mitchell
Mar 13, 2019, 11:23:34 AM
to Vault
Hi there,

The matching piece between a group and alias is the canonical_id --
this value in the alias should match the group's ID value. The name in
the alias should match the name of the group that is coming from the
OIDC token.

So basically:

- Plugin parses the groups from the token
- Plugin puts these group names as part of the auth response
- For each group name in the auth response, Identity looks for a group
alias configured for that mount with the same name
- If found, the canonical_id is used to look up the actual group, and
the entity is added to that group

Best,
Jeff


Eirik Sletteberg
Mar 13, 2019, 11:35:58 AM
to vault...@googlegroups.com
I’m quite sure that this is the way I have configured it already. I even tried creating the group alias via the Vault UI, which makes sure that the canonical_id and auth accessor are set correctly…

Jim Kalafut
Mar 13, 2019, 11:39:13 AM
to vault...@googlegroups.com
Hi,

Can you check the debug logs? After authentication you should see something like:

[DEBUG] identity: creating a new entity: alias="id:"321fae53-e579-9feb-5d46-d4a4bf01da42" canonical_id:"49f42287-8899-39cd-d38f-37cf8055d0b1" mount_type:"jwt" mount_accessor:"auth_jwt_bb6ae3cc"…

Regards,
Jim

Eirik Sletteberg
Mar 13, 2019, 11:49:49 AM
to vault...@googlegroups.com
It looks a little bit different since it’s OIDC:

[DEBUG] identity: creating a new entity: alias="id:"1fdf2d84-5f87-4789-af3e-6cc60590419f" canonical_id:"603b75a3-9ff5-22d9-2159-f500df30f0f2" mount_type:"oidc" mount_accessor:"auth_oidc_8c65cc06" mount_path:"auth/oidc/" metadata:<key:"group1" value:"[\"928636f4-fd0d-4149-978e-a6fb68bb19de\"]" > metadata:<key:"name" value:"xxxxxxxx" > metadata:<key:"yyyyyy" value:"zzzzzz" > metadata:<key:"upn" value:"xxxxxx" > name:"xxxxxxxxx" creation_time:<seconds:1552491728 nanos:280567500 > last_update_time:<seconds:1552491728 nanos:280567500 > namespace_id:"root" "
[DEBUG] identity: refreshing external group memberships: entity_id=603b75a3-9ff5-22d9-2159-f500df30f0f2 group_aliases=["mount_accessor:"auth_oidc_8c65cc06" name:"[\"928636f4-fd0d-4149-978e-a6fb68bb19de\"]" "]
It seems like it’s trying to match the group alias I created manually. But when I check in the Vault UI, the entity hasn’t been added as a member of the group. The double JSON serialization in the "name" field looks strange?
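Jeff's four matching steps above, together with the alias name that Eirik's log line shows, as a small Python model; this is added here and is not Vault's own code. It assumes (constructed, not stated in the thread) that the v1-style token delivers the groups claim as a JSON string rather than a list, which is what yields an alias name of `["9286..."]` that matches nothing; the group name aad-readers, the entity id and the policy are made up.

```python
import json
import uuid

# Constructed sample values taken from the thread's redacted token and log line
AAD_GROUP_ID = "928636f4-fd0d-4149-978e-a6fb68bb19de"
OIDC_ACCESSOR = "auth_oidc_8c65cc06"


class IdentityModel:  # toy model of Vault identity groups and group aliases, not Vault's code
    def __init__(self):
        self.groups = {}   # group id -> {"name", "policies", "members"}
        self.aliases = {}  # (mount_accessor, alias name) -> canonical_id (a group id)

    def create_external_group(self, name, policies):
        gid = str(uuid.uuid4())
        self.groups[gid] = {"name": name, "policies": list(policies), "members": set()}
        return gid

    def create_group_alias(self, name, mount_accessor, canonical_id):
        if canonical_id not in self.groups:  # canonical_id is the group's ID, not its name
            raise ValueError("canonical_id is not an existing group ID")
        self.aliases[(mount_accessor, name)] = canonical_id

    def refresh_external_memberships(self, entity_id, mount_accessor, group_names):
        """Steps 3-4: per name, find the alias on this mount and add the entity to its group."""
        joined, unmatched = [], []
        for name in group_names:
            gid = self.aliases.get((mount_accessor, name))
            if gid is None:
                unmatched.append(name)
                continue
            self.groups[gid]["members"].add(entity_id)
            joined.append(self.groups[gid]["name"])
        return joined, unmatched

def groups_from_token(claims, groups_claim):
    """Steps 1-2: the claim must be a list of strings; model assumption: any other shape
    is carried as one opaque name, reproducing the name:"[\"9286...\"]" seen in the log."""
    value = claims.get(groups_claim, [])
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    return [str(value)]

def demo():
    model = IdentityModel()
    gid = model.create_external_group("aad-readers", ["grouppolicy2"])
    model.create_group_alias(AAD_GROUP_ID, OIDC_ACCESSOR, gid)
    v2 = {"ver": "2.0", "groups": [AAD_GROUP_ID]}              # list of strings: matches
    v1 = {"ver": "1.0", "groups": json.dumps([AAD_GROUP_ID])}  # constructed JSON text: no match
    return [model.refresh_external_memberships("entity-1", OIDC_ACCESSOR,
                                               groups_from_token(c, "groups")) for c in (v2, v1)]
```

The second element of `demo()` lists the unmatched name, which is the quickest check to run against the `group_aliases=[...]` value in the debug log: if it is not exactly an alias name on that mount accessor, no membership is added.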


Eirik Sletteberg
Mar 15, 2019, 8:20:20 AM
to Vault
I managed to solve this eventually. I was using Azure AD as OIDC provider, with v1 tokens - with v2 tokens, it worked.

Jim Kalafut
Mar 15, 2019, 9:06:18 AM
to vault...@googlegroups.com
Oh nice, and good to know about the AAD token versions. I do plan to add Azure to the provider setup docs, so that’s a useful bit of info.

Regards, 
Jim


Jim Kalafut
Mar 27, 2019, 12:49:57 PM
to Vault
Hi Eirik,

I'd like to update the OIDC configuration docs with AAD information. During my test setup, I didn't run into a v1/v2 distinction and I am not sure how to describe that part of the setup. If you have any additional tips, feel free to comment on the PR: https://github.com/hashicorp/vault/pull/6485/files#diff-417265f8ec9781438e66b98b19dcd79fR15

Thanks,
Jim

Dima Kassab
Oct 24, 2019, 3:32:02 PM
to Vault
I'm trying to set up oidc/AAD auth, but I get this error after I click on 'sign in':

The callback from the provider did not supply all of the required parameters. Please click Sign In to try again. If the problem persists, you may want to contact your administrator.

This is my configuration:

vault write auth/oidc/config \
    oidc_discovery_url="https://{{ azure_url }}/{{ azure_tenant_id }}/" \
    oidc_client_id="{{ azure_client_id }}" \
    oidc_client_secret="{{ azure_client_secret }}" \
    default_role="reader"

vault write auth/oidc/role/reader \
    allowed_redirect_uris="{{ lookup('env', 'VAULT_ADDR') }}/ui/vault/auth/oidc/oidc/callback" \
    user_claim="email" \
    policies="{{ policiesEnv | join(',') }}"

Any help is greatly appreciated!

Thank you,
Dima

Becca Petrin
Oct 25, 2019, 5:59:10 PM
to Vault
Hi Dima,

This doesn't directly answer your question, but we do have docs on how to authenticate to Vault using an Azure Active Directory native auth method: https://www.vaultproject.io/docs/auth/azure.html. I was curious about why you selected OIDC instead? Is it possible to move over to the other one?

Thanks!
Becca

Dima Kassab
Oct 30, 2019, 8:13:00 AM
to Vault
Hi Becca,

Thank you for responding :)

We were able to resolve the issue above. We weren't configuring AAD correctly.

We're under the impression that the Azure native auth method doesn't provide access through the UI. Please correct me if I'm wrong.

Thank you,
Dima

Becca Petrin
Oct 30, 2019, 12:15:42 PM
to Vault
Hi Dima,

Good question! I don't have credentials to use for fully testing it, but when I go into the present Vault UI, I do see it listed under the auth methods that can be enabled through the UI. I would expect that configuring roles could also be done there. However, I do also see that Azure isn't present in the login drop-down. 

Thanks for pointing that out! I'll make sure we have a ticket open internally as a feature request.

-Becca

Dustin Minnich
Feb 4, 2020, 11:05:33 AM
to Vault
Is

> Currently externally sourced groups are not automatically created in Vault's identity system.

still true?


"groups_claim (string: <optional>) - The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings."

I'm not seeing aliases being created upon login.

Jim Kalafut
Feb 4, 2020, 11:34:30 AM
to Vault
Hi,

That's correct. External groups and group aliases must be created in advance. Entity aliases are created automatically upon logon. If there exist group aliases for any of the groups in the "groups_claim" data, then the entity is added to those groups.

Regards,
Jim

Srikant Patil
Apr 2, 2020, 11:14:40 AM
to Vault
Hi Eirik Sletteberg,

I have authenticated Vault with Azure AD and users are able to access it, but I am not able to manage Vault secrets access with AD roles. Does it support that?

Thanks in advance

Caleb Filz
Apr 2, 2020, 11:17:49 AM
to vault...@googlegroups.com
You have to create an external group in Vault and give the group an alias with the name that matches back to the group ID in AAD. I just wrote a PowerShell script to do this yesterday.

Srikant Patil
Apr 2, 2020, 11:29:19 AM
to Vault
Thanks Caleb, what I understood is below:

1) Create an external group, i.e. "reader"
2) The alias of group "reader" would be "xx.sfqef.wqerqw.er" (the Group ID)

So when I log in with a user which is part of the group, then Vault should be accessible.

Caleb Filz
Apr 2, 2020, 11:45:24 AM
to vault...@googlegroups.com
In the example you sent earlier the alias name would be 928636f4-fd0d-4149-978e-a6fb68bb19de, aka the group ID from AAD. Also note that on your role configuration you do have to have group_claims set to "groups". Also, when creating the group alias, make sure to set the backend to the mount for your AAD OIDC connector.

Srikant Patil
Apr 3, 2020, 1:35:11 AM
to Vault
Awesome Caleb, Thanks for helping me out.

If you don't mind, could you please explain what your PowerShell script does? What is the use of a PowerShell script in Vault? Is it creating the group and the OIDC role?

Thanks

