Hi,
I have a question on how to expose Vault (CLI and UI) publicly without using any VPN or IP filtering. This would fit in the zero trust networking architecture we want to roll out for other apps as well.
The setup I currently have is hosted on an EKS cluster using Consul and KMS auto unseal. I've enabled the OKTA auth backend and the integration works perfectly.
Now the trick is how I can expose this easily using OIDC integration. I was thinking of setting up an OIDC proxy (oauth2_proxy/vouch/pomerium) and linking this to OKTA. Once logged in, it redirects back to Vault.
This works, but will of course redirect to the login screen. Is it possible to pass the JWT token and log in directly without going via the UI and logging in again? Another issue is the CLI, since this will break the login flow?
If anyone has done something similar, I'd be happy to know.