OIDC auth roles: is it possible to configure list of allowed values for arbitrary claims?


Roly Vicaria
Apr 1, 2019, 6:38:26 PM
to Vault
Hello,

Question on oidc role configuration: is there a way to restrict a role to a particular list of possible values for a given claim? My specific use case is with Google auth, where I don't have a "group" or "department" claim on the incoming JWT, and I think the easiest solution would be if I could configure the role to allow a specific list of allowed emails for the "email" claim. Anything like that possible today or on the roadmap?

Thanks.

Jim Kalafut
Apr 2, 2019, 1:48:23 AM
to vault...@googlegroups.com
Hi,

A more elaborate claims matching definition like you’ve described has been discussed but isn’t available now.

If your auth provider allows custom claims that can be populated via configurable rules (I don’t know enough about GCP to say), then there may be a way to have the allowed list at that level feeding a custom claim, plus a bound claim on the role. Also, if the allowed emails are part of a G Suite, then the “hd” claim may be usable. 

Regards,
Jim

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d879f311-998d-47b9-a570-e37ebe1e1bc5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Roly Vicaria
Apr 2, 2019, 2:37:57 PM
to Vault
Thanks Jim. I did configure a binding with the "hd" claim, but I have no way currently to limit it to a subset of the company. I've been googling how to add custom claims, but haven't found anything yet. I have different roles set up for managing dev, qa, staging, and prod, and so far I'm just not telling the full team about the different roles. (I hope they don't find this thread.) I think I need a way to specify allowed emails per role.



Jim Kalafut
Apr 9, 2019, 6:55:03 PM
to vault...@googlegroups.com
Hi Roly (and others who have asked about this capability),

The bound_claims capability was just expanded and will be in an upcoming Vault release: https://github.com/hashicorp/vault-plugin-auth-jwt/pull/41

You’re welcome to build the plugin yourself to try it now.

Regards,
Jim


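To make the expanded bound_claims behaviour Jim refers to concrete, here is a small stand-alone matcher written for this thread (it is an added example, not code from Vault or the vault-plugin-auth-jwt plugin). It assumes the semantics the thread asks for: a role binds a claim name to one value or a list of allowed values, a token is admitted to the role only if every bound claim is present and matches one of them, and a missing claim is always a deny. The role definitions and token claims are constructed.

```python
"""Per-role allow-lists on arbitrary JWT claims, in the style of Vault's
bound_claims. Example code for this thread; not the plugin's own logic."""


def role_allows(bound_claims: dict, claims: dict) -> bool:
    """True only if every bound claim exists in the token and its value is
    one of the role's allowed values. A claim whose value is itself a list
    (e.g. a groups claim) matches when any element is allowed."""
    for name, allowed in bound_claims.items():
        allowed_set = {allowed} if isinstance(allowed, str) else set(allowed)
        actual = claims.get(name)
        if actual is None:
            return False  # absent claim must deny, never act as a wildcard
        actual_values = actual if isinstance(actual, list) else [actual]
        if not any(v in allowed_set for v in actual_values):
            return False
    return True


# Constructed roles: the Google hosted-domain ("hd") claim keeps the
# binding to the company, and an "email" allow-list narrows each
# environment to the people who should reach it.
ROLES = {
    "dev":  {"hd": "example.com",
             "email": ["alice@example.com", "bob@example.com"]},
    "prod": {"hd": "example.com",
             "email": ["alice@example.com"]},
}


def roles_for(claims: dict) -> list:
    """Names of the roles whose bound_claims the token satisfies,
    in the order the roles were defined."""
    return [name for name, bc in ROLES.items() if role_allows(bc, claims)]


if __name__ == "__main__":
    # Constructed token claims, as a Google ID token would carry them.
    bob = {"iss": "https://accounts.google.com", "hd": "example.com",
           "email": "bob@example.com", "email_verified": True}
    print(roles_for(bob))  # → ['dev']
```

Because the match is an exact string comparison, a token from another hosted domain or with no "hd" claim at all is rejected even when the email happens to be on the list.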

Roly Vicaria
Apr 14, 2019, 12:06:13 AM
to Vault
Works great! Thanks.