Review / test request: OAuth / OpenID Connect Authentication Method


Phil Frost

Sep 6, 2018, 7:25:25 PM
to vault...@googlegroups.com

I've implemented a Vault plugin which can authenticate against OpenID Connect providers such as Google, Okta, Azure AD, AWS Cognito, Dex, and Auth0.

This plugin implements a complete OAuth client which not only validates identity tokens but handles obtaining them as well. A complete, well-reviewed OAuth client is the best guard against implementation errors in this security-critical component. Since the existing JWT/OIDC method does not implement a client, in practice it gets hacked together with curl and bash, and that's not good.

Furthermore this new plugin implements the OAuth client in the Vault server. I believe this approach provides significant security advantages as the OAuth client secret does not need to be distributed to every potential Vault user.

I'd appreciate code and security reviews, as well as assistance testing against additional providers. I've tried Google and Dex personally. Extending support to OAuth but not OIDC providers (GitHub for example) should not be difficult.

Vasilev Vjacheslav

Sep 7, 2018, 2:11:28 PM
to Vault
Hi, nice plugin. Would you mind taking a look at the Keycloak implementation? It's possible to map roles directly from the JWT.

BALA KRISHNA KARANAM

Jul 18, 2019, 9:49:20 AM
to Vault
Hi Phil,
How can I work with OIDC from a client using the CLI, without a Windows browser?