OIDC/JWT

The Vault JWT/OIDC auth backend is an authentication method provided by HashiCorp Vault, a secrets management tool. It lets users and workloads authenticate to Vault and access its secrets using JSON Web Tokens (JWT) and the OpenID Connect (OIDC) protocol.

With this backend, Vault can be configured to authenticate against external identity providers that support OIDC, such as Google, Azure Active Directory, Okta, or others. When a user attempts to access Vault, they are redirected to the OIDC provider's login page, where they authenticate and receive a JWT.

Once the user holds the JWT, they present it to Vault for authentication. The Vault JWT/OIDC auth backend

  • verifies the token's validity including its signature and expiration
  • maps the user's identity to a Vault policy.

Based on the policy, the user is granted a set of permissions to access secrets within Vault.

This backend enhances security by leveraging OIDC's robust authentication mechanisms and allows Vault to integrate seamlessly with existing identity providers. It provides a central authentication point, ensuring that only authorized users can access and manage sensitive data stored in Vault.

The two we primarily use are GitLab and Scalr.

::: tip
The OIDC login is for personal use. JWT is more for our pipelines and automation.
:::

Terraform Examples

The following Terraform examples belong in the Vault project managed by your Vault admins; that project is what creates the resources in your namespace.

`path` is the mount path that is referenced when creating an auth_role for the backend.

GitLab

resource "vault_jwt_auth_backend" "jwt-v2" {
  provider    = vault.sub_namespace
  description = "Authorize JWT generated by GitLab. Managed with terraform. for id tokens"
  path        = "jwt-v2"
  # Signing keys are fetched from GitLab's JWKS endpoint; tokens must carry this issuer.
  jwks_url     = "https://gitlab.com/oauth/discovery/keys"
  bound_issuer = "https://gitlab.com/"
  tune {
    default_lease_ttl            = "30m"
    max_lease_ttl                = "1h"
    # Log the requested role and any error unhashed in the audit device.
    audit_non_hmac_request_keys  = ["role"]
    audit_non_hmac_response_keys = ["error"]
    token_type                   = "default-service"
  }
}
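A role for the GitLab backend above, added here as an illustration and not taken from the original page or our Vault project. The project path, audience, and policy name are placeholder assumptions; bound_claims and bound_audiences are the checks that stop a valid GitLab token from any other project, branch, or job from using this role:

```hcl
# Added example: role on the jwt-v2 backend. Project path, audience and
# policy name below are assumed placeholders, not values from the page.
resource "vault_jwt_auth_backend_role" "gitlab_deploy" {
  provider  = vault.sub_namespace
  backend   = vault_jwt_auth_backend.jwt-v2.path
  role_name = "gitlab-deploy"
  role_type = "jwt"

  # Must equal the `aud` the CI job sets in its id_tokens block; a token
  # minted for another audience is rejected.
  bound_audiences = ["https://vault.example.internal"]

  # Every claim here must match exactly ("string" type), so tokens from
  # other projects, other branches or merge-request pipelines cannot log in.
  bound_claims_type = "string"
  bound_claims = {
    project_path = "my-group/my-app" # assumed project
    ref_type     = "branch"
    ref          = "main"
  }

  # Identity recorded in audit logs and used for the entity alias.
  user_claim = "user_login"

  # Least privilege: only the policy this pipeline needs, short-lived,
  # and within the backend's max_lease_ttl of 1h.
  token_policies = ["my-app-deploy"] # assumed policy name
  token_ttl      = 600
  token_max_ttl  = 1800
}
```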

Spakl Auth

resource "vault_jwt_auth_backend" "jwt_spakl" {
  provider    = vault.sub_namespace
  description = "Authorize JWT generated by Spakl auth. Managed with terraform. for id tokens"
  path        = "jwt-spakl"
  # Signing keys come from the Spakl JWKS endpoint; tokens must carry this issuer.
  jwks_url     = "https://auth.spakl.io/oauth/v2/keys"
  bound_issuer = "https://auth.spakl.io"
  tune {
    default_lease_ttl            = "30m"
    max_lease_ttl                = "1h"
    audit_non_hmac_request_keys  = ["role"]
    audit_non_hmac_response_keys = ["error"]
    token_type                   = "default-service"
  }
}

Scalr

resource "vault_jwt_auth_backend" "scalr-jwt-auth" {
  provider    = vault.sub_namespace
  description = "Scalr JWT auth method"
  path        = "scalr-jwt"
  type        = "jwt"
  bound_issuer = "https://scalr.io"
  jwks_url     = "https://scalr.io/.well-known/jwks"
  tune {
    # Hidden from the UI mount listing; automation addresses it by path.
    listing_visibility           = "hidden"
    default_lease_ttl            = "45m"
    max_lease_ttl                = "2h"
    audit_non_hmac_request_keys  = ["roles"]
    audit_non_hmac_response_keys = ["error"]
    # Batch tokens: not persisted, not renewable, suited to short pipeline runs.
    token_type                   = "batch"
  }
}