Confirm client idenity with an OIDC identity provider
Implementing zero-trust architecture requires providing identity-based access to services within an organization. OpenID Connect (OIDC) allows clients to confirm their identity through an identity provider. Vault 1.9.0 introduced the ability to configure Vault as an OIDC identity provider with authorization code flow.
In this tutorial, you will setup Vault as an OIDC provider. To demonstrate this feature, you will configure Boundary to leverage Vault as an identity provider and perform secure authentication.
Note
Boundary operates as a confidential OIDC client in this tutorial. To configure a public OIDC client, refer to the OIDC Provider documentation.
Prerequisites
To perform the tasks described in this tutorial, you need to have:
A Boundary environment. Refer to the Getting Started tutorial to install Boundary.
A Vault environment of version 1.10 or later. Refer to the Getting Started tutorial to install Vault locally or create a Vault cluster on HCP.
Note
This feature was first introduced in Vault 1.9 as a Technical Preview feature. As of Vault 1.10, it is generally available.
Policy requirements
For the purpose of this tutorial, you will use root
token to work with Vault
running in development mode.
When you are working with non-development Vault environment, your token policy must include the following permissions:
If you are not familiar with policies, complete the policies tutorial.
Lab setup
Start Vault
In another terminal, start a Vault dev server with root
as the root token.
The Vault dev server defaults to running at 127.0.0.1:8200
. The server is
initialized and unsealed.
Insecure operation
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and runs in an insecure way.
Open another terminal session, and export an environment variable for the
vault
CLI to address the Vault server.
Export an environment variable for the vault
CLI to authenticate with the
Vault server.
Note
For these tasks, you can use Vault's root token. However, it is recommended that root tokens are only used for enough initial setup or in emergencies. As a best practice, use an authentication method or token that meets the policy requirements.
The Vault server is ready.
Configure Vault authentication
Vault auth methods authenticate, assign identity and policies to a client. When Vault acts as an OIDC provider, it is the source of identity and these auth methods verify that identity.
Enable the userpass auth method at the default path.
Create a policy granting the user read capabilities on the authorization endpoint.
Example expected output:
Create a user named
end-user
with the passwordpassword
, and add theoidc-auth
policy.Example expected output:
This user authenticates with Vault and is assigned the default access policy along with the oidc-auth policy.
Learn More
For more information refer to the Userpass Auth Method documentation.
Create Vault identity entity and group
A client may have multiple accounts with various identity providers that are enabled on the Vault server. Vault clients can be mapped as entities and their corresponding accounts with authentication providers can be mapped as aliases.
Create an identity entity with details about the
end-user
.The
end-user
metadata contains their email address and phone number.Create a variable named
ENTITY_ID
that stores the ID assigned to the entity.Create an identity group with the name
engineering
with end-user as a member.Create a variable named
GROUP_ID
that stores the ID assigned to the group.The
end-user
entity is a member of theengineering
group. An entity alias maps an entity to client of an authentication method. This mapping requires the entity ID and the authentication accessor ID.Create a variable named
USERPASS_ACCESSOR
that stores the accessor value of the userpass authentication method.Create an entity alias that maps the
end-user
entity with theend-user
userpass user.The entity and the userpass user are aliases of one another.
Learn More
Explore identity in the entities and groups tutorial.
Create a Vault OIDC client
A Vault OIDC client connects a resource called an OIDC assignment, an encryption key, client callback URL and the time-to-live on verification together.
An OIDC assignment describes the list of the Vault entities and groups allowed to authenticate with this client.
Create an assignment named
my-assignment
that authorize theend-user
entity and andengineering
group.The Vault OIDC authentication process requires an encryption key to sign and verify the JSON web tokens (JWT) that are produced by the authentication flow.
Create a key named
my-key
.The key is usable by all Vault OIDC clients as
allowed_client_ids
is set to*
.Create an OIDC client named
boundary
.The
redirect_uris
describe the callback URL for the client. The valuehttp://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback
is the address of a Boundary service running on its default port. Theassignments
limits access the entities and groups defined inmy-assignment
. Theid_token_ttl
sets the expiration on the ID token to 30 minutes. Theaccess_token_ttl
sets the expiration of the Access token to 1 hour.Create a variable named CLIENT_ID to store the
client_id
field of theboundary
client.
Create a Vault OIDC provider
A Vault OIDC provider supports one or more clients and Vault OIDC scopes. These scopes define metadata claims expressed in a template. Claims are key-value pairs that contain information about a user and the OIDC service.
Create a variable named
USER_SCOPE_TEMPLATE
that stores the user scope template.This template retrieves the
email
andphone_number
from the metadata of an entity.Define a Vault OIDC scope named
user
with the user scope template.Create a variable named
GROUPS_SCOPE_TEMPLATE
that stores the group scope template.This template retrieves the names of all the groups defined.
Define a Vault OIDC scope named
groups
with the groups scope template.The Vault OIDC provider requires a list of client IDs and scopes.
Create an Vault OIDC provider named
my-provider
.The provider grants the
boundary
client access.Display the Vault OIDC configuration endpoint.
Show Vault OIDC public keys.
Start Boundary
Boundary enables secure access to dynamic infrastructure. The development server brings up a fully functioning instance of Boundary. Refer to the Install Boundary tutorial if you are not familiar with installing Boundary.
In another terminal, start Boundary in development mode.
Switch back to the other terminal and authenticate with the Boundary as the admin user.
The Boundary server is ready.
Configure Boundary OIDC auth
Boundary supports authentication through OIDC.
Create a variable named
ISSUER
that stores theissuer
field of the Vault OIDC provider namedmy-provider
.Create a variable named
CLIENT_SECRET
that stores theclient_secret
field of Vault OIDC client namedboundary
.Create a new oidc authentication method configured to use the Vault OIDC provider.
Create a variable named
AUTH_METHOD_ID
that stores the ID of the authentication method.Change the state of the auth method to
active-public
.Enable the auth method to operate in the
global
scope.
Boundary OIDC authentication is configured and ready for the end-user
to
authenticate.
Authenticate with Boundary
Launch the Boundary UI at http://127.0.0.1:9200 to authenticate.
By default the Boundary UI places you in the
Global
scope.Select Vault OIDC Provider.
Click Authenticate
Boundary redirects to the Vault authentication page in a new window.
Navigate to the Vault authentication window created by Boundary.
Pop-up Blocking
If you do not see the new window ensure that the browser has not blocked it.
Select Username from the Method drop-down list.
Enter
end-user
in the Username text field.Enter
password
in the Password text field.Click Sign In.
The authentication process completes and redirects back to Boundary.
Next steps
In this tutorial, you configured Vault as an OIDC provider with Boundary as a client. Learn more about configuring Vault as an OIDC provider by reading the documentation. Boundary is able to provide access to dynamic infrastructure.
To learn more about Boundary, visit Boundary Learn.