We’ve set up OIDC as our login method for the web interface, and now we’re looking to disable token logins. I think I just need to run `vault auth disable token/`, but I’m hoping that doesn’t stop tokens for the CLI.
The token auth backend is core functionality of Vault which cannot be disabled.
This is because a token is what results from logging in with any other auth method.
Logging in with the token auth method isn’t really logging in - it’s really saying “I already logged in and here’s the evidence”.
Noted. Perhaps “disabled” should be replaced with “hidden” then?
Updating settings under `/sys/auth` – would that work better?
No such setting exists.
Is the ‘listing_visibility’ setting not valid for the token login? /sys/auth - HTTP API | Vault by HashiCorp