"groups," claim not found in token error

I am trying to configure OIDC login with Azure AD in Hashicorp Vault, but I get this error:

"groups," claim not found in token

It happens only when I try to apply a policy using groups. Using the default group (reader group), it works.

These are all the steps that I did:

Policy configuration:

vault policy write manager manager.hcl

Content of manager.hcl:

path "/secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

vault policy write reader reader.hcl

Content of reader.hcl:

path "/secret/*" {
    capabilities = ["read", "list"]
}

Activate OIDC:

vault auth enable oidc

vault write auth/oidc/config \
        oidc_discovery_url="https://login.microsoftonline.com/{my-tenant-id}/v2.0" \
        oidc_client_id="{my-client-id}" \
        oidc_client_secret="{my-client-secret}" \
        default_role="reader"
vault write auth/oidc/role/reader \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        policies="reader" \
        verbose_oidc_logging="true"

And then, to log in: vault login -method=oidc

With above commands I can login.

The problem comes when I change roles to match OIDC groups (following this doc https://learn.hashicorp.com/vault/identity-access-management/oidc-auth#cli-command-3):

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"
vault write identity/group name="manager" type="external" \
        policies="manager" \
        metadata=responsibility="Manager"
vault write identity/group-alias name="{my-group-hash-1}" \
        mount_accessor={id-of-oidc-config} \
        canonical_id="{group-id-from-above-command}"

And then when I try to log in I get the error "groups," claim not found in token. When I put the token in the jwt.io debugger, there is a list of groups like this:

  "groups": [
    "my-group-hash-1",
    "my-group-hash-2",
    ...
  ],

How can I fix this to define policies based on groups from the token? Vault version is 1.4.2.


Can’t really help specifically here… But you might post some sanitized logging output (from verbose_oidc_logging on) for eyes to see what might be wrong.

Mike, here is the log output:

7/8/2020 11:45:18 AM {"time":"2020-07-08T14:45:18.506835741Z","type":"request","auth":{"token_type":"default"},"request":{"id":"5b…","operation":"read","namespace":{"id":"root"},"path":"auth/oidc/oidc/callback","data":{"code":"","state":"5b15…"},"remote_address":"192.168.77.165"}}

7/8/2020 11:45:18 AM 2020-07-08T14:45:18.725Z [DEBUG] auth.oidc.auth_oidc_bb051602: OIDC provider response: ID token=

7/8/2020 11:45:18 AM 2020-07-08T14:45:18.889Z [DEBUG] auth.oidc.auth_oidc_bb051602: OIDC provider response: claims="{"aio":"ATQ…", "aud":"6b89…", "email":"madalozzo@my-company.com", "exp":1594223118, "family_name":"Madalozzo", "given_name":"myname", "groups":["my-group-hash-1","my-group-hash-2",…], "iat":1594219218, "iss":"https://login.microsoftonline.com//v2.0", "name":"Madalozzo", "nbf":1594219218,"picture":"https://graph.microsoft.com/v1.0/me/photo/$value", "sub":"2kp9YH…", "tid":"", "uti":"C-Iy…", "ver":"2.0"}"

7/8/2020 11:45:18 AM {"time":"2020-07-08T14:45:18.889390887Z","type":"response","auth":{"token_type":"default"},"request":{"id":"5b30…","operation":"read","namespace":{"id":"root"},"path":"auth/oidc/oidc/callback","data":{"code":"","state":"5b15…"},"remote_address":"192.168.77.165"},"response":{"data":{"error":"\"groups,\" claim not found in token"}}}

The only thing that stands out in the config is the oidc_scopes… For Ping/Okta/etc. it is more like:
oidc_scopes="profile,groups"
Where did you get this for Azure?

I’ve configured OIDC with Azure AD yesterday, but I’m using AAD roles instead of groups, so my configuration doesn’t match yours exactly.

One thing I didn’t see you mention is the definition of groupMembershipClaims in the App registration manifest in AAD. Have you checked if it’s there? It should be All or Security as per this documentation: https://www.vaultproject.io/docs/auth/jwt_oidc_providers#azure-active-directory-aad

Mike, I got this from that documentation: https://www.vaultproject.io/docs/auth/jwt_oidc_providers#azure-active-directory-aad

In the OIDC Role config the scope "https://graph.microsoft.com/.default" should be added to add groups to the JWT token, and groups_claim should be set to groups.

Changing oidc_scopes to 'profile,groups', this error occurs: * Vault login failed. No code or id_token received.

Eric, my coworker did this. I think it's set to 'All' because there is a 'groups' property in the token, but I will verify this tomorrow. Btw, can you share your configuration?

Sure!
Note that my oidc_scopes has profile and email as well.

This is my role named oidc in my test environment:

vault read auth/oidc/role/oidc
Key                        Value
---                        -----
allowed_redirect_uris      [https://vault-server:8200/ui/vault/auth/oidc/oidc/callback  http://localhost:8250/oidc/callback]
bound_audiences            <nil>
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               roles
not_before_leeway          0
oidc_scopes                [https://graph.microsoft.com/.default profile email]
policies                   [default]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [default]
token_ttl                  0s
token_type                 default
user_claim                 email
verbose_oidc_logging       false

Created with:

vault write auth/oidc/role/oidc user_claim="email" \
allowed_redirect_uris="https://vault-server:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
groups_claim="roles" \
policies=default \
oidc_scopes="https://graph.microsoft.com/.default,profile,email"

This is my oidc auth backend configuration. It uses the role above (oidc) as default:

vault read auth/oidc/config
    Key                       Value
    ---                       -----
    bound_issuer              n/a
    default_role              oidc
    jwks_ca_pem               n/a
    jwks_url                  n/a
    jwt_supported_algs        []
    jwt_validation_pubkeys    []
    oidc_client_id            12345678-5cJA-44dd-2222-111111111111
    oidc_discovery_ca_pem     n/a
    oidc_discovery_url        https://login.microsoftonline.com/XXXXXXXX/v2.0
    oidc_response_mode        n/a
    oidc_response_types       []

Created with:

vault write auth/oidc/config \
    oidc_client_id="your_client_id" \
    oidc_client_secret="your_client_secret" \
    default_role="oidc" \
    oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"

Then I created the groups and alias via the UI. The alias is of the configured OIDC type, named exactly the same as the Azure AD role. If my user doesn't have any role in that app, I get a message similar to yours.

I hope it helps.


Hi Eric, thank you for your help. I’m struggling with the same today. What a coincidence.

Can you clarify what you mean by "If my user doesn't have any role in that app I get a similar message like yours."?

My user in AAD has several groups (same as roles?) and they are coming through:

2020-07-09T17:49:18.215+0200 [DEBUG] auth.oidc.auth_oidc_6bc84956: OIDC provider response: claims="{"aud":"…","email":"Rudy.Gevaert@…","exp":15…,"family_name":"Gevaert","given_name":"Rudy","iat":…,"iss":"https://login.microsoftonline.com/...../v2.0","name":"Rudy Gevaert","nbf":…,"oid":"…","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","preferred_username":"Rudy.Gevaert@…","roles":["62e…","…","…",],"sub":"…","tid":"…","uti":"…","ver":"2.0"}"

Thank you!


OK, replying to myself. I was able to log in.

client_id='....'
client_secret='...'
role="demo"
policies="default,apolicy"
tenant_id="..."
redirect_uris="http://localhost:8250/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback"

vault auth enable oidc

vault write auth/oidc/config \
    oidc_client_id="${client_id}" \
    oidc_client_secret="${client_secret}" \
    default_role="${role}" \
    oidc_discovery_url="https://login.microsoftonline.com/${tenant_id}/v2.0"

vault write auth/oidc/role/"${role}" user_claim="email" \
    allowed_redirect_uris="${redirect_uris}" \
    policies="${policies}" \
    groups_claim="roles" \
    verbose_oidc_logging="true" \
    oidc_scopes="https://graph.microsoft.com/.default,profile,email"

I still have an issue with the aliasing part. @eric, you already shared this with us (thank you!):

Then I’ve created the groups and alias via UI. The alias of the type of configured OIDC, named exactly the same as the Azure AD role

"named exactly the same as the Azure AD role": is that the Object ID or the readable name of the groups?

Thanks in advance.

Solved!

It was a comma in the wrong place :grimacing:

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \ <--------------------------------------
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"

Thanks to user Ixop on Stack Overflow: https://stackoverflow.com/a/62824168/4796486

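One way to catch this class of mistake before another login round-trip, as an added example that is not part of the thread or of Vault's own code: decode the ID token payload the way the jwt.io debugger does, then apply the same lookup a Vault OIDC role performs for user_claim and groups_claim, and list which external group aliases the token's group values would map to. The claim names, the sample claims and the placeholder client/tenant ids are constructed for the example; the token is built unsigned and the signature is deliberately not checked here, because Vault does that against the provider's JWKS at login and this helper only exists to inspect what the provider sent.

```python
"""Added example: inspect an OIDC ID token's claims against a Vault OIDC role.

Not the thread's code and not Vault's implementation; it mirrors the
role lookup closely enough to reproduce the "claim not found in token"
message, including the trailing-comma case (groups_claim="groups,")."""
import base64
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the payload of a compact JWT (header.payload.signature) as a dict.

    Inspection only: the signature is NOT verified here. Vault verifies it
    during login; this just shows what the provider put in the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_role_claims(claims, user_claim, groups_claim=None):
    """Reproduce the claim lookup a Vault OIDC role performs on the token.

    Returns a list of problem strings; an empty list means the role would be
    satisfied. The hint branch flags the thread's exact mistake: a comma
    inside the quotes makes the configured claim name 'groups,'."""
    problems = []
    if user_claim not in claims:
        problems.append('"%s" claim not found in token' % user_claim)
    if groups_claim:
        if groups_claim not in claims:
            problems.append('"%s" claim not found in token' % groups_claim)
            bare = groups_claim.strip(" ,")
            if bare != groups_claim and bare in claims:
                problems.append('hint: claim "%s" is present; the configured '
                                'groups_claim contains stray punctuation' % bare)
        elif not isinstance(claims[groups_claim], list):
            problems.append('"%s" claim is not a list of group names' % groups_claim)
    return problems


def matching_aliases(claims, groups_claim, alias_names):
    """External group alias names (on the OIDC mount) that the token's group
    values would map to. A group value with no alias grants no policies."""
    groups = claims.get(groups_claim, [])
    if not isinstance(groups, list):
        return []
    return sorted(set(groups) & set(alias_names))


# Constructed sample, shaped like the Azure AD v2.0 claims quoted in the thread.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",   # placeholder client id
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "email": "user@example.com",
    "name": "Example User",
    "groups": ["my-group-hash-1", "my-group-hash-2"],
    "ver": "2.0",
}


def make_unsigned_token(claims):
    """Build a compact JWT with a dummy signature, for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, "not-a-real-signature")


SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    # "groups," is the thread's typo; "roles" is what an app-roles setup emits instead.
    for role_groups_claim in ("groups,", "groups", "roles"):
        print(repr(role_groups_claim), check_role_claims(claims, "email", role_groups_claim))
    print(matching_aliases(claims, "groups", ["my-group-hash-1", "unrelated-alias"]))
```

Run it against a real ID token by replacing SAMPLE_TOKEN with the token string from the verbose OIDC log or the browser, and pass the role's user_claim and groups_claim values verbatim from `vault read auth/oidc/role/<name>`; the "roles" case covers Eric's setup, where Azure emits app roles under a different claim than security groups.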

It’s the readable name.