Identity entity must be associated with the request

Hello everyone,
Hope you are doing fine.

I am using Vault v1.12.2.
I am trying to use Vault itself as an OIDC provider.
I am following the article below.

I am able to use the APIs (key, entity, group, assignment, client, provider, scope).
But when I try to use the /authorize endpoint I get the "identity entity must be associated with the request" validation message. When I look at the Vault source code, an EntityID needs to be supplied as part of the authorize request, but I don't know how to send the EntityID as part of the request. I mean in the header, body or as a param?

I am using Postman to test the flow.

Sample request url:
https://localhost:8200/v1/identity/oidc/provider/test-provider/authorize?response_type=code&client_id=kE2dZMcuPkBjSv7u36y2uT0YRGw7s8zK&state=abcdefg&nonce=hijklmn&scope=openid&redirect_uri=http://localhost:41330/callback

Please help me with this issue.

Thanks
Samy

@austingebauer could you please assist on this one?

The Vault token you provide to the /authorize endpoint must have an identity entity associated with it. Which Vault token are you using to authenticate the request?

Also, is there a reason that you’re trying to interact with the /authorize endpoint directly? Generally, this interaction is handled within the OIDC flow which involves a browser. I’d say you’re likely using the OIDC provider incorrectly if you’re interacting with the /authorize endpoint via something like postman.

@austingebauer Thank you very much for your quick response…

I am new to using Vault as an OIDC identity provider. I am following the steps below. Kindly review them and let me know if I am missing any steps.

I initialized and unsealed Vault and got the root token and master keys.

Step 1: I am using the root token to perform the following operations.
Step 2: Create a key
Request:
Data: map[string]interface{}{
    "allowed_client_ids": []string{"*"},
    "algorithm":          "RS256",
}

Step 3: Create an entity
Request:
Data: map[string]interface{}{
    "name": "test-entity",
    "metadata": map[string]string{
        "email":        "test@hashicorp.com",
        "phone_number": "123-456-7890",
    },
}
Step 4: Create a group
Request:
Data: map[string]interface{}{
    "name":              name,
    "member_entity_ids": []string{<Step 3 entity ID>},
    "member_group_ids":  nil,
}
Step 5: Create an assignment
Data: map[string]interface{}{
    "entity_ids": []string{<Step 3 entity ID>},
    "group_ids":  []string{<Step 4 group ID>},
}
Step 6: Create a client
Data: map[string]interface{}{
    "key":              "<Step 2 key>",
    "redirect_uris":    []string{"https://localhost:8251/callback"},
    "assignments":      []string{"<Step 5 assignment>"},
    "id_token_ttl":     "24h",
    "access_token_ttl": "24h",
}
Step 7: Create a custom scope
Data: map[string]interface{}{
    "template": `{"groups": {{identity.entity.groups.names}}}`,
}

Step 8: Create a provider
Data: map[string]interface{}{
    "allowed_client_ids": []string{<Step 6 client ID>},
    "scopes_supported":   []string{"<Step 7 scope>"},
}
Step 9: Invoke the authorize endpoint.
Data: map[string]interface{}{
    "client_id":     <Step 6 client ID>,
    "scope":         "openid",
    "redirect_uri":  "https://localhost:8251/callback",
    "response_type": "code",
    "state":         "abcdefg",
    "nonce":         "hijklmn",
}
During this endpoint invocation I am getting the "identity entity must be associated with the request" validation message.

How do I associate an entity with the Vault root token? Or do I need to generate another Vault token to perform these operations?

I am referring to the identity_store_oidc_provider_test.go source file from the Vault source code and the TestOIDC_Path_OIDC_Authorize method.

Please provide some advice on this.

Note:

  1. I am using Postman to test the flow.
  2. I am using Vault version 1.12.2.

Thanks & Regards
Samy

You cannot do this. Instead you must enable and configure an auth method in Vault, then log in using the auth method.

Having done so, your login will then be associated with an entity in the Vault identity system - unlike a root token.

Thank you @maxb, I am able to progress. I enabled the userpass auth method and created a new user, associated this user with another entity, used that user's token to make the /authorize request, and it succeeded.

@maxb I have tested the end-to-end flow once and it succeeded. But I have one doubt: how are the auth method users automatically linked with a Vault OIDC entity?
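The flow maxb describes, written out as vault CLI commands, as an added example that is not code from this thread or from HashiCorp. It also answers the linking question in the last post: the link between an auth-method user and an entity is an entity alias, keyed by the auth mount's accessor and the username. On login Vault looks that alias up; if none exists it creates a new entity and alias automatically, which is why a fresh userpass login already has an entity while the root token never does. Creating the alias yourself before the first login, as the script does, ties the login to a specific pre-built entity (for example one whose metadata or group membership you want in the ID token). The user name (samy), password, object names (test-key, test-client, test-provider, the groups scope), metadata and redirect URI are assumptions for the demo; it needs a running Vault reachable via VAULT_ADDR, a VAULT_TOKEN with admin rights, the vault CLI and curl, and runs the live part only when RUN_VAULT_DEMO=1 is set. The helper at the top builds the browser form of the same /authorize request with proper URL encoding.

```shell
#!/bin/sh
# Added example (not from the thread or HashiCorp): Vault as an OIDC provider,
# with /authorize called by a token that carries an identity entity.
# Assumed names: samy, samy-entity, test-key, test-assignment, test-client,
# test-provider, scope "groups", redirect http://localhost:41330/callback.
set -eu
: "${VAULT_ADDR:=https://localhost:8200}"

# Percent-encode a string per RFC 3986 (unreserved characters pass through).
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# The GET form of the authorize request, i.e. the URL a browser is sent to.
# Arguments: provider client_id redirect_uri state nonce
authorize_url() {
  printf '%s/v1/identity/oidc/provider/%s/authorize?response_type=code&client_id=%s&scope=openid&redirect_uri=%s&state=%s&nonce=%s' \
    "$VAULT_ADDR" "$1" "$(urlencode "$2")" "$(urlencode "$3")" \
    "$(urlencode "$4")" "$(urlencode "$5")"
}

run_demo() {
  # 1. An auth method the human logs in with. Logins through it are tied to
  #    an entity alias keyed by (mount accessor, username).
  vault auth enable userpass
  vault write auth/userpass/users/samy password=correct-horse
  accessor=$(vault read -field=accessor sys/auth/userpass)

  # 2. Pre-create the entity and its alias so the first login maps to THIS
  #    entity. Without the alias Vault would auto-create a new entity instead.
  entity_id=$(vault write -field=id identity/entity name=samy-entity metadata=email=samy@example.com)
  vault write identity/entity-alias name=samy canonical_id="$entity_id" mount_accessor="$accessor"

  # 3. The OIDC provider objects: key, assignment, client, scope, provider.
  vault write identity/oidc/key/test-key allowed_client_ids='*' algorithm=RS256
  vault write identity/oidc/assignment/test-assignment entity_ids="$entity_id"
  vault write identity/oidc/client/test-client key=test-key \
    redirect_uris=http://localhost:41330/callback assignments=test-assignment \
    id_token_ttl=24h access_token_ttl=24h
  vault write identity/oidc/scope/groups template='{"groups": {{identity.entity.groups.names}}}'
  client_id=$(vault read -field=client_id identity/oidc/client/test-client)
  client_secret=$(vault read -field=client_secret identity/oidc/client/test-client)
  vault write identity/oidc/provider/test-provider allowed_client_ids="$client_id" scopes_supported=groups

  # 4. Log in as the user. This token, unlike the root token, has an entity_id.
  user_token=$(vault login -no-store -field=token -method=userpass username=samy password=correct-horse)
  VAULT_TOKEN="$user_token" vault token lookup | grep entity_id

  # 5. /authorize with the user's token returns the authorization code...
  code=$(VAULT_TOKEN="$user_token" vault write -field=code \
    identity/oidc/provider/test-provider/authorize \
    client_id="$client_id" scope=openid response_type=code \
    redirect_uri=http://localhost:41330/callback state=abcdefg nonce=hijklmn)

  # 6. ...which the relying party exchanges at /token using its client
  #    credentials (HTTP basic auth); no Vault token is needed here.
  curl -sS -u "$client_id:$client_secret" \
    -d grant_type=authorization_code -d "code=$code" \
    -d redirect_uri=http://localhost:41330/callback \
    "$VAULT_ADDR/v1/identity/oidc/provider/test-provider/token"
  echo
  echo "Browser form of step 5: $(authorize_url test-provider "$client_id" http://localhost:41330/callback abcdefg hijklmn)"
}

if [ "${RUN_VAULT_DEMO:-0}" = 1 ]; then
  run_demo
fi
```

Run it against a dev server with `VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=<root> RUN_VAULT_DEMO=1 sh demo.sh`. The `vault token lookup` in step 4 is the check to make when the "identity entity must be associated with the request" error appears: a token whose lookup shows no `entity_id` (the root token, or a token from an auth method with no alias yet created) cannot call /authorize, whatever headers or parameters you add.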