Hello everyone,
I’m currently integrating Keycloak IDP with Vault, using the OIDC and JWT authentication methods in my local lab.
When using the OIDC method, everything works perfectly: I can authenticate and my users gain access to a dedicated secret engine based on their Keycloak group membership. However, with the JWT authentication method, authentication works fine but the policies are not applied, as if Vault was ignoring the groups claim.
Here is my JWT access token content:
{
  "exp": 1721745722,
  "iat": 1721745422,
  "jti": "42bff936-7380-42af-b2b6-a038050d8d30",
  "iss": "http://<keycloak>/realms/projects",
  "aud": "account",
  "sub": "a9bb0f89-87a9-4af9-b125-4a8fd15f2ed4",
  "typ": "Bearer",
  "azp": "vault-oidc",
  "session_state": "538a0b30-5976-4c23-b14c-8f161b80c372",
  "acr": "1",
  "allowed-origins": ["http://<vault>"],
  "realm_access": {
    "roles": ["default-roles-clients", "offline_access", "uma_authorization"]
  },
  "resource_access": {
    "account": {
      "roles": ["manage-account", "manage-account-links", "view-profile"]
    }
  },
  "scope": "openid profile email",
  "sid": "538a0b30-5976-4c23-b14c-8f161b80c372",
  "email_verified": true,
  "name": "service supermario",
  "groups": [
    "/supermario",
    "/supermario/users",
    "default-roles-clients",
    "offline_access",
    "uma_authorization",
    "default-roles-clients",
    "offline_access",
    "uma_authorization"
  ],
  "preferred_username": "svc-supermario",
  "given_name": "service",
  "family_name": "supermario",
  "email": "svc-supermario@supermario.com"
}
I tried two Vault roles for JWT:
{
  "role_type": "jwt",
  "user_claim": "sub",
  "groups_claim": "groups",
  "bound_audiences": "account",
  "bound_claims": { "iss": ["http://<keycloak>/realms/projects"] }
}
and
{
  "role_type": "jwt",
  "user_claim": "sub",
  "groups_claim": "groups",
  "bound_audiences": "account",
  "claim_mappings": {
    "/groups/1": "group"
  },
  "bound_claims": { "iss": ["http://<keycloak>/realms/projects"] }
}
Upon successful authentication, the Vault token returned looks like this:
{
  "request_id": "a33e27d3-a685-414c-0f3e-a49c1c33aba9",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIIHHj0Vyz1ABOVPTdzw-iYdpTpPJQNMZXRoOEx0tzDs0Gh4KHGh2cy5BcW9Caml1TVhiRWQxYJrbjRHR1JMZ2E",
    "accessor": "zexjHrPMFYKTGAhhUdoZ9sCh",
    "policies": ["default"],
    "token_policies": ["default"],
    "metadata": {
      "group": "/supermario/users",
      "role": "default"
    },
    "lease_duration": 2764800,
    "renewable": true,
    "entity_id": "74b1e231-cd73-2db5-4b9e-f4d23461daa7",
    "token_type": "service",
    "orphan": true,
    "mfa_requirement": null,
    "num_uses": 0
  },
  "mount_type": ""
}
I’d like the group claim in the JWT to be mapped to the corresponding group in Vault, just like OIDC.
Thanks in advance!
Keycloak version: 24.0.5
Vault version: 1.17.2
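The role in the post reads the groups claim with groups_claim and claim_mappings, and the token metadata ("group": "/supermario/users") shows the claim is being read; the remaining question is what Vault does with those group names. The following is an added example, not Vault's own code and not the poster's configuration: a Python model of the documented JWT role checks (bound_audiences, bound_claims, user_claim, groups_claim as a claim name or JSON pointer, claim_mappings) that returns the group alias names Vault would then try to match against external identity groups on the auth mount's accessor. The payload and role are constructed from the post's values; the role name "default" is assumed from the token metadata.

```python
"""Model of how a Vault JWT role turns a decoded token into login data.

Added example, not Vault's implementation. It covers only the documented
role behaviour relevant to the post: user_claim / groups_claim may be a
claim name or a JSON pointer ("/groups/1"), bound_audiences must
intersect aud, bound_claims must match, and claim_mappings fill the
token metadata. The group names it returns are what Vault looks up as
group aliases on the JWT mount's accessor; with no external identity
group carrying such an alias, only the default policy is attached.
"""
import json

# Constructed sample: the decoded payload from the post, trimmed to the
# claims the role reads (iss, aud, sub, groups).
TOKEN_PAYLOAD = {
    "iss": "http://<keycloak>/realms/projects",
    "aud": "account",
    "sub": "a9bb0f89-87a9-4af9-b125-4a8fd15f2ed4",
    "groups": ["/supermario", "/supermario/users",
               "default-roles-clients", "offline_access", "uma_authorization"],
}

# Constructed role, modelled on the second role in the post; the name
# "default" is assumed from the "role" entry in the token metadata.
ROLE = {
    "name": "default",
    "role_type": "jwt",
    "user_claim": "sub",
    "groups_claim": "groups",
    "bound_audiences": "account",
    "claim_mappings": {"/groups/1": "group"},
    "bound_claims": {"iss": ["http://<keycloak>/realms/projects"]},
}


def resolve_claim(payload, claim):
    """Fetch a claim by top-level name, or by RFC 6901 JSON pointer when
    it starts with '/', e.g. "/groups/1" or "/realm_access/roles"."""
    if not claim.startswith("/"):
        return payload.get(claim)
    node = payload
    for raw in claim.split("/")[1:]:
        part = raw.replace("~1", "/").replace("~0", "~")
        try:
            if isinstance(node, list):
                node = node[int(part)]
            elif isinstance(node, dict):
                node = node[part]
            else:
                return None
        except (KeyError, IndexError, ValueError):
            return None
    return node


def _as_list(value):
    return value if isinstance(value, list) else [value]


def login(payload, role):
    """Apply the role's checks and return what Vault carries into the
    identity system: the entity alias, the group alias names it will try
    to match, and the token metadata. Raises ValueError on rejection."""
    wanted = set(_as_list(role.get("bound_audiences", [])))
    if not wanted & set(_as_list(payload.get("aud"))):
        raise ValueError("aud claim does not match bound_audiences")
    for claim, allowed in role.get("bound_claims", {}).items():
        if resolve_claim(payload, claim) not in _as_list(allowed):
            raise ValueError(f"bound claim {claim!r} does not match")
    user = resolve_claim(payload, role["user_claim"])
    if not isinstance(user, str) or not user:
        raise ValueError("user_claim is missing or not a non-empty string")
    groups = resolve_claim(payload, role["groups_claim"])
    if groups is None:
        groups = []
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups_claim must resolve to a list of strings")
    metadata = {"role": role["name"]}
    for claim, key in role.get("claim_mappings", {}).items():
        value = resolve_claim(payload, claim)
        if value is not None:
            metadata[key] = str(value)
    return {
        "entity_alias": user,
        "group_aliases": sorted(set(groups)),  # one alias lookup per distinct name
        "metadata": metadata,
    }


def login_error(payload, role):
    """Return the rejection reason, or None when the login would succeed."""
    try:
        login(payload, role)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(json.dumps(login(TOKEN_PAYLOAD, ROLE), indent=2))
```

Each name in group_aliases has to exist as a group alias bound to the JWT mount's own accessor (shown by vault auth list; existing aliases can be enumerated with vault list identity/group-alias/id) before any policy beyond default is attached. Aliases created for the OIDC mount do not apply to a separate JWT mount, because every auth mount has its own accessor.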