Jwt authentication

Dear Vault community,

I am trying to integrate our vault test environment with a test keycloak installation. My goal is to authenticate to vault using a keycloak jwt token. I am not an expert on jwt authentication in general hence I may have had things mixed…

Steps to setup the environment below:

Create keycloak client

Enable jwt authentication in vault

vault auth enable -path=kc jwt

Setup the jwt auth method

vault write auth/kc/config \
    oidc_discovery_url="https://auth-tds.mydomain.local/auth/realms/xxx" \
    oidc_client_id="poc_auth" \
    oidc_client_secret="mysecret" \
    default_role="test"

Authenticate to keycloak to get token. Inspect the token for the sub, aud fields

Setup vault role

vault write auth/kc/role/test \
    role_type=jwt \
    bound_subject="97516847-fd75-4220-9d9c-0da0707f2200" \
    bound_audiences="account" \
    user_claim="aud" \
    policies="my-test-policy" \
    ttl=1h

Authenticate against vault using the keycloak jwt token generated in the previous step

vault write auth/kc/login role=test jwt=...

This last step gives me the following output:

Error writing data to auth/kc/login: Error making API request.

URL: PUT https://my-vault.local/v1/auth/kc/login
Code: 500. Errors:

* unhandled case during login

I would appreciate any insight into what I am doing wrong and how to move forward and be able to authenticate to vault using my keycloak jwt token.

thank you

You seem to be mixing OIDC and JWT based logins with your config. Most other KeyCloak configs discussed in the forums here appear to be of the OIDC type.

Not sure if you’ve searched for similar issues but this thread might provide some insight for you: Error Authenticating: Unable to authorize role OIDC - #4 by martinhristov90

yes, you are right, the jwt authentication method configuration was simpler than what I was doing:

this worked for me

vault write auth/kc/config \
    oidc_discovery_url="https://auth-tds.mydomain.local/auth/realms/xxx" \
    bound_issuer="https://auth-tds.mydomain.local/auth/realms/xxx" \
    default_role="test"
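The thread's "inspect the token for the sub, aud fields" step and the role binding (bound_issuer, bound_subject, bound_audiences, user_claim) map to checks Vault runs server-side before issuing a token. The script below is an added example, not Vault's or Keycloak's code: it decodes a JWT, verifies its signature, and applies those same bindings so you can see which one would reject a token before running `vault write auth/kc/login`. It assumes a constructed HS256 key so it runs offline (a real Keycloak token is RS256-signed and Vault verifies it against the realm's JWKS obtained via oidc_discovery_url), and it sets user_claim to `preferred_username` rather than the thread's `aud`, since Vault uses that claim value as the entity alias name and it should be a single string.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Role binding constructed to mirror the role in the thread.
# user_claim is an assumption: a string claim Keycloak places in access tokens.
ROLE = {
    "bound_issuer": "https://auth-tds.mydomain.local/auth/realms/xxx",
    "bound_subject": "97516847-fd75-4220-9d9c-0da0707f2200",
    "bound_audiences": ["account"],
    "user_claim": "preferred_username",
}

KEY = b"constructed-demo-hmac-key"  # constructed; stands in for the realm's signing key


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed JWT (HS256, for the offline demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_token(token: str) -> Tuple[dict, dict]:
    """Decode header and claims WITHOUT verifying; this is the 'inspect' step."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the signature; refuse any alg other than the one we expect."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def check_role_binding(claims: dict, role: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply the same bindings the Vault role declares; return (ok, detail)."""
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    if claims.get("iss") != role["bound_issuer"]:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        return False, f"subject mismatch: {claims.get('sub')!r}"
    # aud may be a string or a list; at least one value must be bound.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if role.get("bound_audiences") and not set(aud) & set(role["bound_audiences"]):
        return False, f"no audience in {aud} matches {role['bound_audiences']}"
    user = claims.get(role["user_claim"])
    if not isinstance(user, str):
        return False, f"user_claim {role['user_claim']!r} missing or not a string"
    return True, user


# Constructed claims shaped like a Keycloak access token for the role above.
GOOD_CLAIMS = {
    "iss": ROLE["bound_issuer"],
    "sub": ROLE["bound_subject"],
    "aud": ["account"],
    "preferred_username": "alice",
    "exp": 4102444800,  # constructed far-future expiry
}


def demo() -> Tuple[bool, str]:
    token = make_hs256_token(GOOD_CLAIMS, KEY)
    header, claims = inspect_token(token)
    print("alg:", header["alg"], "| sub:", claims["sub"], "| aud:", claims["aud"])
    if not verify_hs256(token, KEY):
        return False, "bad signature"
    return check_role_binding(claims, ROLE)


if __name__ == "__main__":
    print(demo())
```

Swapping `aud` to a value other than `account`, or the issuer to another realm URL, makes `check_role_binding` report the specific mismatch, which is more actionable than Vault's generic 500 when the auth method itself is misconfigured.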