Manage groups for OIDC authentication

Hello community, I’m starting with Vault and need some explanation of the groups feature.

I have configured the OIDC authentication with Keycloak. With that I have created 2 roles (admin and reader), then in Vault I created 2 groups with the same names for the aliases.

A new entity was added when I logged in; it took the role defined in Keycloak (admin takes the admin role in Vault), but when I inspected the entity there was no role attributed. Same for the groups: no members were added to the groups.

Is it normal that nothing was specified for the entity?



I would expect the members of a particular Identity Group to be populated after that member has logged in, at least that’s how it works with other OIDC systems in my experience.

Are you able to inspect an OIDC/JWT token being returned from Keycloak or generate an example claim? That might help narrow down the cause.

Also, I noticed the Token Claim Name uses dots instead of slashes as defined in Vault. I would assume you’d want those to be the same (i.e. Vault would be configured with groups_claim = resource_access.vault.roles). Is that expected in this case?

I think it is correct with slashes in Vault; when I replace the slashes with dots, I get an authentication error.

And the token is like this:

Got it, that makes sense now. Thanks for providing the additional screenshots, those are helpful and I would agree your config there looks to be correct as far as I can tell.

Can you provide a little more info around the groups and aliases? The alias is the component I’m more interested in. Does it have the correct accessor associated with it? And the name of the aliases matches “reader” or “admin” (all lower case as per your examples), correct?

How are you applying policy? Is that attached to the role or to the Identity Group? If it’s attached to the Identity Group are the group/role members getting the attached policy when they log in?

Also, what are you using for the user_claim on your OIDC role? I’m assuming you’re using email address or something similarly individual specific, is that accurate?

I have created a group admin and given it the admin role. Same for the read group. With that I have mapped the admin account (Keycloak) to the admin policies (Vault), and the read account to the read policies.

Aliases take the names of the Keycloak roles.


And yes, I use email in user_claim
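The points raised in the thread (slash vs. dot form of groups_claim, alias names matching the Keycloak role values, and the alias being bound to the right auth accessor) can be checked together in a small model of how an OIDC login resolves external-group membership. This is an added example, not Vault’s code and not from any poster; the claim payload, accessor string and group records are constructed, and the function only models the matching rules, it does not call Vault.

```python
# Constructed sample: the decoded payload of a Keycloak access token, shaped
# like the one discussed in the thread (all values made up for this example).
SAMPLE_CLAIMS = {
    "email": "alice@example.com",
    "resource_access": {"vault": {"roles": ["admin"]}},
}

# Constructed Vault-side state: the OIDC mount accessor and two *external*
# identity groups whose aliases are named after the Keycloak roles.
OIDC_ACCESSOR = "auth_oidc_0000example"  # placeholder accessor, not a real one
GROUPS = [
    {"name": "admin", "type": "external",
     "alias": {"name": "admin", "mount_accessor": OIDC_ACCESSOR}},
    {"name": "reader", "type": "external",
     "alias": {"name": "reader", "mount_accessor": OIDC_ACCESSOR}},
]


def resolve_claim(claims, path):
    """Look up groups_claim the way Vault accepts it: either a top-level key,
    or a JSON-pointer style path with slashes ('/a/b/c') for nested keys.
    A dotted name such as 'a.b.c' is just a literal key and is not found."""
    if path.startswith("/"):
        node = claims
        for part in path.strip("/").split("/"):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node
    return claims.get(path)


def resolve_groups(claims, groups_claim, accessor, groups):
    """Return the names of identity groups this login would be placed in.
    The claim value must be a list of strings; each string is compared
    (case-sensitively) with the alias name of an external group whose alias
    is bound to the accessor of the auth mount that performed the login."""
    values = resolve_claim(claims, groups_claim)
    if not isinstance(values, list):
        return []  # Vault itself reports a login error when the claim is missing
    matched = []
    for group in groups:
        alias = group.get("alias")
        if group.get("type") != "external" or alias is None:
            continue
        if alias["mount_accessor"] == accessor and alias["name"] in values:
            matched.append(group["name"])
    return matched
```

Running the slash form against the sample yields ["admin"], while the dotted form, a mismatched accessor, an internal group, or an alias whose case differs from the claim value all yield no membership.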