MFA with OIDC auth - configuration of .../authorization.oauth2?acr_values=xxyyzz

Using Vault version 1.6.1

The following is configured:
config:

vault read auth/oidc/config
Key                       Value
---                       -----
bound_issuer              n/a
default_role              nothing
jwks_ca_pem               n/a
jwks_url                  n/a
jwt_supported_algs        []
jwt_validation_pubkeys    []
namespace_in_state        true
oidc_client_id            xyzxyzxyz
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://sso.company.com
oidc_response_mode        n/a
oidc_response_types       []
provider_config           map[]

role

vault read auth/oidc/role/nothing
Key                        Value
---                        -----
allowed_redirect_uris      [https://test.service.vault-test.local.net/ui/vault/auth/oidc/oidc/callback]
bound_audiences            <nil>
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               n/a
not_before_leeway          0
oidc_scopes                <nil>
policies                   [nothing]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [nothing]
token_ttl                  0s
token_type                 default
user_claim                 sub
verbose_oidc_logging       false

OIDC login is working as expected.

Now I want to configure MFA (multi-factor auth), which should be done just by appending “acr_values=…” to the OAuth 2.0 Authorization URL like this:
https://sso.company.com/as/authorization.oauth2?acr_values=SomeSpecificValue

How can I achieve this?

I did not find a possibility to configure this in a specific way.
I found no configuration option for the OAuth 2.0 Authorization endpoint.
Maybe this can be done via “provider_config”? And what would the syntax be?

Anybody out here who can help?

After quite some digging with my limited Go knowledge through the Vault and hashicorp/cap sources, I came to the conclusion that this might not be supported yet, although some parts to allow defining ACR values are already in place.

Vault uses the hashicorp/cap Go module for handling all the OIDC-related details.

oidc.Request has an ACRValues() attribute:

  // ACRValues() optionally specifies the acr values that the Authorization
  // Server is being requested to use for processing this Authentication
  // Request, with the values appearing in order of preference.
  //
  // NOTE: Requested acr_values are not verified by the Provider.Exchange(...)
  // or Provider.VerifyIDToken() functions, since the request/return values
  // are determined by the provider's implementation. You'll need to verify
  // the claims returned yourself based on values provided by you OIDC
  // Provider's documentation.
  //
  // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
  ACRValues() []string

The oidc.Provider implementation clearly shows what happens with provided ACRValues - they’ll get appended to the authorization URL:

	if len(oidcRequest.ACRValues()) > 0 {
		authCodeOpts = append(authCodeOpts, oauth2.SetAuthURLParam("acr_values", strings.Join(oidcRequest.ACRValues(), " ")))
	}

While I first assumed it would be just about Vault itself providing ACRValues to the instantiated oidc.Request object, it seems to be a little more complicated, as Vault doesn’t use hashicorp/cap directly, but does so indirectly via vault-plugin-auth-jwt.

But vault-plugin-auth-jwt is responsible for handling the provider_config through a map[string]interface{} pattern.

The actual instantiation of the oidc.Request happens in path_oidc.go, to which options are passed, which are used in oidc.Request to set ACRValues.

AFAICT the following would have to be done:

  • add a “generic” provider to ProviderMap, as my understanding is that provider_config can only be processed when there’s a corresponding custom provider.
  • add an acr_values field to the “generic” custom provider’s fields, which is then part of the provider_config in pathConfig
  • append ACRValues to options in createOIDCRequest by pulling it from config.ProviderConfig if present
  • write tests

So far so good - can anyone with more Go/Vault/OIDC knowledge confirm whether I’m roughly right on this?
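To make the proposed steps concrete, here is an added example (not code from Vault, vault-plugin-auth-jwt or hashicorp/cap) of the two pieces the plugin would need: pulling a hypothetical `acr_values` key out of the provider_config map, and appending it to the authorization URL the way cap does (space-joined `acr_values` parameter). It also includes the check cap's doc comment says is left to the caller: comparing the `acr` claim of the returned ID token against what was requested before issuing a Vault token. The `acr_values` key, the function names and the hand-built URL are assumptions for illustration; only the standard library is used.

```go
package main
import (
	"fmt"
	"net/url"
	"strings"
)

// acrValuesFromProviderConfig reads the hypothetical "acr_values" key (space-separated
// string) from provider_config, as the proposed "generic" provider would; absent key = none.
func acrValuesFromProviderConfig(cfg map[string]interface{}) ([]string, error) {
	raw, ok := cfg["acr_values"]
	if !ok {
		return nil, nil
	}
	s, ok := raw.(string)
	if !ok {
		return nil, fmt.Errorf("acr_values must be a string, got %T", raw)
	}
	return strings.Fields(s), nil
}

// authCodeURL mirrors what cap does with ACRValues(): join them with a space and
// append them as the acr_values query parameter of the authorization endpoint.
func authCodeURL(authEndpoint, clientID, redirectURI string, acr []string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	if len(acr) > 0 {
		q.Set("acr_values", strings.Join(acr, " "))
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// acrSatisfied checks the ID token's "acr" claim against the requested values; cap does
// not verify acr_values in Exchange/VerifyIDToken, so the login path must do it itself.
func acrSatisfied(claims map[string]interface{}, requested []string) bool {
	got, _ := claims["acr"].(string)
	for _, want := range requested {
		if got == want {
			return true
		}
	}
	return false
}
```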

We did not find a solution going this way, but got a solution via the OIDC provider now.