OAuth 2.0 Authorisation with Vault

We have a requirement where we would like to use HashiCorp Vault as an Authorisation Server to provide and validate OAuth 2.0 (bearer) tokens.

Does Vault provide any auth APIs to perform this?

Hi,

The closest thing built into Vault is probably Identity tokens. If a user/application authenticates to Vault, they can request an Identity token (https://www.vaultproject.io/docs/secrets/identity/index.html#identity-tokens), which is a time-bound JWT that has some templating capabilities. These tokens can be verified independently by a resource server using Vault’s public keys, or by asking Vault to verify them via the introspection endpoint (OAuth compliant).

Jim

Thanks for the response Jim.

You have mentioned - “Vault to verify them via the introspection endpoint (OAuth compliant).”

Does Vault provide OAuth2 compliant introspection endpoints?

Hi,

Yes, that could have been clearer. Identity token introspection complies with https://tools.ietf.org/html/rfc7662.

Regards,
Jim