A noob question. Does authenticating with the vault using the OIDC from my app allow me to fetch a vault token that can be used to fetch secrets?
What I noticed is that the token I get through the OIDC flow is missing the policies, while if I log in to the vault directly using the same auth method I have the correct token.
For example:
The token I get through the OIDC auth flow:
```
vault token lookup hvb.AAAAAQIIT5aVa6mPX_CtY2vFWYn84CKLViM00Rt-SKFqyRM3be8RQwdDncoKGxvlRdSl7EZDG794oH4ZLwuDwP8GCfx5XQR7zDYNp-r8ikeUPxaBmsgEUKVS_kJO1vZaC3uLCZCJ7sKgZMVOqnwiksk-yl2q_BP_Vkd94dgNWKeVU_aZB5FHacHTgxdV0N7KL6Ya7FV45dVjZoo9vyM68udR4YpAdUbv55nq-_ZzNyIONwT3Ymk1VIeY3DYV6jO1DsQO59yPxqxO_HmuMG2KqnLS3ddsjThy-f-Q0kXf4ZBEYsXhHj5GJqi2qcOEYsMrqbhNIVBVNPSj20loZdv3-ArlWnC-5AYzeIeyOZ-R37z-dUDubVw3bkLcUET15MGeAm-iKhA4bCgPJuepxa2S72fA_WH2Zmh5YIoDH5HG
Key                 Value
---                 -----
accessor            n/a
creation_time       1696933650
creation_ttl        24h
display_name        n/a
entity_id           0c32a1c0-145b-1455-4af6-929cd50d4672
expire_time         2023-10-11T10:27:30Z
explicit_max_ttl    0s
id                  hvb.AAAAAQIIT5aVa6mPX_CtY2vFWYn84CKLViM00Rt-SKFqyRM3be8RQwdDncoKGxvlRdSl7EZDG794oH4ZLwuDwP8GCfx5XQR7zDYNp-r8ikeUPxaBmsgEUKVS_kJO1vZaC3uLCZCJ7sKgZMVOqnwiksk-yl2q_BP_Vkd94dgNWKeVU_aZB5FHacHTgxdV0N7KL6Ya7FV45dVjZoo9vyM68udR4YpAdUbv55nq-_ZzNyIONwT3Ymk1VIeY3DYV6jO1DsQO59yPxqxO_HmuMG2KqnLS3ddsjThy-f-Q0kXf4ZBEYsXhHj5GJqi2qcOEYsMrqbhNIVBVNPSj20loZdv3-ArlWnC-5AYzeIeyOZ-R37z-dUDubVw3bkLcUET15MGeAm-iKhA4bCgPJuepxa2S72fA_WH2Zmh5YIoDH5HG
issue_time          2023-10-10T10:27:30Z
meta                map[oidc_token_type:access token]
num_uses            0
orphan              true
path                oidc/provider/coder/token
policies            <nil>
renewable           false
ttl                 22h49m30s
type                batch
```
The token by logging into the vault Web UI using the same Google account:
```
vault token lookup hvs.CAESIPq6rRFj4BiEm0RsjTC8fg9ztj1SrlCi4gwOB9bzdYSzGh4KHGh2cy5zMWNmU3J0bzJhVm9hNldPVWg4YXFFSzk
Key                            Value
---                            -----
accessor                       rgmObW1pgxtKNF8ZcIVgMB3D
creation_time                  1696875781
creation_ttl                   24h
display_name                   oidc-REDACTED
entity_id                      0c32a1c0-145b-1455-4af6-929cd50d4672
expire_time                    2023-10-10T18:23:01.80987704Z
explicit_max_ttl               0s
external_namespace_policies    map[]
id                             hvs.CAESIPq6rRFj4BiEm0RsjTC8fg9ztj1SrlCi4gwOB9bzdYSzGh4KHGh2cy5zMWNmU3J0bzJhVm9hNldPVWg4YXFFSzk
identity_policies              [default google vault-admins]
issue_time                     2023-10-09T18:23:01.809886628Z
meta                           map[email:REDACTED name:REDACTED role:google sub:REDACTED]
num_uses                       0
orphan                         true
path                           auth/oidc/oidc/callback
policies                       [default google]
renewable                      true
ttl                            6h44m29s
type                           service
```
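
An added example, not part of the original post: a small Python helper that parses two `vault token lookup` tables and reports the fields that separate the two tokens above. The sample input is constructed from the post's output (abridged), and the function names and the `auth/` path heuristic are assumptions made for this illustration.

```python
# Constructed sample input: the two lookups from the post, abridged
# (token ids, timestamps and redacted metadata left out).
APP_FLOW = """\
Key          Value
---          -----
entity_id    0c32a1c0-145b-1455-4af6-929cd50d4672
path         oidc/provider/coder/token
policies     <nil>
renewable    false
type         batch
"""
UI_LOGIN = """\
Key                  Value
---                  -----
entity_id            0c32a1c0-145b-1455-4af6-929cd50d4672
identity_policies    [default google vault-admins]
path                 auth/oidc/oidc/callback
policies             [default google]
renewable            true
type                 service
"""

def parse_lookup(text):
    """Parse the Key/Value table printed by `vault token lookup`."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] not in ("Key", "---"):
            fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields

def as_list(value):
    """'[a b]' -> ['a', 'b']; '<nil>', '[]' or a missing field -> []."""
    return [] if value in (None, "", "<nil>") else value.strip("[]").split()

def effective_policies(fields):
    """Union of the token's own policies and its identity policies."""
    return sorted(set(as_list(fields.get("policies")))
                  | set(as_list(fields.get("identity_policies"))))

def differences(a, b, keys=("entity_id", "path", "type", "renewable")):
    """Fields whose values differ between two parsed lookups."""
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def findings(fields):
    """Reasons a token is unlikely to read secrets (heuristics from the post)."""
    out = []
    if not effective_policies(fields):
        out.append("no policies attached")
    if not fields.get("path", "").startswith("auth/"):  # assumed heuristic
        out.append("not issued by an auth mount: " + fields.get("path", "?"))
    return out
```

On the two lookups above, both tokens map to the same `entity_id`, but only the Web UI token was issued under an `auth/` path and carries policies.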