OIDC bound_claims not working if nested JSON

I am authenticating users to vault using the OIDC method…so far that works. Now I want to limit login permissions to certain groups and I tried using bound_claims for that. Problem is that it only works if bound_claims is a flat string, but not if bound_claims is itself JSON. The returned JSON object looks something like this:

"access": {
  "vault": {
    "roles": ["somerole"]
  }
}

The OIDC role config allows me to set this as a bound_claim which made me think it should work. But on login Vault does not match on the JSON, it always treats the value as a string or a list, even if vault read auth/oidc/role/somerole parses the JSON correctly as maps.

Do I have to customize my IDP so it does not return JSON in the claim or is there a way to make Vault parse the data?

Thanks!

Hi,

Not sure if you still need this, but for others who might be looking for the same answer:

If you check out the source code of Vault you will find that bound_claims supports JSON Pointer, so you need to set up your claims something like the following:

"bound_claims": {
  "/access/vault/roles": "somerole"
}
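As an added illustration (not code from this thread or from Vault itself), the Python below re-implements the matching behaviour the answer describes: each bound_claims key is resolved as a JSON Pointer into the nested claims, and the login is allowed only when the expected value (a string or a list of allowed values) intersects the actual claim value (a string or a list). SAMPLE_CLAIMS is a constructed token payload shaped like the one in the question; Vault's glob matching mode (bound_claims_type) is left out for brevity.

```python
import json
from typing import Any, Dict, List

# Constructed sample ID-token claims shaped like the question's payload
# (not a real token; "reader" is added to show list matching).
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "alice",
  "access": {"vault": {"roles": ["somerole", "reader"]}}
}
""")


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """Resolve an RFC 6901 JSON Pointer such as "/access/vault/roles".

    A bare key with no leading "/" is treated as a top-level claim
    (this mirrors how Vault treats "sub" vs "/access/vault/roles").
    Returns None when any step of the path is missing.
    """
    if not pointer.startswith("/"):
        pointer = "/" + pointer
    cur = doc
    for raw in pointer.split("/")[1:]:
        token = raw.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        if isinstance(cur, dict):
            if token not in cur:
                return None
            cur = cur[token]
        elif isinstance(cur, list) and token.isdigit() and int(token) < len(cur):
            cur = cur[int(token)]
        else:
            return None
    return cur


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def bound_claims_match(claims: Dict[str, Any], bound_claims: Dict[str, Any]) -> bool:
    """Every bound claim must match: the expected value (scalar or list of
    allowed values) must share at least one element with the actual claim
    value (scalar or list). A missing claim never satisfies a bound claim."""
    for path, expected in bound_claims.items():
        actual = resolve_pointer(claims, path)
        if actual is None:
            return False
        if not any(a == e for a in _as_list(actual) for e in _as_list(expected)):
            return False
    return True
```

With the question's original config, a key of "access" resolves to the whole nested object, which is compared as a single value and never equals "somerole"; the pointer form "/access/vault/roles" is what reaches the list.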