I am using Duo OIDC to authenticate to Vault. It all seemed to be working fine, but I rebuilt the server with the same settings and now the email on the OIDC flow defaults to “None”. Before, this had automatically filled in the user’s email address from Duo. As far as I can tell, the configuration looks to be the same as it was before when it was working.
I can fill in the email and use the auth method just fine, but it was much easier when it auto-populated the email for me. Does anyone know how Vault finds this piece of information and passes it to the OIDC flow?
My Vault OIDC Role config looks like this
Key Value
--- -----
allowed_redirect_uris [https://vault-3.local:8200/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback https://vault.local:8200/ui/vault/auth/oidc/oidc/callback https://vault-1.local:8200/ui/vault/auth/oidc/oidc/callback https://vault-2.local:8200/ui/vault/auth/oidc/oidc/callback]
bound_audiences []
bound_claims map[]
bound_claims_type string
bound_subject n/a
claim_mappings <nil>
clock_skew_leeway 0
expiration_leeway 0
groups_claim email
max_age 0
not_before_leeway 0
oidc_scopes [openid profile email]
role_type oidc
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [default]
token_ttl 0s
token_type default
user_claim email
user_claim_json_pointer false
verbose_oidc_logging true
And this is what it looks like when I try to sign in with Duo
I’ve tried tweaking some of the mappings in Duo, but that didn’t seem to help. I am basically just using the “Username” attribute for everything. In the logs I can see the username and email coming through in the token just fine. It seems that Vault just isn’t recognizing that the email is an email address, perhaps. I also downgraded from Vault 1.12.0 to the version before that, but it didn’t seem to make a difference.
Here is a sanitized version of the token returned by Duo:
claims={
  "Username": "<my username>",
  "at_hash": "<redacted>",
  "aud": "<redacted>",
  "auth_time": 1666633849,
  "email": "<my email>",
  "exp": 1666634153,
  "iat": 1666633853,
  "iss": "https://sso-<redacted>.sso.duosecurity.com/oidc/<my duo endpoint>",
  "sub": "<redacted>",
  "user": "<my username>"
}
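The post asks where Vault gets the user's email from and what it does with it. The following is an added example, not the original poster's code and not Vault's own implementation: a small model of how a Vault JWT/OIDC role turns ID-token claims into a login result, applied to the role shown above (user_claim email, groups_claim email, claim_mappings nil) and to a claim set constructed from the sanitized Duo token. It follows Vault's documented rules: user_claim names the entity alias, groups_claim names the group aliases, claim_mappings copies token claims into alias metadata, and bound_claims / bound_audiences are enforced before the alias is created. Treating a scalar groups_claim value as a one-element list is an assumption (the docs say the claim must be a list of strings); the second role, which adds claim_mappings, is an assumed configuration to contrast with the posted one.

```python
"""Model of Vault OIDC role claim handling (added example, not Vault's code).

Applies a role's user_claim / groups_claim / claim_mappings / bound_claims /
bound_audiences to a set of ID-token claims and returns what the login would
produce: the entity alias name, the group alias names and the alias metadata.
"""
import json

# Constructed claim set shaped like the sanitized Duo token in the post.
# All values are placeholders, not real identifiers.
DUO_CLAIMS = {
    "Username": "alice",
    "at_hash": "redacted",
    "aud": "vault-client-id",
    "auth_time": 1666633849,
    "email": "alice@example.com",
    "exp": 1666634153,
    "iat": 1666633853,
    "iss": "https://sso-redacted.sso.duosecurity.com/oidc/redacted",
    "sub": "duo-subject-id",
    "user": "alice",
}

# The role as posted: claim_mappings <nil>, bound_claims map[], bound_audiences [].
ROLE_AS_POSTED = {
    "user_claim": "email",
    "groups_claim": "email",
    "claim_mappings": {},
    "bound_claims": {},
    "bound_audiences": [],
}

# Assumed variant (not from the post): carry email and Username into alias metadata.
ROLE_WITH_MAPPINGS = dict(
    ROLE_AS_POSTED, claim_mappings={"email": "email", "Username": "username"}
)


class LoginRejected(Exception):
    """Raised where Vault would refuse the login."""


def _as_list(value):
    # Assumption: a scalar claim is accepted as a single-element list.
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, (str, int)):
        return [str(value)]
    raise LoginRejected(f"claim value {value!r} cannot be treated as a list")


def resolve_login(role, claims):
    """Return the alias name, groups and metadata a login with `role` yields."""
    # bound_audiences: if configured, the token's aud must intersect it.
    if role["bound_audiences"]:
        auds = _as_list(claims.get("aud", []))
        if not set(auds) & set(role["bound_audiences"]):
            raise LoginRejected("token aud not in bound_audiences")

    # bound_claims: every listed claim must equal (or be one of) the bound value(s).
    for claim, wanted in role["bound_claims"].items():
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if claims.get(claim) not in allowed:
            raise LoginRejected(f"bound claim {claim!r} does not match")

    # user_claim: becomes the entity alias name; it must be a non-empty string.
    name = claims.get(role["user_claim"])
    if not isinstance(name, str) or not name:
        raise LoginRejected(f"user_claim {role['user_claim']!r} missing or not a string")

    # groups_claim: optional; each value becomes a group alias name.
    groups = []
    if role["groups_claim"]:
        raw = claims.get(role["groups_claim"])
        if raw is None:
            raise LoginRejected(f"groups_claim {role['groups_claim']!r} not in token")
        groups = _as_list(raw)

    # claim_mappings: token claim -> alias metadata key. Nothing else is copied,
    # so with claim_mappings nil the email survives only as the alias name.
    metadata = {}
    for claim, key in role["claim_mappings"].items():
        if claim in claims:
            metadata[key] = str(claims[claim])

    return {"alias_name": name, "groups": groups, "metadata": metadata}


if __name__ == "__main__":
    for label, role in (("as posted", ROLE_AS_POSTED), ("with mappings", ROLE_WITH_MAPPINGS)):
        print(label, json.dumps(resolve_login(role, DUO_CLAIMS), indent=2))
```

Running it shows the difference that matters here: with the posted role the email becomes the alias name (and, because groups_claim is also email, a group alias named after the address), but no metadata is attached; only a claim_mappings entry puts the email into alias metadata where policies or other tooling can read it.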