Oidc json pointer not working for a custom claim where the key is a url

Hi Vault team,

We are connecting Auth0 and Vault using JWT tokens and the OIDC auth provider.

Auth0 enforces custom claims to be namespaced under a URL, so the JWT token will have:

    "https://acme.com/iam": {
        "policy": "foo"
    }

The role in oidc is then configured to use a bound claim to match the jwt token:

    vault write auth/oidc/role/foo -<<EOF
    {
      "allowed_redirect_uris": "http://localhost:8250/oidc/callback,https://vault.acme.comt:443/ui/vault/auth/oidc/oidc/callback",
      "role_type": "oidc",
      "ttl": "1h",
      "user_claim": "sub",
      "bound_audiences": "ailoguydfufgaekmwrhtkwljrth",
      "bound_claims": {
        "/https:~1~1acme.com~1iam/policy": "foo"
      },
      "policies": "foo_policy"
    }
    EOF

We then try to login using the foo role:

    vault login -method=oidc -path=oidc role=foo

and get the following error:

    * error validating claims: claim "/https:~1~1acme.com~1iam/policy" is missing

We have also created another OIDC role that uses a claim that doesn't require a JSON pointer, and it works as expected.

Can you help us understand whether there is some issue with the JSON pointer?

Regards

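To check the pointer escaping independently of Vault, here is an added Go example (not code from the thread or from the vault-plugin-auth-jwt project) that resolves an RFC 6901 JSON pointer against a decoded token and then applies a bound-claims check of the same shape as the role above. The claim set is constructed to mirror the Auth0 token in the post; `ResolvePointer` and `CheckBoundClaims` are hypothetical helpers written for this illustration, not the plugin's own functions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sampleClaims is a constructed claim set shaped like the Auth0 token in the post:
// the custom claim is namespaced under a URL, so its key contains slashes.
const sampleClaims = `{
  "sub": "auth0|123456",
  "aud": "ailoguydfufgaekmwrhtkwljrth",
  "https://acme.com/iam": {"policy": "foo"}
}`

// unescapeToken reverses RFC 6901 escaping for one reference token.
// "~1" becomes "/" and "~0" becomes "~"; the order matters so that "~01" yields "~1".
func unescapeToken(t string) string {
	t = strings.ReplaceAll(t, "~1", "/")
	return strings.ReplaceAll(t, "~0", "~")
}

// ResolvePointer walks a decoded JSON document following an RFC 6901 pointer.
// The pointer is split on "/" first and each token is unescaped afterwards,
// which is exactly why a literal "/" inside a key must be written as "~1".
func ResolvePointer(doc interface{}, pointer string) (interface{}, error) {
	if pointer == "" {
		return doc, nil // the empty pointer refers to the whole document
	}
	if !strings.HasPrefix(pointer, "/") {
		return nil, fmt.Errorf("pointer %q must start with '/'", pointer)
	}
	cur := doc
	for _, raw := range strings.Split(pointer[1:], "/") {
		key := unescapeToken(raw)
		switch node := cur.(type) {
		case map[string]interface{}:
			next, ok := node[key]
			if !ok {
				return nil, fmt.Errorf("key %q not found", key)
			}
			cur = next
		case []interface{}:
			idx, err := strconv.Atoi(key)
			if err != nil || idx < 0 || idx >= len(node) {
				return nil, fmt.Errorf("bad array index %q", key)
			}
			cur = node[idx]
		default:
			return nil, fmt.Errorf("cannot descend into a non-container at %q", key)
		}
	}
	return cur, nil
}

// CheckBoundClaims applies a bound_claims-style check: every pointer in bound must
// resolve inside the token and equal the expected string. It returns the first failure.
func CheckBoundClaims(claimsJSON string, bound map[string]string) error {
	var claims interface{}
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return fmt.Errorf("decoding claims: %w", err)
	}
	for ptr, want := range bound {
		got, err := ResolvePointer(claims, ptr)
		if err != nil {
			return fmt.Errorf("claim %q is missing: %w", ptr, err)
		}
		if s, ok := got.(string); !ok || s != want {
			return fmt.Errorf("claim %q does not match the bound value", ptr)
		}
	}
	return nil
}

func main() {
	escaped := map[string]string{"/https:~1~1acme.com~1iam/policy": "foo"}
	unescaped := map[string]string{"/https://acme.com/iam/policy": "foo"}
	fmt.Println("escaped pointer:  ", CheckBoundClaims(sampleClaims, escaped))
	fmt.Println("unescaped pointer:", CheckBoundClaims(sampleClaims, unescaped))
}
```

Running it shows the escaped pointer from the role resolving to "foo", while the naive unescaped form fails with a "claim ... is missing" error, because the walk splits the key on every "/" and looks for a top-level key named "https:". That matches the reply below in spirit: the pointer syntax in the role is correct, so a "missing" error has to come from the token contents or the mount configuration rather than the pointer.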

Hi. Your json pointer looks correct: https://play.golang.org/p/G5E0sGruZ6H

You might want to check if the JWT you’re getting is definitely what you’re expecting by enabling verbose_oidc_logging, which will dump all received token data to the log.

Also, check the logs for the warning associated with:

	logger.Warn(fmt.Sprintf("unable to locate %s in claims: %s", claim, err.Error()))

If everything looks correct and is still not working, feel free to file an issue in https://github.com/hashicorp/vault-plugin-auth-jwt

Thanks
Jim

All seems good with the json pointer.

Amidst a lot of confusion, it turned out that jwt and oidc can’t be used in the same mount point.

There is already an issue for it at: https://github.com/hashicorp/vault-plugin-auth-jwt/issues/72

The documentation sends the user in a direction that makes it seem possible to have both in the same mount point. It would help new users a lot if the documentation said that from version X it is not possible to use the same mount point for jwt and oidc.

Thank you for the help.