Hi,
I am using Keycloak OIDC to authenticate with Vault. I have successfully authenticated and been assigned the default role, but when trying a different role, if the role is defined in Vault it is automatically given to the user although it is not defined in the group claims.
My dev role :
vault write auth/oidc/role/dev allowed_redirect_uris="<REDIRECT_URL>" user_claim="email" policies="dev" groups_claim="oidc-role"
My group definition:
vault write identity/group name="dev" type="external" policies="dev" metadata=responsibility="Read K/V Secrets"
My group Alias:
vault write identity/group-alias name="dev" mount_accessor=<ACCESSOR_ID> canonical_id=<GROUP_ID>
The keycloak user id token containing group claims:
{
  "exp": 1648478015,
  "iat": 1648477715,
  "auth_time": 0,
  "jti": "9a2bab35-eba3-48c9-986b-797f9cd63d61",
  "iss": "<ISS>",
  "aud": "vault",
  "sub": "ace5c4fa-bf63-4e5c-b3d6-a440d10cfe3b",
  "typ": "ID",
  "azp": "vault",
  "session_state": "ff747738-0019-4cf8-8eb3-84c05889fa15",
  "acr": "1",
  "sid": "ff747738-0019-4cf8-8eb3-84c05889fa15",
  "email_verified": true,
  "name": "<NAME>",
  "preferred_username": "<USERNAME>",
  "given_name": "<GIVEN_NAME>",
  "oidc-role": [
    "test"
  ],
  "family_name": "<NAME>",
  "email": "<EMAIL>"
}
NOTE: here the group claim is different, although Vault allows the user to log in with role dev.
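The following is an added example, not code from the post or from Vault itself. It models, in a few dozen lines of Python, how an OIDC auth role decides whether a login succeeds and which policies the resulting token carries, so the behaviour described above can be reproduced offline. Two things drive the outcome: `policies` on the role are attached to every token issued through that role regardless of the claims in the ID token, while `groups_claim` only controls which external identity groups the entity is placed in (matched by group alias name). The token below is a constructed stand-in for the Keycloak ID token in the post, and the `bound_claims` field stands for Vault's real `bound_claims` role parameter, which restricts a role to tokens whose claims contain the required values; the role, group and function names are otherwise this example's own.

```python
"""Model of Vault OIDC role evaluation (added example, not Vault's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class OidcRole:
    name: str
    user_claim: str
    groups_claim: Optional[str] = None
    # Role-level policies: attached to every token issued via this role.
    policies: List[str] = field(default_factory=list)
    # claim name -> values of which at least one must be present in the token.
    # Stands in for Vault's bound_claims role parameter (assumed semantics: any-of).
    bound_claims: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class ExternalGroup:
    name: str        # identity/group name
    alias: str       # identity/group-alias name, compared with groups_claim values
    policies: List[str]


# Constructed ID token, shaped like the one in the post (values are placeholders).
ID_TOKEN = {
    "aud": "vault",
    "sub": "ace5c4fa-bf63-4e5c-b3d6-a440d10cfe3b",
    "email": "user@example.test",
    "oidc-role": ["test"],
}

DEV_GROUP = ExternalGroup(name="dev", alias="dev", policies=["dev"])

# The role exactly as written in the post: policies="dev" plus groups_claim.
DEV_ROLE_AS_POSTED = OidcRole(
    name="dev", user_claim="email", groups_claim="oidc-role", policies=["dev"])

# Same role with the unconditional policy removed: only group membership grants "dev".
DEV_ROLE_GROUP_ONLY = OidcRole(
    name="dev", user_claim="email", groups_claim="oidc-role", policies=[])

# Same role restricted so it can only be used when the claim carries "dev".
DEV_ROLE_BOUND = OidcRole(
    name="dev", user_claim="email", groups_claim="oidc-role", policies=["dev"],
    bound_claims={"oidc-role": ["dev"]})


def claim_values(token: dict, name: str) -> List[str]:
    """Return a claim as a list, whether the IdP emitted a string or an array."""
    value = token.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def login(role: OidcRole, token: dict, groups: List[ExternalGroup]
          ) -> Tuple[bool, List[str], List[str]]:
    """Evaluate a login: (allowed, effective policies, external groups joined)."""
    # user_claim must exist; it becomes the entity alias name.
    if role.user_claim not in token:
        return False, [], []
    # bound_claims gate the role itself; a missing or non-matching claim denies login.
    for claim, required in role.bound_claims.items():
        if not set(claim_values(token, claim)) & set(required):
            return False, [], []
    # groups_claim only selects external groups whose alias matches a claim value.
    joined: List[ExternalGroup] = []
    if role.groups_claim:
        present = set(claim_values(token, role.groups_claim))
        joined = [g for g in groups if g.alias in present]
    # Effective policies = role policies (unconditional) + policies of joined groups.
    effective = set(role.policies)
    for g in joined:
        effective.update(g.policies)
    return True, sorted(effective), [g.name for g in joined]


if __name__ == "__main__":
    for role in (DEV_ROLE_AS_POSTED, DEV_ROLE_GROUP_ONLY, DEV_ROLE_BOUND):
        print(role.name, role.policies, role.bound_claims, "->",
              login(role, ID_TOKEN, [DEV_GROUP]))
```

Running it with the posted role shows the token admitted with policy `dev` and no group joined, which is the symptom in the post: the policy came from the role, not from the `oidc-role` claim. Dropping `policies` from the role leaves the same user with no `dev` policy, and adding a bound claim refuses the login outright; which of the two is appropriate depends on whether the role should be usable at all by users outside the group.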