OIDC login ignores groups and roles

Hi,
I am using Keycloak OIDC to authenticate with Vault. I have successfully authenticated and been assigned the default role, but when trying a different role, if the role is defined in Vault it is automatically given to the user although it is not defined in the groups_claim.

My dev role :

vault write auth/oidc/role/dev allowed_redirect_uris="<REDIRECT_URL>" user_claim="email" policies="dev" groups_claim="oidc-role"

My group definition:

vault write identity/group name="dev" type="external" policies="dev" metadata=responsibility="Read K/V Secrets"

My group Alias:

vault write identity/group-alias name="dev" mount_accessor=<ACCESSOR_ID> canonical_id=<GROUP_ID>

The keycloak user id token containing group claims:

{
  "exp": 1648478015,
  "iat": 1648477715,
  "auth_time": 0,
  "jti": "9a2bab35-eba3-48c9-986b-797f9cd63d61",
  "iss": "<ISS>",
  "aud": "vault",
  "sub": "ace5c4fa-bf63-4e5c-b3d6-a440d10cfe3b",
  "typ": "ID",
  "azp": "vault",
  "session_state": "ff747738-0019-4cf8-8eb3-84c05889fa15",
  "acr": "1",
  "sid": "ff747738-0019-4cf8-8eb3-84c05889fa15",
  "email_verified": true,
  "name": "<NAME>",
  "preferred_username": "<USERNAME>",
  "given_name": "<GIVEN_NAME>",
  "oidc-role": [
    "test"
  ],
  "family_name": "<NAME>",
  "email": "<EMAIL>"
}

NOTE HERE THE GROUPS CLAIM IS DIFFERENT, ALTHOUGH VAULT ALLOWS THE USER TO LOG IN WITH ROLE DEV

This is functioning as designed given the configuration you quoted.

It looks likely to be a mistake that you have included policies="dev" on auth/oidc/role/dev, as this means “give everyone logging in with this role the dev policy, regardless of what groups they are in”.
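To make that rule concrete, here is a small Python model of how the token's policies are assembled at OIDC login. It is an added illustration written for this thread, not Vault's own code: it reproduces only the behaviour discussed here (policies on the auth role are granted to every login through that role; policies on an external identity group are granted only when a value of the role's groups_claim matches a group alias on that auth mount) and deliberately leaves out the rest of Vault's logic (internal groups, token_no_default_policy, policy templating). The placeholders, the sample ID tokens and the helper names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class OidcRole:
    """Subset of an auth/oidc/role entry (hypothetical structure for the model)."""
    name: str
    user_claim: str
    groups_claim: Optional[str] = None
    # policies="dev" in the post is the older spelling of token_policies.
    token_policies: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ExternalGroup:
    """Subset of an identity/group entry of type external."""
    canonical_id: str
    policies: FrozenSet[str]


# (mount_accessor, alias name) -> canonical group id, i.e. identity/group-alias.
AliasTable = Dict[Tuple[str, str], str]


def effective_policies(role: OidcRole, id_token: dict, groups: Dict[str, ExternalGroup],
                       aliases: AliasTable, mount_accessor: str) -> FrozenSet[str]:
    """Simplified model: role policies are unconditional, group policies are
    conditional on the groups_claim matching a group alias on this mount."""
    policies = {"default"} | set(role.token_policies)
    if role.groups_claim:
        claim = id_token.get(role.groups_claim, [])
        values: List[str] = [claim] if isinstance(claim, str) else list(claim)
        for value in values:
            group_id = aliases.get((mount_accessor, value))
            if group_id is not None and group_id in groups:
                policies |= groups[group_id].policies
    return frozenset(policies)


# Constructed sample data mirroring the thread; placeholders kept as in the post.
MOUNT_ACCESSOR = "<ACCESSOR_ID>"
GROUP_ID = "<GROUP_ID>"
GROUPS = {GROUP_ID: ExternalGroup(GROUP_ID, frozenset({"dev"}))}
ALIASES: AliasTable = {(MOUNT_ACCESSOR, "dev"): GROUP_ID}

# The role exactly as posted (policies="dev" on the role itself) ...
ROLE_AS_POSTED = OidcRole("dev", "email", "oidc-role", frozenset({"dev"}))
# ... and the role with that argument removed, as the answer suggests.
ROLE_FIXED = OidcRole("dev", "email", "oidc-role")

# Constructed ID tokens: the posted one carries oidc-role ["test"].
TOKEN_TEST = {"sub": "ace5c4fa-bf63-4e5c-b3d6-a440d10cfe3b", "email": "<EMAIL>",
              "oidc-role": ["test"]}
TOKEN_DEV = dict(TOKEN_TEST, **{"oidc-role": ["dev"]})


def main() -> None:
    for label, role, token in [("role as posted, claim test", ROLE_AS_POSTED, TOKEN_TEST),
                               ("role fixed, claim test", ROLE_FIXED, TOKEN_TEST),
                               ("role fixed, claim dev", ROLE_FIXED, TOKEN_DEV)]:
        got = effective_policies(role, token, GROUPS, ALIASES, MOUNT_ACCESSOR)
        print(f"{label}: {sorted(got)}")


if __name__ == "__main__":
    main()
```

With the role as posted, a user whose token says oidc-role ["test"] still ends up with the dev policy, because it is attached to the role rather than to the group. With the argument removed, the dev policy only appears when the claim actually contains "dev" and matches the group alias on the mount.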


I figured it out finally; as you said, the policies argument should be removed from the role definition.