OIDC policy not applied

tomerleib · November 26, 2019, 9:29am

Hi,

I’ve created a policy and used the following command to setup gmail role (followed the guide from here https://github.com/hashicorp/vault-guides/tree/master/identity/oidc-auth. But when users are logged in, they don’t get the policy applied and I need to manually attach the policy to their entities. How should I set it correctly so each new entity from Gmail will get the same policy?

Thanks

kalafut · November 26, 2019, 6:31pm

Hi. Can you paste your role definition here (sensitive data elided)?

tomerleib · November 26, 2019, 7:38pm

Sure, this also applies to the other thread with the CLI method that does not work

vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences=xxxxxxxxxx.apps.googleusercontent.com \
    allowed_redirect_uris=https://vault.mydomain.io/ui/vault/auth/oidc/oidc/callback \
    allowed_redirect_uris=https://vault.mydomain.io/oidc/callback
    policies=admin \
    ttl=1h

kalafut · November 26, 2019, 10:30pm

That looks reasonable, though I don’t see any localhost redirect uris which you probably need for the CLI. re: the policy question, which version of Vault are you using? I’m wondering if this (fixed) bug applies: https://github.com/hashicorp/vault-plugin-auth-jwt/pull/67

tomerleib · November 26, 2019, 11:15pm

Super!
Both issues fixed.

I thought that Google won’t allow the use of localhost in the authorized urls, turns out that it does and once used, the CLI worked.
I missed a backslash there, now the users are assigned the policy as it should.

Thanks for the help!