OIDC policy not applied

Hi,

I’ve created a policy and used the following command to set up the gmail role (followed the guide from here: https://github.com/hashicorp/vault-guides/tree/master/identity/oidc-auth). But when users are logged in, they don’t get the policy applied and I need to manually attach the policy to their entities. How should I set it correctly so each new entity from Gmail will get the same policy?

Thanks

Hi. Can you paste your role definition here (sensitive data elided)?

Sure, this also applies to the other thread with the CLI method that does not work

vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences=xxxxxxxxxx.apps.googleusercontent.com \
    allowed_redirect_uris=https://vault.mydomain.io/ui/vault/auth/oidc/oidc/callback \
    allowed_redirect_uris=https://vault.mydomain.io/oidc/callback
    policies=admin \
    ttl=1h

That looks reasonable, though I don’t see any localhost redirect URIs, which you probably need for the CLI. Re: the policy question, which version of Vault are you using? I’m wondering if this (fixed) bug applies: https://github.com/hashicorp/vault-plugin-auth-jwt/pull/67

Super!
Both issues fixed.

  1. I thought that Google won’t allow the use of localhost in the authorized urls, turns out that it does and once used, the CLI worked.
  2. I missed a backslash there, now the users are assigned the policy as it should.

Thanks for the help!

1 Like
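The two fixes in this thread are worth turning into something checkable. The dropped backslash is dangerous precisely because it is silent: without the line continuation, `policies=admin` and `ttl=1h` are parsed by the shell as ordinary variable assignments, so `vault write` succeeds and creates a role that issues tokens with no policy attached. The added example below is not from the original thread or from HashiCorp; it builds the corrected `vault write auth/oidc/role/gmail ...` invocation as an argv list (so there is no line continuation to forget), includes the localhost redirect URI that `vault login -method=oidc` uses by default (`http://localhost:8250/oidc/callback`, assumed from the Vault OIDC docs), and then checks the role as read back with `vault read -format=json`. The `vault` binary is only invoked when the script is run as a program; the check function works on a plain dict, and the two sample role documents are constructed for illustration (the client ID and hostname are the placeholders from the thread). Whether the stored role reports `token_policies` or the older `policies` key depends on the Vault version, so the check accepts either.

```python
"""Build the corrected OIDC role definition as an argv list and verify the
stored role. Added example, not code from the thread or from HashiCorp."""
import json
import shutil
import subprocess

ROLE = "gmail"
# Placeholders from the thread; replace with the real client ID and hostname.
CLIENT_ID = "xxxxxxxxxx.apps.googleusercontent.com"
VAULT_HOST = "https://vault.mydomain.io"
# Assumption: default callback used by `vault login -method=oidc` (port 8250).
CLI_CALLBACK = "http://localhost:8250/oidc/callback"
REDIRECT_URIS = [
    f"{VAULT_HOST}/ui/vault/auth/oidc/oidc/callback",
    f"{VAULT_HOST}/oidc/callback",
    CLI_CALLBACK,
]


def build_role_args(role=ROLE, client_id=CLIENT_ID, redirect_uris=REDIRECT_URIS,
                    policies=("admin",), ttl="1h"):
    """Return the argv for `vault write auth/oidc/role/<role> ...`.

    Repeating `allowed_redirect_uris=` is how the Vault CLI builds a list
    value; passing an argv list means no shell line continuation can be
    dropped and no argument can silently become a shell variable.
    """
    return [
        "vault", "write", f"auth/oidc/role/{role}",
        "user_claim=sub",
        f"bound_audiences={client_id}",
        *[f"allowed_redirect_uris={u}" for u in redirect_uris],
        f"policies={','.join(policies)}",
        f"ttl={ttl}",
    ]


def check_role(role_doc, expected_policies=("admin",), require_localhost=True):
    """Return a list of problems found in a `vault read -format=json` role doc.

    An empty list means the role carries the expected policies and a
    localhost redirect URI for the CLI flow.
    """
    data = role_doc.get("data", {})
    problems = []
    # Newer Vault returns token_policies; older versions return policies.
    policies = set(data.get("token_policies") or data.get("policies") or [])
    missing = sorted(set(expected_policies) - policies)
    if missing:
        problems.append(f"role is missing policies {missing}; tokens will be policy-less")
    uris = data.get("allowed_redirect_uris") or []
    if require_localhost and not any(u.startswith("http://localhost") for u in uris):
        problems.append("no localhost redirect URI; `vault login -method=oidc` will fail")
    if data.get("user_claim") != "sub":
        problems.append("user_claim should be 'sub' (stable Google subject identifier)")
    return problems


# Constructed sample: what the thread's role looks like after the backslash is
# lost (policies and ttl never reached vault, and no localhost redirect URI).
SAMPLE_BROKEN = {"data": {
    "allowed_redirect_uris": REDIRECT_URIS[:2],
    "bound_audiences": [CLIENT_ID],
    "token_policies": [],
    "user_claim": "sub",
}}

# Constructed sample: the role as written by build_role_args().
SAMPLE_FIXED = {"data": {
    "allowed_redirect_uris": REDIRECT_URIS,
    "bound_audiences": [CLIENT_ID],
    "token_policies": ["admin"],
    "token_ttl": 3600,
    "user_claim": "sub",
}}


def read_role(role=ROLE):
    """Read the role back from a live Vault (requires VAULT_ADDR/VAULT_TOKEN)."""
    out = subprocess.run(["vault", "read", "-format=json", f"auth/oidc/role/{role}"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    if shutil.which("vault") is None:
        print("vault CLI not found; offline check of constructed samples:")
        print("broken:", check_role(SAMPLE_BROKEN))
        print("fixed: ", check_role(SAMPLE_FIXED))
    else:
        subprocess.run(build_role_args(), check=True)
        problems = check_role(read_role())
        raise SystemExit(f"role check failed: {problems}" if problems else 0)
```

Run it once with a valid `VAULT_TOKEN` after enabling the OIDC auth method; a non-zero exit means the stored role does not match what was intended, which is the check that would have caught the missing backslash immediately instead of after users had already logged in with policy-less tokens.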