OIDC role to policy mapping

I’m using Keycloak as the authentication provider for Vault and I want my Keycloak users to have policies inside of Vault without touching Vault.
Example:
Let’s say I’ve created a policy named “user” in Vault and a group named “user” in Keycloak. Now I would create a new user and add him to the user group, and I want him to have the user policy in Vault when he logs into Vault.

The OIDC guide shows something similar, except that one needs to create a role per group and use it for the login. But this would mean that every user needs to know his role to use it for the login, or at least that the application that performs the login would need to know which role needs to be used. I don’t want to specify it beforehand. The policies of the user should be known after the login based on the group (or the Keycloak roles) inside of Keycloak.

1 Like

Hello Shryne,

Please excuse me if I did not get your question right, but the way I understand it, the question is how to assign policies to users in OIDC without the users providing a specific role while logging in, correct?

The way I would set this up is by specifying default_role when configuring the OIDC auth method. My config looks like:

vault write auth/oidc/config oidc_discovery_url="http://localhost:8080/auth/realms/marti_realm" \
    oidc_client_id="vault" \
    oidc_client_secret="1f4a63c1-3343-429e-bc06-7e1117001193" \
    default_role="default_role_in_vault" 

So every time the user logs in using OIDC, default_role is picked. You have to define the OIDC role named default_role_in_vault in Vault, and its group claims should be used to determine the group membership.

Martin

1 Like

You are right. By using the groups_claim, I can assign the OIDC groups to the Vault groups. This way each user gets the policies I want them to have.

Thank you.
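The setup this thread arrives at, as an added example that is not part of the original posts: one default OIDC role carrying a groups_claim, plus an external identity group and a group alias for each Keycloak group. The names default_role_in_vault and "user" come from the thread; the claim name "groups", the redirect URIs and the accessor argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: the Keycloak ID token carries a "groups" claim (needs a group
# mapper on the client), the Vault policy already exists, and the redirect
# URIs below match how Vault is reached.

# Create the one role referenced by default_role in auth/oidc/config.
# It attaches no policies itself; groups_claim names the token claim that
# lists the user's Keycloak groups.
create_default_role() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "usage: create_default_role ROLE CLAIM" >&2; return 1; }
    vault write "auth/oidc/role/$1" \
        user_claim="sub" \
        groups_claim="$2" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback"
}

# Bind one Keycloak group to one Vault policy:
#   external identity group (holds the policy) + alias (matches the claim value).
# The alias name must equal the claim value exactly; with Keycloak's
# "Full group path" mapper option on, that value is "/user", not "user".
map_group() {
    accessor="$1"; kc_group="$2"; policy="$3"
    [ -n "$accessor" ] && [ -n "$kc_group" ] && [ -n "$policy" ] || {
        echo "usage: map_group MOUNT_ACCESSOR KEYCLOAK_GROUP POLICY" >&2; return 1; }
    gid=$(vault write -field=id identity/group \
        name="$kc_group" type="external" policies="$policy") || return 1
    [ -n "$gid" ] || { echo "no group id returned for $kc_group" >&2; return 1; }
    vault write identity/group-alias \
        name="$kc_group" mount_accessor="$accessor" canonical_id="$gid"
}

# Run as: sh map-groups.sh apply <accessor of the oidc mount from `vault auth list`>
if [ "${1:-}" = "apply" ]; then
    create_default_role default_role_in_vault groups &&
    map_group "$2" user user
fi
```

Adding a Keycloak user to the group then needs no change in Vault; the policy is attached at login when the group name appears in the token's claim.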