OIDC user not getting policy from group

Hello everybody,

I am trying to set up OIDC for our environment. I am at a point where I can log in using OIDC, but the token that is created does not get the policies I want.

Here is how I set up OIDC:

$ vault policy write superuser superuser-policy.hcl
$ vault write identity/group name=vault-admins policies=superuser
$ vault auth enable oidc
$ vault write auth/oidc/config oidc_discovery_url="REDACTED" oidc_client_id="REDACTED" oidc_client_secret="REDACTED" default_role=default
$ vault write auth/oidc/role/default role_type=oidc allowed_redirect_uris="https://REDACTED/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback" user_claim=email oidc_scopes=profile groups_claim=groups policies=default verbose_oidc_logging=true

I can log in using OIDC, and I can see this in the log:

2022-05-23T20:36:42.635Z [DEBUG] identity: refreshing external group memberships: entity_id=56c042ac-44de-5ff2-7ee4-220e21d2cfb4 group_aliases=["mount_accessor:\"auth_oidc_dfa5a3ac\"  name:\"vault-admins\""]

So it seems Vault can see that I am a member of the vault-admins group. I would have expected the superuser policy to be attached to the newly created token, but it is not:

$ vault token lookup REDACTED
Key                 Value
---                 -----
accessor            pkJCPcV7IdrvaYfVpNFe2108
creation_time       1653338202
creation_ttl        768h
display_name        REDACTED
entity_id           56c042ac-44de-5ff2-7ee4-220e21d2cfb4
expire_time         2022-06-24T20:36:42.648476291Z
explicit_max_ttl    0s
id                  REDACTED
issue_time          2022-05-23T20:36:42.648484951Z
meta                map[role:default]
num_uses            0
orphan              true
path                auth/oidc/oidc/callback
policies            [default]
renewable           true
ttl                 767h46m52s
type                service

What am I doing wrong?

Thanks a lot in advance for your help!

You are missing two bits of configuration:

  • The group itself needs to be type=external to tell Vault its membership comes from an external source
  • The group needs to be explicitly linked to a particular auth method, with something Vault calls a “group alias”

Creation of a group alias looks like this:

vault write identity/group-alias \
  name=(name of the group in the remote system, which doesn't have to be the same as the group name in Vault) \
  canonical_id=(the UUID that Vault assigned to the group when you created it) \
  mount_accessor=(a string ID for the auth method, you can see these with 'vault auth list')

Hi @maxb ,

All right, thanks a lot! I will try what you suggested.

Many thanks!

Hi @maxb ,

I did what you said and it works! Thanks a lot! I just would like to have confirmation on one thing. When I do a vault lookup on the token I get after logging in via OIDC, I can see the following:

...
identity_policies              [superuser]
...
policies                       [default]
...

So the identity_policies lists the policies that are applied to the token through the login method? What is it exactly?

Thanks a lot!

Vault has two ways of connecting policies to tokens:

  • Identity policies are assigned to an identity group or identity entity, and the token contains an entity ID linking it to the entity. These are configured via the identity/... paths in Vault.

  • Token policies are assigned directly to the token when it is created, by the auth method. These are configured via the auth/<methodname>/... paths in Vault.

Token policies came first, and although many parts of the API have been updated to refer to them as token_policies, some places still use the old policies naming.

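The two pieces of the fix described earlier in this thread (an external group plus a group alias bound to the auth mount's accessor) and the token policies vs. identity policies split explained just above, carried out against Vault's HTTP API. This is an added example, not code from the thread or from HashiCorp; it assumes VAULT_ADDR and VAULT_TOKEN are set, the OIDC method is mounted at auth/oidc, and the superuser policy already exists. The group name, policy name and accessor value in the samples are taken from the thread; everything else is constructed for illustration.

```python
"""Added example (not from the thread): link a Vault external identity group
to an OIDC auth mount via a group alias, then work out which policies a login
token actually carries.

Assumptions (not from the original post): VAULT_ADDR and VAULT_TOKEN are set in
the environment, the OIDC method is mounted at auth/oidc, and the 'superuser'
policy already exists. The pure helpers operate on plain dicts so they can be
exercised offline against constructed sample responses.
"""
import json
import os
import urllib.request

GROUP_NAME = "vault-admins"       # group name in Vault (from the thread)
IDP_GROUP_NAME = "vault-admins"   # name the IdP sends in the 'groups' claim (assumed identical here)
OIDC_MOUNT = "oidc/"              # auth mount path as listed by sys/auth


def find_mount_accessor(auth_list, mount_path=OIDC_MOUNT):
    """Return one auth mount's accessor from a GET sys/auth response.

    Vault keys the mounts by path ("oidc/") and repeats the same map under
    "data"; both shapes are accepted. The accessor (auth_oidc_dfa5a3ac in the
    thread's debug log) is what the group alias must reference.
    """
    mounts = auth_list.get("data", auth_list)
    try:
        return mounts[mount_path]["accessor"]
    except KeyError:
        raise LookupError(f"no auth method mounted at {mount_path}") from None


def external_group_payload(name, policies):
    """Body for POST identity/group. Membership is decided by the auth method,
    so the group must be type=external (the first missing bit in the thread)."""
    return {"name": name, "type": "external", "policies": list(policies)}


def group_alias_payload(idp_name, canonical_id, mount_accessor):
    """Body for POST identity/group-alias: ties the Vault group (canonical_id is
    the UUID Vault assigned to it) to the name the IdP uses for it, on one
    specific auth mount (the second missing bit)."""
    return {"name": idp_name, "canonical_id": canonical_id,
            "mount_accessor": mount_accessor}


def effective_policies(token_lookup):
    """Policies a token can actually use, from an auth/token/lookup response.

    'policies' are the token policies the auth method attached at login (from
    the role); 'identity_policies' come from the entity and its groups. Vault
    enforces the union, so policies=[default] plus identity_policies=[superuser]
    means the token is effectively a superuser.
    """
    data = token_lookup.get("data", token_lookup)
    token_pols = set(data.get("policies", []))
    identity_pols = set(data.get("identity_policies", []))
    return sorted(token_pols | identity_pols)


def vault_request(method, path, body=None):
    """Minimal stdlib call to the Vault HTTP API (assumes VAULT_ADDR/VAULT_TOKEN)."""
    url = f"{os.environ['VAULT_ADDR'].rstrip('/')}/v1/{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # updates return 204 with an empty body
    return json.loads(raw) if raw else {}


def link_group_to_oidc():
    """Live procedure: external group -> mount accessor -> group alias."""
    accessor = find_mount_accessor(vault_request("GET", "sys/auth"))
    vault_request("POST", "identity/group",
                  external_group_payload(GROUP_NAME, ["superuser"]))
    group = vault_request("GET", f"identity/group/name/{GROUP_NAME}")
    canonical_id = group["data"]["id"]
    vault_request("POST", "identity/group-alias",
                  group_alias_payload(IDP_GROUP_NAME, canonical_id, accessor))
    return canonical_id, accessor


if __name__ == "__main__":
    print(link_group_to_oidc())
```

On the CLI the first two calls correspond to `vault write identity/group name=vault-admins type=external policies=superuser` followed by the `vault write identity/group-alias ...` shown earlier in the thread; the accessor comes from `vault auth list`. After the next OIDC login, `vault token lookup` should show superuser under identity_policies while policies still lists only what the role granted.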

Hi @maxb,

All right, thanks a lot for these explanations, that’s very useful!