Hello,
I have set up so my web application authenticates through Vault ( OIDC). And I can successfully get id_token. My question is: Is it possible to use that token to read secrets on Vault?
No, an OIDC id_token is a signed assertion of a user’s identity. It is different from the Vault tokens used to authenticate requests to the Vault API.
Thank you for the answer. Is it possible to request that feature?
Please could you explain in more detail what you want to achieve?
Using an OIDC id_token to access the Vault API directly does not really make sense in the existing architecture of Vault and OIDC.
So basically my goal is to build a few microservices that can read user secrets from the vault. So at the moment, I can think of two approaches:
The first approach is that I can authenticate the user myself and then ask him to provide me somehow their vault token. I’m not too fond of this approach because of the user experience.
The other approach is building my authentication system on top of Vault and wrapping the token in my own JWT. I am ok with this option even if it does not feel right, but I would prefer not to maintain all authentication methods that Vault provides.
So that is why I would like my application to use OpenID to authenticate users through Vault. If this scenario does not fit in Vault architecture I respect that.
You say “microservices” - what does this mean? REST APIs? Web UIs? Something else?
Please describe in more detail, exactly how a user interacts with Vault and your services, with respect to how the authentication works.
I think the core problem here is that OIDC is explicitly designed to allow a user to use an account in one system (Vault) to prove their identity to another system (your microservice), WITHOUT giving your microservice access to the user’s Vault data … except that’s exactly what you now want.
I used the word microservices because it shouldn’t matter if my application is a desktop app, web UI, REST API, etc. because the OIDC standard supports them all. That being said my apps are all Web UI.
My idea is there are some secrets that I store in the vault and services use (read/modify) those secrets. And you exactly understood my problem I would like the option that the user can give access to the Vault data (all or part of them) to my services.
At the moment Vault doesn’t support any simple solution to this problem. I am happy to use some different protocols if this use case does not fit with the current OIDC. But I would like to see this feature in the future.