Redirect to vault UI with a jwt token

Hanska · January 3, 2023, 2:48pm

Hi

For a project using vault I have to create my own “jwt” provider.
I’m using a python flask proxy in a first place, so the user can login to our own authentication plateform, once its done I’m getting a certain ticket that I put into a jwt in order to connect to the Vault.

If I take the “jwt” and put it by myself on the UI this way :

It works perfectly.

What I want to do is to automate this “copy-paste” of jwt.
I saw in the documentation a way to connect using curl post request by using a payload with the jwt but unfortunatly it’s not a " redirection".

Thus when I try to redirect my user to the adress " ```
https://127.0.0.1:8200/v1/auth/jwt/login



{"errors":["unsupported operation"]}

On the webpage


Does anyone has a solution about it ?

Have a nice week.

maxb · January 4, 2023, 6:33pm

I’m not sure there’s any way implemented to do this.

The supported way would be to use regular OIDC, where you have a JWT/OIDC auth method (they’re the same code, it just goes by two different names) configured with a role that is of role_type oidc.

A user would arrive at the Vault UI, and would click a “Sign in with OIDC” button, and be redirected to your configured OIDC identity provider - which would then redirect back, following the OIDC Authorization Code flow.

If you have a single sign-on solution that does not support OIDC, however, this won’t help you.

Hanska · January 5, 2023, 9:05am

Maybe there is a way to redirect someone with a vault-token in its header or something in order to log the user directly to the UI?

Do you have an idea on how does Vault makes the web authentication of a user on the UI?

maxb · January 5, 2023, 2:51pm

There is something a bit like this but as far as I know, it’s completely undocumented other than in a few PRs in the Vault repository, and according to Vault UI Auto-Login without Namespace · Issue #17355 · hashicorp/vault · GitHub still has issues which make it an incomplete solution.

My personal recommendation would be to try to do standard OIDC instead.

Hanska · January 6, 2023, 7:55am

Thanks for your answers, I will communicate those informations with my team.

Have a nice week-end.

Topic		Replies	Views
Problem getting OIDC to work with Azure in the UI - CLI works fine! Vault	9	2799	January 18, 2023
Using OIDC token for authenticating VAULT APIs Vault vault	1	587	February 8, 2022
Using OIDC as auth type connecting to Vault from CLI always shows the redirect url as localhost Vault	7	708	August 31, 2023
Unable to get a token from OIDC login flow (API only) Vault connect , vault , azure	8	1030	April 3, 2023
Jwt authentication Vault	2	1229	November 3, 2021

Redirect to vault UI with a jwt token

Related topics