TLS cert authentication and token renewal

I’ve been using Vault TLS cert authentication for a good long while, but always in a situation where the client retains the logic cert/key for the duration of the transaction. Recently I was playing with some different workflows and I discovered that the API for /auth/token/renew-self and /auth/token/renew, when used to renew a token issued from the TLS cert auth backend, REQUIRE that the client is in possession of a cert/key pair that is valid.

AFAIK this is the only backend which requires, what amounts to, re-authentication in order to renew an already issued token. Is this intentional? I can’t find any mention of this behavior in the documentation.

Presuming that this behavior is intentional, can someone explain the rationale for this? Can we get some documentation updates to reflect this behavior?

It seems weird to me that I could authenticate with AppRole and pass off the token as a bearer credential to some other process, and that token could be renewed as needed/allowed without also giving my AppRole secret to the subprocess; but if I want to do the same thing with TLS cert authentication, I cannot pass off the token and presume the subprocess can renew it, regardless of the settings on the token, the ACL policy associated with it, and the configuration of the cert authentication backend.

TIA for any response

This is not the only auth method that has “re-authentication” requirements for renew - another example is LDAP, where renewal triggers an attempt to rebind to the LDAP server using the password that Vault stashed away internally at initial login.

I do agree with you, though, that this functionality is both inconsistent and severely under-documented.

Did you ever figure out any more information about this? I am looking to implement this in Java.

I have a token which is created through cert auth, and I want to write the code to hit the renew self API to renew that token.

However, only with cert auth, it bugs out and does not let me do so. Do I need to provide the user cert and key? If so, do you know how to do that?

Yes. That is what the previous messages are discussing.

There’s nothing Vault-specific in that part - just however the language / library you’re working with supports TLS client certificates.

I see, so the TLS certificate wouldn’t be a header, right?

Rather, it would be provided while building an HTTP client in Java?

@maxb Could you help with some pseudocode if I wanted to do this in Java?
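As an added example (written for this thread, not code from any poster or from the Vault project), here is the shape of a Java 11+ client that renews a cert-auth token. The token travels in the X-Vault-Token header as usual; the client certificate and key are loaded into an SSLContext so they are presented during the TLS handshake, which is what the cert auth backend checks on renewal. The environment variables, the PKCS#12 bundle path and the 1h increment are assumptions.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class VaultCertRenew {

    /** Build an SSLContext that offers the client cert/key from a PKCS#12 file during the TLS handshake. */
    static SSLContext clientCertContext(Path p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (var in = Files.newInputStream(p12)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers = JVM default CA store; if Vault's server cert comes from a private CA,
        // supply a TrustManagerFactory loaded with that CA instead (assumption: public CA here).
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** POST /v1/auth/token/renew-self: token in a header, certificate in the TLS session, not in a header. */
    static HttpResponse<String> renewSelf(String vaultAddr, String token, SSLContext ctx) throws Exception {
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(vaultAddr + "/v1/auth/token/renew-self"))
                .header("X-Vault-Token", token)
                .POST(HttpRequest.BodyPublishers.ofString("{\"increment\":\"1h\"}"))
                .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: VAULT_ADDR (https://...), the cert-auth token, and a PKCS#12 bundle
        // holding the same client cert/key that was used at login.
        String addr = System.getenv("VAULT_ADDR");
        String token = System.getenv("VAULT_TOKEN");
        Path p12 = Path.of(System.getenv("CLIENT_P12"));
        char[] pw = System.getenv("CLIENT_P12_PASSWORD").toCharArray();
        HttpResponse<String> resp = renewSelf(addr, token, clientCertContext(p12, pw));
        System.out.println(resp.statusCode() + " " + resp.body());
    }
}
```

Running the same request with a plain HttpClient (no sslContext) reproduces the failure described above, which is a quick way to confirm the cert, not the token, is what renewal is rejecting.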