Userpass with @ in the username

It looks like the userpass system does not allow a “@” character in the username. This is at odds with other auth engines like ldap, which does.

curl -X PUT -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"policies":"default"}' http://127.0.0.1:8200/v1/auth/userpass/users/foo@baz.io

does not work - errors with “unsupported path”

however

curl -X PUT -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"policies":"default"}' http://127.0.0.1:8200/v1/auth/ldap/users/foo@baz.io

works just fine

Is this intentional or a bug?


I’d categorize this as intentional.

Some internal investigation shows the code regex that parses the userpass auth method inputs allows for alphanumeric, plus “_”, “-”, and “.” (underscore, hyphen and period). The LDAP auth method is slightly different, perhaps to account for how different LDAP backends can be configured for what characters are permitted.

I’ll look to having some clarification added to the userpass documentation.
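A pre-flight check for the character set described in the reply above, as an added example that is not part of the original thread and is not Vault's own code. The pattern is written from that description (alphanumerics plus "_", "-" and "."), and the function names and sample usernames are constructed for illustration.

```python
import re

# Character set as described in the reply: ASCII alphanumerics plus "_", "-", ".".
# Assumption: written from that description, not copied from Vault's source.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_.-]")


def offending_chars(username):
    """Return (index, char) pairs for characters outside the described set."""
    return [(i, c) for i, c in enumerate(username)
            if not ALLOWED_CHAR.fullmatch(c)]


def triage(usernames):
    """Split names into those within the described set and those outside it.

    Returns (accepted, rejected), where rejected maps each name to its
    offending (index, char) pairs. Empty names are rejected with no pairs.
    """
    accepted, rejected = [], {}
    for name in usernames:
        bad = offending_chars(name)
        if bad or not name:
            rejected[name] = bad
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample: the kind of list exported from LDAP before creating
# matching entries under auth/userpass/users/.
SAMPLE_USERNAMES = [
    "foo",
    "foo.bar",
    "svc-backup_01",
    "foo@baz.io",      # the name from the question
    "DOMAIN\\alice",
    "bob smith",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_USERNAMES)
    for name in ok:
        print(f"ok      {name}")
    for name, chars in bad.items():
        detail = ", ".join(f"{c!r} at index {i}" for i, c in chars) or "empty"
        print(f"reject  {name!r}: {detail}")
```

Running this over a user list before calling the userpass endpoint flags names such as `foo@baz.io` up front, instead of discovering them one “unsupported path” error at a time.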

Is there any reason not to make it consistent with ldap?
