Using Token Metadata in Policy Template


First and foremost I’d like to thank the community for this wonderful secret service!

My Goal
I’m currently trying to work through a use-case in which I’m using Keycloak (and thus JWTs) to authenticate against different realms (multi-tenant). I configured my jwt backend to copy some claims to the metadata section, as I’d like to simply write a single policy which applies to all customers by using template variables which substitute a part of the resource path with metadata claim.

The Problem
However, I noticed I can only do this if I know the backend-id (since jwt metadata isn’t available in the identity metadata). However, since this is multi-tenant, I’d like to prevent my provisioner from being able to create a policy for each tenant (as this could lead to my provisioner writing a policy which allows admin rights!).

The solution?
But I also saw that, using /auth/token/lookup-self, we see the metadata for my jwt, which looks as if there’s a way that I should be able to do this in my template as a substitution variable, without me actually having to know the auth backend. Not sure if anything like {{token.meta.claim}} exists, or if anybody knows a workaround for this?

The hard alternative
If no such thing exists yet and there are no alternatives, I’m willing to give it a go by implementing it and posting a PR, but I’m not sure if this is allowed or if anybody sees value in this use-case?

Kind regards,


I was looking for a very similar use case, with a couple exceptions:

  • I know my auth method accessor
  • I have multiple aliases from the same auth method accessor tied to a single entity
  • When using {{identity.entity.aliases.auth_jwt_abcdef12.metadata.meta_key}} it returns the value from the first alias in the entity’s alias map, not the value from the alias that generated the token.
  • I figured a workaround would be something similar to what OP has suggested, making a policy templating value available where {{token.meta.meta_key}} could be referenced safely assuming all auth methods were managed solely by the administration team or measures were taken using allowed_parameters in a delegation model.

Anyway it doesn’t seem like it’s available, and it would certainly fill at least two use cases.
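As an added example (not code from either poster or from the Vault project), here is how the two use cases above are usually wired up today with the Vault Terraform provider: the jwt role copies a `tenant` claim into the alias metadata with `claim_mappings`, and the templated policy references that metadata through `{{identity.entity.aliases.<accessor>.metadata.<key>}}`. The mount path `jwt`, the role name `tenant-user`, the claim name `tenant`, the audience and the `secret/data/tenants/...` layout are assumptions for illustration. The accessor still has to be known, which is the limitation the thread describes; the Terraform reference only avoids hard-coding it. Per the second post, if one entity holds several aliases from the same accessor, the template resolves to the first alias in the entity’s alias map, not the alias that issued the token, so this pattern is only safe where each entity has a single alias on that mount.

```hcl
# Assumed: the jwt auth method is mounted at auth/jwt and points at a Keycloak realm.
resource "vault_jwt_auth_backend" "tenant" {
  path               = "jwt"
  oidc_discovery_url = "https://keycloak.example.invalid/realms/example" # placeholder issuer
  bound_issuer       = "https://keycloak.example.invalid/realms/example"
}

# The role copies the `tenant` claim of the JWT into the entity alias metadata
# (alias metadata is what policy templates can read). `user_claim` selects the
# claim used as the alias name, so each subject gets its own alias.
resource "vault_jwt_auth_backend_role" "tenant_user" {
  backend         = vault_jwt_auth_backend.tenant.path
  role_name       = "tenant-user"
  role_type       = "jwt"
  bound_audiences = ["vault"]          # assumed audience claim value
  user_claim      = "sub"
  claim_mappings = {
    tenant = "tenant"                  # JWT claim "tenant" -> alias metadata key "tenant"
  }
  token_policies = [vault_policy.tenant_reader.name]
}

# One policy for every tenant: the tenant segment of the path is substituted
# from the alias metadata at request time, so the provisioner never writes a
# per-tenant policy (and never gets a chance to widen one).
resource "vault_policy" "tenant_reader" {
  name = "tenant-reader"

  policy = <<-EOT
    path "secret/data/tenants/{{identity.entity.aliases.${vault_jwt_auth_backend.tenant.accessor}.metadata.tenant}}/*" {
      capabilities = ["read", "list"]
    }

    path "secret/metadata/tenants/{{identity.entity.aliases.${vault_jwt_auth_backend.tenant.accessor}.metadata.tenant}}/*" {
      capabilities = ["list"]
    }
  EOT
}
```

A useful check after applying this is to log in with a token for one tenant and confirm that `vault kv get secret/tenants/<other-tenant>/...` is denied while the caller’s own tenant path is readable; `vault token lookup` on that token shows the `tenant` value in the alias metadata, which is the value the template consumed.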

Hi @stuartpurgavie1 and thank you for your response!

Meanwhile I have created a PR on this subject, perhaps you can take a look and see if anything needs to be added?

Kind regards!