Using vault for generating authentication message with option to verify and revoke

My use case is as follows:
I have n people that are authenticated with Vault (using different providers). Now I’d like all of them to be able to access an API endpoint (which is behind haproxy) and I’d like everyone who has policy x in Vault to be able to access this endpoint.

The solution I was thinking about is to setup an API shield on haproxy, which is trivial, and I thought I could one of the Vault secrets engine to generate something like JWT although I understand that Vault cannot do that. JWT by definition has payload that allows the server to verify the identity although I don’t necessarily need it, thus my authentication message doesn’t need to contain any payload. What it needs though is for the server to know that the authentication message was indeed generated by Vault and/or the message is still valid (it could either be short-lived with a timestamp or long lived with possibility to revoke.

For instance, Vault’s Transit secret engine allows to generate JWS but there are three problems that arise (correct me if I’m wrong):

  1. User who signs the message can input arbitrary payload
  2. Vault doesn’t expose public keys anywhere conveniently for server to validate the signature
  3. The signing certificate is shared between all entities and thus irrevocable for a single entity

Any ideas?

1 Like