Vault acting as its own OIDC provider

Vault has the ability to be an OIDC provider, as well as having an OIDC auth engine for authenticating using tokens from other providers. My question is fairly simple: can Vault act as its own IdP for OIDC auth (i.e. an OIDC auth engine configured to use Vault’s own OIDC provider)? Is this even a supported configuration?

We’ve got an application and want users to authenticate with Vault to use it, for which Vault’s OIDC provider works fine. However, our application also needs to do some operations in Vault, and rather than giving the application its own credentials, we want it to use those of the logged-in user to avoid privilege escalation. Unfortunately, the OIDC provider only returns a batch token, rather than anything which could be used to make additional calls to Vault, so a different option is needed.