Hi.
I’m trying to configure Vault with an Okta OIDC app.
I configured everything according to the documentation, with one exception:
I don’t have an additional Authorization Server like in the docs. I use the Org Authorization Server and I can’t configure additional claims.
I configured roles (default, admin), auth oidc and an external group, and I can log in to Vault with Okta credentials, but one thing is strange. When I log in to Vault, I see the following entry in the logs:
{"@level":"debug","@message":"refreshing external group memberships","@module":"identity","@timestamp":"2022-12-19T11:22:20.605001Z","entity_id":"43568678-db44-7dc9-b20b-6d74c6f2b516","group_aliases":[{"mount_accessor":"auth_oidc_.....","name":"Everyone"}]}
I know that I have more groups, and one of them I want to use for the admin role, but it looks like Vault only gets the first group from the list, or something in Okta?
Do you have any idea about this?
My role config:
The Vault OIDC integration does not auto-create groups in Vault. You have to add the groups to Vault first, before Vault will then update their memberships based on the JWTs as people log in.
Hi
I know, I prepared an external group with the name that is in Okta.
For example:
vault write identity/group name="vault-admin" type="external" policies="acl_vault_admin" metadata=responsibility="vault-admin"
vault write identity/group-alias name="vault-admin" mount_accessor="$OIDC_ACCESSOR" canonical_id="$GROUP_ID"
I know that I have this group in Okta, but Vault does not recognise it.
Additionally, when I configured Vault with an additional Authorization Server like in the documentation, it worked as expected. This looks like an issue with the Org Authorization Server.
Since in this case the access token is returned along with the ID token, the access token can be used to get all user claims (all profile attributes and groups, if the profile and groups scopes are passed).
The access token can be sent as a bearer token in the Authorization header of a userinfo request, i.e. POST ${baseUrl}/oauth2/v1/userinfo, where the base URL will be https://{yoursubdomain}.okta.com.
But I don’t understand how to use this with the Vault OIDC config.
There is also another big caveat you need to be aware of: if you’re using the org authorization server for everything, an evil administrator of any one of your apps can capture and replay a token to any of your other apps, to impersonate that user.
I searched a little, and I think this is an issue with Okta. I configured Vault with my dev Okta Org AS, with a similar config to the one I get from our production Okta account (I’m not a super admin), and it works as expected: I see the additional groups in the Vault debug logs. But when I log in from the production Okta app, there is only one group, “Everyone”, because it is the default and everyone is in this group. I wrote to Okta; we will see.
Coming back to correct this mistake of mine: the tokens do have the Okta client ID as aud, so as long as everything is correctly verifying this, what I thought was a concern isn’t.
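Two things in this thread are worth checking by hand before blaming Okta or Vault: whether the groups are missing from the id_token itself or only from what the relying party reads (the userinfo question above), and whether the aud claim really is bound to the app's client ID (the replay caveat and its correction). The script below is an added example, not Vault's or Okta's code and not something posted in the thread. It decodes the id_token payload without verifying the signature (a real relying party checks it against the issuer's JWKS; this is an offline inspection tool only), validates iss/aud/azp/exp the way an OIDC client must, builds the userinfo request quoted above, and diffs the groups claim between the id_token and the userinfo response. The issuer, client ID, tokens and userinfo body are constructed sample values. The claim name "groups" is what a Vault OIDC role's groups_claim parameter would be pointed at, and, as the quoted text says, the Org Authorization Server only returns groups when the groups scope is requested (the role's oidc_scopes parameter).

```python
"""Offline diagnostics for an Okta Org Authorization Server OIDC login.

Added example, not Vault or Okta code. Signature verification is omitted on
purpose; only run this on tokens you already trust.
"""
import base64
import json
import time
import urllib.request


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token(claims: dict, issuer: str, client_id: str, now=None) -> list:
    """Return the problems a relying party must reject on (empty list = OK).

    The aud check is what makes the cross-app replay in the thread moot: a
    token minted for another Okta app carries that app's client_id as aud.
    """
    problems = []
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])  # RFC 7519: string or array
    if client_id not in auds:
        problems.append(f"aud {aud!r} does not contain {client_id!r}")
    if len(auds) > 1 and claims.get("azp") != client_id:
        problems.append("multiple aud values but azp is not our client_id")  # OIDC Core 3.1.3.7
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("token expired or has no exp")
    return problems


def groups_from(claims: dict, groups_claim: str = "groups") -> set:
    """Read the claim a Vault role's groups_claim would point at."""
    value = claims.get(groups_claim, [])
    return set(value) if isinstance(value, list) else set()


def userinfo_request(base_url: str, access_token: str) -> urllib.request.Request:
    """The userinfo call quoted in the thread: access token as a bearer token."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/v1/userinfo",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
        method="POST",
    )


def fetch_userinfo(base_url: str, access_token: str, opener=urllib.request.urlopen) -> dict:
    """Network call; injectable opener so the rest stays testable offline."""
    with opener(userinfo_request(base_url, access_token)) as resp:
        return json.loads(resp.read())


def diagnose(id_token: str, userinfo: dict, issuer: str, client_id: str, now=None) -> dict:
    """Compare what the id_token carries with what userinfo returns."""
    claims = jwt_claims(id_token)
    id_groups, ui_groups = groups_from(claims), groups_from(userinfo)
    return {
        "problems": validate_id_token(claims, issuer, client_id, now),
        "id_token_groups": id_groups,
        "userinfo_groups": ui_groups,
        "missing_from_id_token": ui_groups - id_groups,
    }


# --- constructed sample data (fake issuer, client ID and token; unsigned) ---
def _fake_jwt(payload: dict) -> str:
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([seg(b'{"alg":"RS256","kid":"fake"}'), seg(json.dumps(payload).encode()), "c2ln"])


SAMPLE_ISSUER = "https://example.okta.com"
SAMPLE_CLIENT_ID = "0oa-example-client-id"
SAMPLE_ID_TOKEN = _fake_jwt({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "user@example.com",
    "exp": 2_000_000_000, "groups": ["Everyone"],
})
SAMPLE_USERINFO = {"sub": "user@example.com", "groups": ["Everyone", "vault-admin"]}

if __name__ == "__main__":
    report = diagnose(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, SAMPLE_ISSUER, SAMPLE_CLIENT_ID)
    print(json.dumps(report, indent=2, default=sorted))
```

If missing_from_id_token is non-empty, the groups exist in Okta but are not being put into the id_token for this app, which is an Okta-side claim or scope configuration question rather than a Vault identity-group problem; if userinfo also returns only "Everyone", the access token was not issued with the groups scope.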