Vault UI OIDC login, Roles Text Box

Hi there,

Is it possible to disable or remove the Roles text box from the OIDC login form?

When a user is presented with this, they are able to enter any role that exists within Vault and thus escalate the level of their access.

A simple example would be a user with access to Role-A extending their access by entering Role-B in the text box, thereby gaining access to path secrets/B without authorisation.

The workaround at this time seems to me to be to have a set of anti-roles wherein you have Role-B and an anti-Role-B with the same access path stanzas but where the permissions are all set to deny.

Thank you.

Stephen.

Is letting the user specify the role a feature of Vault when run in development mode?

Letting the end user specify whatever role they want is useless, so we must be missing something pretty obvious.

I thought the roles would be defined for the user by the identity provider.
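In Vault's OIDC auth method the identity provider's say over who may use a role is enforced per role through its bound_claims and bound_audiences; the role name typed into the UI only selects which bindings are checked against the ID token. The model below is an added illustration, not Vault's code or either poster's, and its roles (role-a, role-b, role-open) and token claims are constructed sample data.

```python
from typing import Any, Dict, List, Optional

# Constructed role definitions (sample data, not Vault's code), mirroring what
#   vault write auth/oidc/role/role-b user_claim=sub token_policies=policy-b \
#       bound_audiences=vault bound_claims='{"groups": ["team-b"]}'
# would store: every role carries its own restrictions.
ROLES: Dict[str, Dict[str, Any]] = {
    "role-a": {"bound_audiences": ["vault"], "bound_claims": {"groups": ["team-a"]},
               "token_policies": ["policy-a"]},
    "role-b": {"bound_audiences": ["vault"], "bound_claims": {"groups": ["team-b"]},
               "token_policies": ["policy-b"]},
    # Misconfigured: nothing restricts who may use it, so any authenticated user can.
    "role-open": {"bound_audiences": ["vault"], "bound_claims": {},
                  "token_policies": ["policy-b"]},
}

# Constructed ID-token claims for a member of team-a only.
TEAM_A_CLAIMS: Dict[str, Any] = {"sub": "stephen", "aud": "vault", "groups": ["team-a"]}


def _claim_matches(token_value: Any, allowed: List[str]) -> bool:
    """A token claim may be a scalar or a list (e.g. groups); any overlap counts."""
    values = token_value if isinstance(token_value, list) else [token_value]
    return any(str(v) in allowed for v in values)


def login(role_name: str, claims: Dict[str, Any]) -> Optional[List[str]]:
    """Policies the token would receive under the named role, or None when the
    role's bindings reject it. The name only selects which bindings are checked."""
    role = ROLES.get(role_name)
    if role is None:
        return None
    if not _claim_matches(claims.get("aud"), role["bound_audiences"]):
        return None
    for claim, allowed in role["bound_claims"].items():
        if claim not in claims or not _claim_matches(claims[claim], allowed):
            return None
    return list(role["token_policies"])


def unbound_roles() -> List[str]:
    """Defender's check: roles with no bound_claims accept every token the
    provider issues, which is the escalation the thread worries about."""
    return sorted(name for name, role in ROLES.items() if not role["bound_claims"])


if __name__ == "__main__":
    print(login("role-a", TEAM_A_CLAIMS))     # ['policy-a']
    print(login("role-b", TEAM_A_CLAIMS))     # None: team-a is not in team-b
    print(login("role-open", TEAM_A_CLAIMS))  # ['policy-b']: the real misconfiguration
    print(unbound_roles())                    # ['role-open']
```

With bindings in place, typing Role-B into the form gains a team-a user nothing; the roles to audit are the ones unbound_roles() reports.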