Hi there,
Is it possible to disable or remove the Roles text box from the OIDC login form?
When a user is presented with this, they are able to enter any role that exists within Vault and thus escalate the level of their access.
A simple example would be a user with access to Role-A extending their access by entering Role-B in the text box, thereby gaining access to path secrets/B without authorisation.
The workaround at this time seems to me to be to have a set of anti-roles wherein you have Role-B and an anti-Role-B with the same access path stanzas but where the permissions are all set to deny.
Thank you.
–
Stephen.