Vault UI OIDC login, Roles Text Box

Hi there,

Is it possible to disable or remove the Roles text box from the OIDC login form?

When a user is presented with this, they are able to enter any role that exists within Vault and thus escalate the level of their access.

A simple example would be a user with access to Role-A extending their access by entering Role-B in the text box, thereby gaining access to the path secrets/B without authorisation.

The workaround at this time seems to me to be to have a set of anti-roles, wherein you have Role-B and an anti-Role-B with the same access path stanzas but where the permissions are all set to deny.

Thank you.


Stephen.
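As an added example (not part of the original post or of Vault's own documentation), the Terraform configuration below shows the deny-based anti-role policy the post describes next to the control that actually stops a user from gaining access by typing a different role name: `bound_claims` on the OIDC role. It assumes the OIDC auth method is mounted at `auth/oidc`, that the identity provider places group membership in a `groups` claim, and that the group name, paths and redirect URI are constructed placeholders.

```hcl
# Added example (not from the original post): Terraform configuration for the
# Vault provider. Assumes the OIDC auth method is mounted at auth/oidc and the
# identity provider puts group memberships in a "groups" claim; group names,
# paths and redirect URIs are constructed placeholders.

# Policy for Role-B: read-only access to secrets/B.
resource "vault_policy" "role_b" {
  name   = "role-b"
  policy = <<-EOT
    path "secrets/B/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# The post's workaround: an "anti-role" policy that denies the same paths.
# In Vault, deny takes precedence over every other capability when the
# policies attached to a token are merged.
resource "vault_policy" "anti_role_b" {
  name   = "anti-role-b"
  policy = <<-EOT
    path "secrets/B/*" {
      capabilities = ["deny"]
    }
  EOT
}

# The stronger control: with bound_claims set, a login that names role-b only
# succeeds when the IdP-issued token actually carries the required group claim,
# so entering another role name in the UI fails instead of escalating access.
resource "vault_jwt_auth_backend_role" "role_b" {
  backend        = "oidc"
  role_name      = "role-b"
  role_type      = "oidc"
  user_claim     = "sub"
  groups_claim   = "groups"
  token_policies = [vault_policy.role_b.name]

  bound_claims_type = "string"
  bound_claims = {
    groups = "secrets-b-readers" # constructed group name
  }

  allowed_redirect_uris = [
    "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
  ]
}
```

Every role that grants access to sensitive paths should carry a `bound_claims` (or equivalent) restriction; the anti-role policy only helps for roles you remember to pair it with.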