While using OIDC, i want to Map user entity id to Identity Provider email

DeanVaturiTS · April 18, 2023, 10:40am

Hi all,
as i was trying to configure oidc role as such, i was not able to see my users entity emails.
i am sure you know its hard to identify users by entity id.

vault write auth/oidc/role/oidc_default \
    allowed_redirect_uris="http://localhost:8250/oidc/callback,http://localhost:8200/oidc/callback,https://banana.com/ui/vault/auth/oidc/oidc/callback,https://banana.com/oidc/callback" \
    user_claim="sub" \
    policies="oidc_default" \
    verbose_oidc_logging="true" \
    groups_claim="groups" \
    oidc_scopes="openid email"

is there a way to change the way vault is working and to tell it to show user names or email addresses?

thanks.

maxb · April 18, 2023, 11:18am

I believe you can use claim_mappings JWT/OIDC - Auth Methods - HTTP API | Vault | HashiCorp Developer to have Vault capture information from the OIDC token and store it in metadata … however I don’t think there’s any way to get Vault to show that information in places in the UI where it would be useful, like lists of entities.

I’d probably resort to a script which periodically used the Vault API to update the names of automatically created Vault entities to more useful meaningful ones.

Topic		Replies	Views
Map user entity id to Identity Provider email when using OIDC Vault vault	1	662	January 8, 2023
OIDC claim_mappings will not override 'name' nor store it in metadata Vault	2	1580	April 15, 2020
Oidc providers and entity lookup Vault	0	244	March 20, 2022
OIDC Provider Scope Templating Vault vault	3	1507	April 18, 2022
Identity entity must be associated with the request Vault	6	538	January 18, 2023

While using OIDC, i want to Map user entity id to Identity Provider email

Related topics