
OIDC should support Authorization,Token and Userinfo endpoints if well-known configuration endpoint is not present on provider #169

Open
pbhalera opened this issue Apr 23, 2021 · 1 comment

@pbhalera

While configuring an OIDC provider, I encountered a provider that doesn't expose the /.well-known/openid-configuration endpoint. It does have the Authorization endpoint, Token endpoint and Userinfo endpoint, but the current implementation doesn't support that.

Can you please add support for overriding these endpoints in the Vault auth configuration?

@ptrovatelli

ptrovatelli commented Jan 23, 2024

I agree. It seems that many parameters are missing. According to the documentation, https://developer.hashicorp.com/vault/api-docs/auth/jwt#configure, we can configure a jwt auth backend with one (and only one) of:

  • oidc_discovery_url
  • jwks_url
  • jwt_validation_pubkeys

When not using oidc_discovery_url, we need a way to provide all the needful URLs. I don't see how it could work right now, although for now I'm stuck because of another issue when trying to configure OIDC with jwks_url instead of oidc_discovery_url (#272).

Here's what a manual OIDC configuration looks like when connecting from Kibana to Keycloak, for example (it's with ReadonlyREST):

```yaml
buttonName: "..."
type: "oidc"
issuer: "..."
authorizationURL: "..."
tokenURL: '...'
userInfoURL: '...'
jwksURL: '...'
clientID: '...'
clientSecret: "..."
scope: '...'
usernameParameter: '...'
groupsParameter: "..."
protocol: '...'
kibanaExternalHost: "..."
logoutUrl: "..."
```

We need at least:

| Field name suggestion | Field name in well-known URL | Comment |
|---|---|---|
| issuer | issuer | Missing. Could be skipped if same as boundIssuer, but right now it doesn't seem to be the case: Vault seems to have a separate entity for the issuer field than what is configured as bound_issuer. See https://discuss.hashicorp.com/t/unable-to-create-provider-oidc-issuer-did-not-match-the-issuer-returned-by-provider-with-keycloak-idp/61851 |
| authorization_endpoint | authorization_endpoint | Missing |
| token_endpoint | token_endpoint | Missing |
| jwks_url | jwks_uri | OK |
| oidc_client_id | - | OK, but should be allowed when jwks_url is present (see #272) |
| oidc_client_secret | - | OK |
| end_session_endpoint | end_session_endpoint | Missing |
| userinfo_endpoint | userinfo_endpoint | Missing. Would be a must-have (it's an optional endpoint in the OpenID Connect standard) |

OIDC workflow reminder (Vault is the relying party):

[image: openid connect]
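As an added illustration (not Vault's code and not from this thread), the following hypothetical Go snippet maps manually supplied endpoints onto the well-known field names from the table above and applies the checks a relying party should make before trusting such a configuration: the required fields are present, every endpoint is an absolute https URL, and bound_issuer agrees with issuer (the mismatch behind the linked "issuer did not match" error). The struct, function name and sample URLs are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ManualOIDCConfig is a hypothetical stand-in for the settings the comment asks for:
// the endpoints a relying party needs when /.well-known/openid-configuration is absent.
type ManualOIDCConfig struct {
	Issuer, AuthorizationEndpoint, TokenEndpoint, JWKSURL string // required
	UserinfoEndpoint, EndSessionEndpoint                  string // optional in OIDC
	BoundIssuer                                           string // value the token's iss claim is checked against
}

// ToProviderMetadata builds the discovery-document equivalent (keys as in the
// "Field name in well-known URL" column) and rejects configurations that would
// accept tokens from the wrong issuer or fetch keys and tokens over plaintext.
func ToProviderMetadata(c ManualOIDCConfig) (map[string]string, error) {
	meta := map[string]string{
		"issuer":                 c.Issuer,
		"authorization_endpoint": c.AuthorizationEndpoint,
		"token_endpoint":         c.TokenEndpoint,
		"jwks_uri":               c.JWKSURL,
	}
	for k, v := range meta {
		if v == "" {
			return nil, fmt.Errorf("%s is required when discovery is unavailable", k)
		}
	}
	if c.UserinfoEndpoint != "" {
		meta["userinfo_endpoint"] = c.UserinfoEndpoint
	}
	if c.EndSessionEndpoint != "" {
		meta["end_session_endpoint"] = c.EndSessionEndpoint
	}
	// Every endpoint carries codes, tokens or signing keys: require absolute https URLs.
	for k, v := range meta {
		if u, err := url.Parse(v); err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("%s must be an absolute https URL, got %q", k, v)
		}
	}
	// A bound_issuer that differs from issuer makes every id_token fail the iss check,
	// so refuse it at configuration time instead of at login time.
	if c.BoundIssuer != "" && strings.TrimRight(c.BoundIssuer, "/") != strings.TrimRight(c.Issuer, "/") {
		return nil, fmt.Errorf("bound_issuer %q does not match issuer %q", c.BoundIssuer, c.Issuer)
	}
	return meta, nil
}
```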
