Why Authentication using OIDC?
Authentication is very important: we need to authenticate users who want to execute operations in Vault, such as signing SSH certificates, retrieving KV pairs, and other management operations that can be extremely dangerous if performed by an unauthorized individual. OpenID Connect (OIDC) is
Install Authentik
Docker Compose installation | authentik
Here are two helpful videos; with them you can set up Authentik in less than 10 minutes on Docker or Kubernetes. For a production environment you will want to enable high availability and take backups.
Secure authentication for EVERYTHING! // Authentik
Configure OIDC access to Vault in Less than 10 Minutes! – YouTube
1. Create Provider & App in Authentik
The first step is to create a provider and an application inside Authentik; this allows
2. Enable OIDC In Vault
Integrate with Hashicorp Vault | authentik
Once you have set up your Authentik server and created an admin user, you are ready to enable OIDC in Vault.
vault auth enable oidc
vault write auth/oidc/config \
    oidc_discovery_url="https://authentik.company/application/o/<application_slug>/" \
    oidc_client_id="Client ID" \
    oidc_client_secret="Client Secret" \
    default_role="reader" \
    jwt_supported_algs="RS256,ES256"
Create Admin Role & Policy
# admin-policy.hcl: admin policy granting full access (every path, including sudo)
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
vault policy write admin admin-policy.hcl
Create OIDC admin role
vault write auth/oidc/role/admin \
    user_claim="sub" \
    bound_audiences="YOUR_CLIENT_ID" \
    allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="https://vault.example.com/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    token_policies="admin" \
    ttl="1h"
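Because this role hands out a sudo policy on every path, it is worth checking the settings above after writing them. The following audit script is an added example, not part of the original post or of Vault; it assumes the JSON shape returned by `vault read -format=json` and uses constructed config and role documents that mirror the commands on this page (the field names `oidc_client_id`, `bound_audiences`, `allowed_redirect_uris`, `token_policies` and `token_ttl` are the ones Vault's OIDC auth method returns).

```python
# Added example: audit the Vault OIDC config and admin role for common mistakes.
import json
from urllib.parse import urlparse

# Constructed sample of `vault read -format=json auth/oidc/config`
# (the client secret is never returned by Vault).
CONFIG_JSON = json.dumps({"data": {
    "oidc_discovery_url": "https://authentik.company/application/o/vault/",
    "oidc_client_id": "YOUR_CLIENT_ID",
    "default_role": "reader",
    "jwt_supported_algs": ["RS256", "ES256"],
}})

# Constructed sample of `vault read -format=json auth/oidc/role/admin`
ROLE_JSON = json.dumps({"data": {
    "role_type": "oidc",
    "user_claim": "sub",
    "bound_audiences": ["YOUR_CLIENT_ID"],
    "allowed_redirect_uris": [
        "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
        "https://vault.example.com/oidc/callback",
        "http://localhost:8250/oidc/callback",
    ],
    "token_policies": ["admin"],
    "token_ttl": 3600,
}})

MAX_ADMIN_TTL = 3600  # one hour, as configured on the page


def audit_oidc_role(config_json, role_json, max_ttl=MAX_ADMIN_TTL):
    """Return a list of findings; an empty list means every check passed."""
    cfg = json.loads(config_json)["data"]
    role = json.loads(role_json)["data"]
    findings = []
    # 1. Discovery must be fetched over TLS, or the signing keys can be swapped in transit.
    if urlparse(cfg["oidc_discovery_url"]).scheme != "https":
        findings.append("oidc_discovery_url is not https")
    # 2. Tokens must be bound to this client's audience; otherwise an ID token issued
    #    for any other Authentik application would be accepted by this role too.
    if cfg["oidc_client_id"] not in role.get("bound_audiences", []):
        findings.append("bound_audiences does not contain oidc_client_id")
    # 3. Redirect URIs: https only, except the CLI's localhost callback (port 8250 above).
    for uri in role.get("allowed_redirect_uris", []):
        u = urlparse(uri)
        if u.scheme == "http" and u.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"plain-http redirect URI to non-localhost host: {uri}")
        elif u.scheme not in ("http", "https"):
            findings.append(f"unexpected redirect URI scheme: {uri}")
    # 4. A role that grants the sudo/* admin policy should not issue long-lived tokens.
    if "admin" in role.get("token_policies", []) and role.get("token_ttl", 0) > max_ttl:
        findings.append(f"admin token_ttl {role['token_ttl']}s exceeds {max_ttl}s")
    return findings
```

To run it against a live server, replace the two constructed strings with the output of the corresponding `vault read -format=json` commands.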
Next Steps
The implementation is very simple. Feel free to create OIDC providers in Authentik to provide authentication and SSO for your other services.