The JWT authentication method can be used to authenticate to Vault either through OIDC or by presenting a JWT directly. JWT signatures are verified against the issuer's public keys, and those keys can be supplied to Vault in three different ways. Only one of the three may be configured on a single backend:
- Static Keys: A set of public keys is stored directly in the backend configuration.
- JWKS: A JSON Web Key Set (JWKS) URL (and optional certificate chain) is configured. Keys will be fetched from this endpoint during authentication.
- OIDC Discovery: An OIDC Discovery URL (and optional certificate chain) is configured. Keys will be fetched from this URL during authentication. When OIDC Discovery is used, OIDC validation criteria (e.g. iss, aud, etc.) will be applied.
The Static Keys method is the simplest of the three, so this article covers how to set up the Vault JWT auth method with static keys. A separate article covers Vault JWT authentication with OIDC Discovery.
1. Enable JWT auth method
$ vault auth enable jwt
2. Create a policy that will later be attached to a JWT role configuration
$ vault policy write metrics -<<EOF
path "sys/metrics*" {
capabilities = ["read", "list"]
}
EOF
3. Create or use an existing public/private key pair. For demonstration purposes, we create a new RSA key pair with openssl:
$ openssl genrsa -out private_key.pem 2048
$ openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem
4. Configure the JWT auth method with jwt_supported_algs=RS256 and the public key
$ vault write auth/jwt/config jwt_supported_algs=RS256 jwt_validation_pubkeys=@public_key.pem
5. Create a JWT auth role test-role
$ vault write auth/jwt/role/test-role \
    policies="metrics" \
    user_claim="sub" \
    role_type="jwt" \
    bound_audiences="test"
- policies (array: [] or comma-delimited string: "") - List of token policies to encode onto generated tokens.
- user_claim (string: <required>) - The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string.
- role_type (string: <optional>) - Type of role, either "oidc" (default) or "jwt".
- bound_audiences (array: <optional>) - List of aud claims to match against. Any match is sufficient. For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required. Optional for "oidc" roles.
6. Go to jwt.io and change the Algorithm from HS256 to RS256. Nothing needs to be changed in the HEADER section. In the PAYLOAD section, set "iat" to the current epoch time (https://www.epochconverter.com/ can convert it) and set "aud" to the value configured in bound_audiences. Optionally add an "exp" (token expiry) claim; if present, it must be an epoch time in the future, otherwise Vault rejects the token as expired. The finished PAYLOAD should look like this:
{
"aud": "test",
"name": "John Doe",
"iat" : 1605166067,
"exp": 1711815237,
"sub": "sub"
}
7. Lastly, copy the public key from public_key.pem and the private key from private_key.pem into the corresponding fields of the "VERIFY SIGNATURE" section. After pasting both keys, make sure that the status shown for the JWT is Signature Verified.
8. Create a Vault token, copy the JWT string from above Signature Verified and use it for login endpoint on CLI or Vault UI:
$ vault write auth/jwt/login role=test-role jwt=eyJhbGciOiJSUzI1Nxxxxxxxxxxxxxxxxxxx
Key Value
--- -----
token hvs.CAESINMXK0laiZl77W20HPlzwRdPDwxG3vexs70QJqwBxidDGiEKHGh2cy5lZTlRWjFJdDZWWWltSGR3ZkhGbGlCQUsQoQQ
token_accessor YQvLsWj4Cuj4nHKJbyOeS63a
token_duration 768h
token_renewable true
token_policies ["default" "metrics"]
identity_policies []
policies ["default" "metrics"]
token_meta_role test-role
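The same flow as steps 3 to 8, as an added example that is not part of the article or of Vault: a POSIX shell script that mints and verifies the RS256 JWT with openssl only, so the private key never has to be pasted into jwt.io or any other third-party web page. The key file locations (a temp directory), the claim values (aud "test", sub "sub", a 10 minute lifetime) and the function names are assumptions chosen to match test-role above; the local verify_jwt only checks the signature, while Vault additionally validates exp/iat and the role's bound_* claims.

```shell
#!/bin/sh
# Added example (not from the article or Vault): mint an RS256 JWT for
# test-role with openssl, verify it locally, then print the Vault login
# command from step 8. File names and claim values are assumptions.
set -eu

# base64url-encode stdin: base64 with the URL alphabet and no padding.
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# base64url-decode $1 to stdout, restoring the padding openssl expects.
b64url_decode() {
  s=$1
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# mint_jwt PRIVATE_KEY AUD SUB [TTL_SECONDS]
# aud must match bound_audiences and sub is the user_claim of test-role;
# exp must lie in the future or Vault rejects the token.
mint_jwt() {
  key=$1; aud=$2; sub=$3; ttl=${4:-3600}
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"aud":"%s","sub":"%s","iat":%d,"exp":%d}' \
    "$aud" "$sub" "$now" "$((now + ttl))" | b64url)
  # RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_part JWT N -> decoded header (N=1) or payload (N=2) JSON.
jwt_part() {
  jwt=$1
  rest=${jwt#*.}
  case $2 in
    1) b64url_decode "${jwt%%.*}" ;;
    2) b64url_decode "${rest%%.*}" ;;
    *) return 1 ;;
  esac
}

# verify_jwt PUBLIC_KEY JWT -> exit 0 only if the RS256 signature checks out.
# Same check jwt.io performs; Vault also validates exp/iat and bound_* claims.
verify_jwt() {
  pub=$1; jwt=$2
  rest=${jwt#*.}
  sigfile=$(mktemp)
  if ! b64url_decode "${rest#*.}" > "$sigfile"; then
    rm -f "$sigfile"; return 1
  fi
  if printf '%s.%s' "${jwt%%.*}" "${rest%%.*}" \
      | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; return 0
  fi
  rm -f "$sigfile"; return 1
}

# Demo: key pair in a temp dir (same openssl commands as step 3),
# mint, verify, and print the login command from step 8.
demo() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/private_key.pem" -pubout -out "$dir/public_key.pem" 2>/dev/null
  token=$(mint_jwt "$dir/private_key.pem" test sub 600)
  verify_jwt "$dir/public_key.pem" "$token"
  echo "claims: $(jwt_part "$token" 2)"
  echo "public key for step 4: $dir/public_key.pem"
  echo "vault write auth/jwt/login role=test-role jwt=$token"
}
demo
```

Configure Vault with the printed public_key.pem as in step 4, then run the printed vault write command; the response should match the token output shown in step 8, with token_policies containing "metrics".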
Side note: Besides jwt.io, another option for generating a JWT is the JWT Decoder, Verifier, Generator, Decryptor tool listed in the references below; its workflow is very similar to jwt.io. For more information about the structure of a JWT, see the Introduction to JSON Web Tokens reference below.
Related documentation references:
- JWT authentication https://developer.hashicorp.com/vault/docs/auth/jwt#jwt-authentication
- JWT/OIDC Auth Method (API) https://developer.hashicorp.com/vault/api-docs/auth/jwt
- Introduction to JSON Web Tokens https://jwt.io/introduction
- Get started with JWT https://auth0.com/learn/json-web-tokens
- JWT Decoder, Verifier, Generator, Decryptor https://dinochiesa.github.io/jwt/