The jwt auth method can be used to authenticate with Vault using OIDC or by providing a JWT. The keys used to verify a JWT can be supplied in the following three ways; this article covers how to set up the Vault JWT auth method with an OIDC Discovery URL that uses Azure Active Directory.
- Static Keys: A set of public keys is stored directly in the backend configuration.
- JWKS: A JSON Web Key Set (JWKS) URL (and optional certificate chain) is configured. Keys will be fetched from this endpoint during authentication.
- OIDC Discovery: An OIDC Discovery URL (and optional certificate chain) is configured. Keys will be fetched from this URL during authentication. When OIDC Discovery is used, OIDC validation criteria (e.g. iss, aud, etc.) will be applied.
Step 1. Enable the JWT authentication method and configure it with the OIDC Discovery URL. For Azure Active Directory the endpoint URL will look like oidc_discovery_url="https://login.microsoftonline.com/{tenant_id}/v2.0". The {tenant_id} can be found in Azure Active Directory, Overview tab.
vault auth enable jwt
vault write auth/jwt/config \
oidc_discovery_url="https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b3xxxxxxxx/v2.0" \
default_role="reader" \
bound_issuer="https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b3xxxxxxxx/v2.0"
Step 2. Register a JWT role named reader; role_type needs to be set to jwt. bound_audiences is required for JWT roles; the {Application (client) ID} can be found in the Azure app registration, Overview tab, under Application (client) ID.
vault write auth/jwt/role/reader \
bound_audiences="{Application (client) ID}" \
allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
policies="default" \
bound_issuer=https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33xxxxxxxx/v2.0 \
role_type=jwt \
user_claim="sub"
Step 3. To get a JWT token from Azure AD, edit and then execute the request below in a browser, setting response_type to id_token. Submit the request on a single line, since it is a URL:
https://login.microsoftonline.com/<tenant_ID>/oauth2/v2.0/authorize?
client_id=da5daf42-xxxx-xxxx-xxxxxx04a52 //your Application(client)ID
&response_type=id_token //Required
&redirect_uri=https://jwt.io //your Redirect URL
&response_mode=fragment
&scope=openid+profile+email
&state=12345
&nonce=678910
Example finished sign-in request:
https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b3xxxxxxxx/oauth2/v2.0/authorize?client_id=3f6d0dd9-b28a-47a2-9c0b-d4c1bxxxxxxxx&response_type=id_token&redirect_uri=https://jwt.io&response_mode=fragment&scope=openid+profile+email&state=12345&nonce=678910
Step 4. Go to Azure Active Directory -> App Registrations -> Your App -> Authentication -> Enable ID tokens (Under Implicit grant and hybrid flows) -> Save.
From the same App Authentication page, go to Platform configurations -> + Add a platform -> Web -> Add redirect URIs -> Configure. Add the three URIs below: the first two are for Vault UI access and the Vault CLI redirect, and the last is an optional jwt.io URL for obtaining the encoded token, which jwt.io can present in a decoded, visual form.
- http://localhost:8200/ui/vault/auth/oidc/oidc/callback
- http://localhost:8250/oidc/callback
- https://jwt.io
Go to App Registrations -> API permissions -> + Add a permission. Set API permissions by adding a Microsoft Graph Application permission and selecting GroupMember.Read.All.
Step 5. Execute the sign-in request from Step 3 in the browser; it will ask you to sign in. After a successful sign-in, it will redirect to https://jwt.io with the JWT token shown in the web page. You can verify this JWT token further in the Decode and Claims tabs.
Step 6. Copy the JWT token shown on jwt.io and use it with the command vault write auth/jwt/login role=reader jwt={your-JWT-token-here}. You should get a successful login output with a Vault token:
vault write auth/jwt/login role=reader jwt=eyJ0eXAi.....
Key                  Value
---                  -----
token                hvs.CAESIJ1FbwO92N2lNeJkp20jKyVhtLobPiL6l7eDAy7c1TPBGiEKHGh2cy5ob3ZrS2hGRHJycnpKUENkWUxJQ0tId0IQmwI
token_accessor       brn8ZBfmIyXTncgHsFjV2ZwE
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_role      reader
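The following Python script is an added example, not code from the HashiCorp article or from Vault itself. It covers two of the steps above: it builds the Step 3 sign-in request with a freshly generated state and nonce instead of the fixed values 12345 and 678910, and before Step 6 it pre-checks the id_token's claims against the values the reader role binds (bound_issuer, bound_audiences, user_claim, plus exp/nbf and the nonce). The tenant and client IDs are constructed placeholders, and the token signature is deliberately not verified here; Vault verifies it with the keys fetched from oidc_discovery_url, so this check only helps explain a "claim does not match" style rejection at login.

```python
"""Build the Azure AD id_token sign-in URL and pre-check the returned token's
claims against a Vault JWT role configuration (stdlib only, runs offline)."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed placeholders, not real Azure identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
BOUND_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def build_signin_url(tenant_id, client_id, redirect_uri="https://jwt.io"):
    """Return (url, state, nonce) for the implicit id_token request of Step 3.
    state and nonce are random per request so the callback can be tied to it."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": "openid profile email",   # urlencode renders this as openid+profile+email
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE.format(tenant=tenant_id) + "?" + urlencode(params), state, nonce


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Split a compact JWT into (header, claims) dicts. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def precheck_claims(token, bound_issuer, bound_audiences, user_claim="sub",
                    expected_nonce=None, now=None):
    """Return a list of mismatches between the token and the role settings.
    An empty list means the claim-level checks Vault applies at login should
    pass; key and signature validation is still done by Vault."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    errors = []
    if header.get("alg") == "none":
        errors.append("alg=none is never acceptable")
    if claims.get("iss") != bound_issuer:
        errors.append(f"iss {claims.get('iss')!r} != bound_issuer {bound_issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if not set(aud) & set(bound_audiences):
        errors.append(f"aud {aud!r} not in bound_audiences {list(bound_audiences)!r}")
    if user_claim not in claims:
        errors.append(f"user_claim {user_claim!r} missing from token")
    if "exp" not in claims or claims["exp"] <= now:
        errors.append("token expired or has no exp")
    if claims.get("nbf", 0) > now:
        errors.append("token not yet valid (nbf in the future)")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        errors.append("nonce does not match the sign-in request")
    return errors


def make_test_token(claims, alg="RS256"):
    """Constructed test data: a compact JWT with a dummy signature segment.
    Real Azure AD id_tokens are RS256-signed; this only exercises claim checks."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.dummysignature"


if __name__ == "__main__":
    url, state, nonce = build_signin_url(TENANT_ID, CLIENT_ID)
    print("open in browser:", url)
    # Simulate the token that would come back in the URL fragment.
    token = make_test_token({"iss": BOUND_ISSUER, "aud": CLIENT_ID, "sub": "user-oid",
                             "exp": int(time.time()) + 3600, "nonce": nonce})
    print("mismatches:", precheck_claims(token, BOUND_ISSUER, [CLIENT_ID],
                                          expected_nonce=nonce) or "none")
```

Run it, open the printed URL, then paste the real id_token from the jwt.io fragment into precheck_claims with the same bound_issuer and bound_audiences you gave the reader role; any entry in the returned list is the claim Vault will reject on vault write auth/jwt/login.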
Related documentation references:
- JWT authentication https://developer.hashicorp.com/vault/docs/auth/jwt#jwt-authentication
- JWT/OIDC Auth Method (API) https://developer.hashicorp.com/vault/api-docs/auth/jwt
- Azure Send the sign-in request https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request
- Introduction to JSON Web Tokens https://jwt.io/introduction
- Get started with JWT https://auth0.com/learn/json-web-tokens
- JWT Decoder, Verifier, Generator, Decryptor https://dinochiesa.github.io/jwt/