Introduction
This article explains why identity policies may be missing from a token, even when the policy was initially attached during token generation.
Prerequisites
HashiCorp Vault
Identity Provider (Okta for this article)
Scenario
1. At the Identity Provider (IDP) level, two groups exist. A user named Thea is a member of both groups.
2. An external group is created in Vault and assigned the admin policy.
3. The user Thea logs in via the OIDC authentication method using a configured role. Upon successful authentication, a token is issued, and the vault token lookup command confirms that the admin identity policy is attached:
[root@ip-172-31-28-0 ~]# vault token lookup <token>
identity_policies [admin dev vault-policy-developer-read]
4. The user is then removed from the group at the IDP level. The existing token remains valid. However, on the next login attempt via OIDC, Vault performs a background refresh of the user's group memberships. If the user is no longer found in the corresponding group, Vault removes the group membership and detaches the associated identity policies. This behavior can be observed in Vault trace logs:
[DEBUG] identity: refreshing external group memberships: entity_id=<user entity id>
[DEBUG] identity: removing member entity ID from external group: <group_id>
5. A lookup on the same token now shows that the admin policy has been removed, although the token remains valid:
identity_policies ["dev" "vault-policy-developer-read"]
policies ["default" "dev" "vault-policy-developer-read"]
6. If the user is re-added to the group at the IDP with the same identity, and the token is renewed, Vault once again refreshes the group memberships. The user is re-associated with the external group, and the admin identity policy is reattached to the token:
[DEBUG] identity: adding member entity ID to external group: <group id>
7. Token lookup now reflects the updated identity policies:
identity_policies ["admin" "dev" "vault-policy-developer-read"]
policies ["admin" "default" "dev" "vault-policy-developer-read"]
Conclusion
Vault actively refreshes group membership for external identity groups during subsequent authentication or token renewal. Based on the current state of group membership at the IDP level, Vault dynamically adds or removes associated identity policies from the token. This ensures that permissions are consistent with the user's current group memberships.
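As an added illustration (not Vault's own code and not part of the original article), the following simplified Python model shows how the external-group refresh described above changes the identity policies an entity inherits, plus a small check for comparing the identity_policies of a real token lookup against what a role is expected to carry. The group names, policy lists and entity ID are constructed sample values.

```python
"""Simplified model of Vault's external identity-group refresh on login or
token renewal. Constructed illustration; not Vault's implementation."""
from dataclasses import dataclass, field


@dataclass
class ExternalGroup:
    name: str                                  # Vault external group name
    alias: str                                 # group alias == IDP group name
    policies: list                             # policies attached to the group
    members: set = field(default_factory=set)  # entity IDs currently members


@dataclass
class Entity:
    entity_id: str
    token_policies: list = field(default_factory=list)  # policies from the OIDC role


def refresh_external_groups(entity, idp_groups, external_groups):
    """Mimic the refresh Vault runs on each OIDC login / token renewal:
    the entity is added to every external group whose alias appears in the
    IDP groups claim and removed from every group it no longer matches.
    Returns the identity policies the entity inherits afterwards."""
    identity_policies = set()
    for group in external_groups:
        if group.alias in idp_groups:
            group.members.add(entity.entity_id)
            identity_policies.update(group.policies)
        else:
            # user left the IDP group: membership and its policies are dropped
            group.members.discard(entity.entity_id)
    return sorted(identity_policies)


def effective_token_policies(entity, identity_policies):
    """What 'vault token lookup' lists under 'policies': 'default' plus the
    role's token policies plus the inherited identity policies."""
    return sorted({"default", *entity.token_policies, *identity_policies})


def missing_identity_policies(expected, lookup_identity_policies):
    """Given the identity_policies field of a real 'vault token lookup
    -format=json' result, report which expected policies are no longer
    attached, i.e. which group membership the IDP refresh has removed."""
    return sorted(set(expected) - set(lookup_identity_policies))
```

A missing policy returned by the check points at an IDP group the user has left rather than at a problem with the token itself.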