# Vault OpenID Demo
Vault 1.1.0 introduced OIDC Redirect Flow Support, allowing authentication through the browser. This repository describes the steps to integrate this feature so you can authenticate to Vault with a Gmail address.

![alt text](img/VaultOIDCCat.gif)

## Requirements
- Vault server with a "demo" ACL policy
- A domain name for Vault
- Google account

## Configure Vault Domain
You can use any registrar; there are no specific requirements. If you decide to use AWS Route53:
1. Log in to AWS, go to Route53
2. Create a Hosted Zone if none exists
3. Click on the existing Hosted Zone
4. Click Create Record Set
5. Enter a name and update the IP value, as shown here:

![alt text](img/route53.png)

6. Throughout this repo, assume that "YOUR_VAULT_ADDR" is this address (scheme, host and port), for example:
```
YOUR_VAULT_ADDR=http://stenio.vault.hashidemos.io:8200
```

## Configure Google
Go to https://console.developers.google.com/apis/credentials/ and log in if needed.
### Consent Screen
1. Click on the "OAuth consent screen" tab:

![alt text](img/consent.png)

2. Enter a name and, optionally, upload a picture to show on the consent screen
3. Scopes: email, profile, openid
4. Under "Authorized domains", enter the domain of your Vault server, for example myvault.com
5. Enter the application homepage and privacy link (optional)
6. Press "Save"
## Create Credentials
1. Now click on the "Credentials" tab:

![alt text](img/credentials.png)

2. Click "Create credentials > OAuth client ID"
3. Select "Web application" and give it a name
4. Under "Authorized redirect URIs", enter "YOUR_VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" (with the example address above this is http://stenio.vault.hashidemos.io:8200/ui/vault/auth/oidc/oidc/callback)
5. Press Save
6. Note the Client ID and Client Secret that are displayed; you will use them in the next step when configuring Vault

## Configure Vault
1. Enable the oidc auth method and configure it with the Google client information (the values are plain `key=value` pairs, with no trailing commas):
```
vault auth enable oidc

vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="YOUR_GOOGLE_API_CLIENT_ID" \
    oidc_client_secret="YOUR_GOOGLE_API_CLIENT_SECRET" \
    default_role="gmail"
```
2. Create a role to use for authentication. You can be as restrictive as desired by using the different "bound" fields, which let you specify values that must be present in the token from Google in order to allow authentication. [Here](https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo) is the documentation on the claims and values sent by Google, and [here](https://www.vaultproject.io/api/auth/jwt/index.html#create-role) the information on the bound fields. List-valued fields such as `bound_audiences` and `allowed_redirect_uris` take comma-separated strings:
```
vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences="YOUR_GOOGLE_API_CLIENT_ID" \
    allowed_redirect_uris="$YOUR_VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
    policies="demo" \
    ttl="1h"
```

## Login
1. Go to the Vault UI
2. Select "OIDC auth"
3. Enter the role you want to log in to Vault with. In this example we only have one role, but multiple roles can be created and associated with different claims and bounds as needed.
4. Log in!
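To make the "bound" fields in the `gmail` role concrete, here is an added example (not code from the vault-oidc-demo repository) that models the checks Vault applies to a Google ID token and to the callback URL during this login. It shows that the role above only pins the audience (your client ID) and the exact callback URL, so any Google account can obtain the `demo` policy, and how a `bound_claims` entry on the `hd` claim (assumed Workspace domain `example.com`) narrows that. The token payload, the `example.com` domain and the callback host are constructed sample values; the function names are this example's own.

```python
"""Added example, not part of the vault-oidc-demo repository: models the checks
the 'gmail' role applies to a (signature-verified) Google ID token payload and
to the OIDC callback URL, so each 'bound' field's effect is visible."""
from __future__ import annotations

import time
from typing import Any, Mapping
from urllib.parse import urlparse

# oidc_discovery_url configured on the auth mount; tokens must carry it as 'iss'.
GOOGLE_ISSUER = "https://accounts.google.com"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def token_rejections(claims: Mapping[str, Any], role: Mapping[str, Any],
                     now: float | None = None) -> list[str]:
    """Return the reasons an ID token payload fails the role (empty == allowed).

    `role` mirrors the fields of auth/oidc/role/<name>: user_claim,
    bound_audiences and the optional bound_claims map.
    """
    now = time.time() if now is None else now
    problems: list[str] = []

    if claims.get("iss") != GOOGLE_ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != {GOOGLE_ISSUER}")

    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")

    # Google sets aud to the OAuth client ID; it must intersect bound_audiences.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if not set(aud_list) & set(role["bound_audiences"]):
        problems.append(f"aud {aud!r} not in bound_audiences")

    # user_claim names the claim that becomes the Vault entity alias; it must exist.
    if not claims.get(role["user_claim"]):
        problems.append(f"user_claim {role['user_claim']!r} missing from token")

    # bound_claims: each listed claim must equal one of the allowed values
    # (simple values are compared as strings).
    for name, allowed in role.get("bound_claims", {}).items():
        actual = claims.get(name)
        if actual is None or str(actual) not in {str(v) for v in allowed}:
            problems.append(f"claim {name!r}={actual!r} not in {list(allowed)}")
    return problems


def redirect_allowed(redirect_uri: str, allowed: list[str]) -> bool:
    """allowed_redirect_uris is an exact-match allow list, not a prefix match.

    Only loopback addresses are compared without regard to port (RFC 8252),
    which is what lets a CLI's local callback listener use any free port.
    """
    parsed = urlparse(redirect_uri)
    if parsed.hostname not in LOOPBACK_HOSTS:
        return redirect_uri in allowed
    for candidate in allowed:
        c = urlparse(candidate)
        if c.hostname in LOOPBACK_HOSTS and \
                (c.scheme, c.hostname, c.path) == (parsed.scheme, parsed.hostname, parsed.path):
            return True
    return False


# Constructed values: the README's example Vault address and its UI callback.
CALLBACK = "http://stenio.vault.hashidemos.io:8200/ui/vault/auth/oidc/oidc/callback"

# The 'gmail' role from the README, plus a tighter variant that additionally
# requires the Google Workspace domain 'example.com' via the 'hd' claim.
GMAIL_ROLE = {
    "user_claim": "sub",
    "bound_audiences": ["YOUR_GOOGLE_API_CLIENT_ID"],
    "allowed_redirect_uris": [CALLBACK],
    "policies": ["demo"],
}
WORKSPACE_ROLE = {**GMAIL_ROLE, "bound_claims": {"hd": ["example.com"]}}

# Constructed sample payload of a Google ID token for a plain gmail.com account
# (no 'hd' claim); signature verification is assumed to have happened already.
SAMPLE_CLAIMS = {
    "iss": GOOGLE_ISSUER,
    "aud": "YOUR_GOOGLE_API_CLIENT_ID",
    "sub": "110169484474386276334",   # constructed, not a real account
    "email": "someone@gmail.com",
    "email_verified": True,
    "exp": 4102444800,                # 2100-01-01, so the sample never expires
}

if __name__ == "__main__":
    print("gmail role:", token_rejections(SAMPLE_CLAIMS, GMAIL_ROLE) or "allowed")
    print("workspace role:", token_rejections(SAMPLE_CLAIMS, WORKSPACE_ROLE) or "allowed")
    print("callback ok:", redirect_allowed(CALLBACK, GMAIL_ROLE["allowed_redirect_uris"]))
```

Running it shows the sample gmail.com token is accepted by the `gmail` role and rejected by the Workspace-bound role, and that a callback URL only passes when it matches an entry of `allowed_redirect_uris` exactly. The same `bound_claims` map is what you would add to the `vault write auth/oidc/role/gmail` command to restrict logins beyond the audience check.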