
JWT role configuration does not require redirect URIs to be passed

Open jxsl13 opened this issue 3 years ago • 4 comments

This should be enough to configure JWT roles, as they are not OIDC roles which require you to use your browser and redirect back to your vault instance. The current implementation requires the URIs to be passed for both OIDC and JWT role creation.

- name: create {{ item }} jwt role
  hashivault_oidc_auth_role:
    name: "{{ item }}"
    mount_point: jwt
    # actual payload values below
    user_claim: sub
    bound_audiences:
      - "{{ keycloak.client_id }}"
    token_policies:
      - "{{ item }}"
    groups_claim: "/resource_access/{{ keycloak.client_id }}/roles"
    bound_claims:
      "/resource_access/{{ keycloak.client_id }}/roles":
        - "{{ item }}"
  environment: "{{ remote_env }}"
  with_items: "{{ policies.names }}"

analog example with a bash script:

#!/bin/bash
set -euo pipefail

# source environment variables & login as root user
source scripts/env.sh
source scripts/local_login.sh

DISCOVERY_URL="$KEYCLOAK_URL/realms/$REALM"
JWKS_URL="$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/certs"

# configure JWT auth method: tokens are accepted only if their iss claim
# matches bound_issuer and their signature verifies against a key from jwks_url
vault write auth/jwt/config \
    default_role="reader" \
    bound_issuer="$DISCOVERY_URL" \
    jwks_url="$JWKS_URL"

# create reader role ("-" tells vault to read the JSON body from stdin)
vault write auth/jwt/role/reader -<<EOF
{
  "user_claim": "sub",
  "role_type": "jwt",
  "bound_audiences": "$CLIENT_ID",
  "policies": "reader",
  "ttl": "1h",
  "groups_claim": "/resource_access/$CLIENT_ID/roles",
  "bound_claims": { "/resource_access/$CLIENT_ID/roles": ["reader"] },
  "verbose_oidc_logging": true
}
EOF

vault read auth/jwt/role/reader

# create manager role
vault write auth/jwt/role/manager -<<EOF
{
  "user_claim": "sub",
  "role_type": "jwt",
  "bound_audiences": "$CLIENT_ID",
  "policies": "manager",
  "ttl": "1h",
  "groups_claim": "/resource_access/$CLIENT_ID/roles",
  "bound_claims": { "/resource_access/$CLIENT_ID/roles": ["manager"] },
  "verbose_oidc_logging": true
}
EOF

vault read auth/jwt/role/manager

jxsl13, May 12 '21 09:05

workaround:

- name: create {{ item }} jwt role
  hashivault_oidc_auth_role:
    name: "{{ item }}"
    mount_point: jwt
    # actual payload values below
    user_claim: sub
    bound_audiences:
      - "{{ keycloak.client_id }}"
    token_policies:
      - "{{ item }}"
    groups_claim: "/resource_access/{{ keycloak.client_id }}/roles"
    bound_claims:
      "/resource_access/{{ keycloak.client_id }}/roles":
        - "{{ item }}"
    allowed_redirect_uris: []  # THIS HERE <------------------------------------------------
  environment: "{{ remote_env }}"
  with_items: "{{ policies.names }}"

jxsl13, May 12 '21 09:05

The creation of JWT roles seemingly does not properly check the existence of those roles, as the equivalent creation of OIDC roles returns an 'ok' state, contrary to the 'changed' state of the JWT role creation.

jxsl13, May 12 '21 10:05

Depending on the circumstances, another workaround might be

allowed_redirect_uris: ""

jxsl13, May 12 '21 12:05

I don't think this module should validate the correctness of the request in this case. It should just make allowed_redirect_uris optional and let Vault validate.

TerryHowe, May 12 '21 13:05
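Added example, not code from ansible-modules-hashivault (the module's own implementation is not shown on this page): the Python below sketches the two behaviours the thread asks for. `build_role_payload` sends `allowed_redirect_uris` only when the playbook sets it, so a JWT role can be written without it and an OIDC role that lacks it is rejected by Vault rather than by the module; `role_needs_update` compares the desired payload with the role Vault already stores, normalising comma-separated strings, durations such as "1h" versus 3600, and empty/absent values, so an unchanged JWT role reports ok instead of changed. The function names, `CURRENT_READER` (a constructed sample of a `vault read` response for the reader role above) and the client id `vault-client` are assumptions made for this example.

```python
import re

# Role parameters Vault accepts as lists or as comma-separated strings
# (the bash script above passes "bound_audiences": "$CLIENT_ID" as a string).
LIST_PARAMS = ("bound_audiences", "token_policies", "policies", "allowed_redirect_uris")
# Parameters Vault stores as seconds but accepts as durations like "1h".
DURATION_PARAMS = ("ttl", "max_ttl", "token_ttl", "token_max_ttl", "period", "token_period")
_DURATION = re.compile(r"(\d+)([smhd])")


def _as_list(value):
    """Normalise a list parameter: None/"" -> [], "a,b" -> ["a", "b"], list -> list."""
    if value is None or value == "":
        return []
    if isinstance(value, str):
        return [s.strip() for s in value.split(",") if s.strip()]
    return list(value)


def _as_seconds(value):
    """Normalise a duration: 3600 -> 3600, "3600" -> 3600, "1h30m" -> 5400."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration {value!r}")
    return sum(int(n) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[u] for n, u in parts)


def build_role_payload(role_type="jwt", allowed_redirect_uris=None, **params):
    """Return the JSON body for POST auth/<mount>/role/<name> (hypothetical helper).

    allowed_redirect_uris is optional for every role_type: it is included only
    when non-empty, so JWT roles need not pass it and Vault itself rejects an
    OIDC role that omits it.
    """
    payload = {"role_type": role_type}
    for key, value in params.items():
        if value is None:
            continue
        payload[key] = _as_list(value) if key in LIST_PARAMS else value
    uris = _as_list(allowed_redirect_uris)
    if uris:
        payload["allowed_redirect_uris"] = uris
    return payload


def role_needs_update(desired, current):
    """Return the keys of `desired` whose value differs from the stored role.

    `current` is the data of GET auth/<mount>/role/<name>, or None if the role
    does not exist. Only keys present in `desired` are compared, because Vault
    fills in defaults the playbook never set; lists, durations and empty values
    are normalised so a JWT role without redirect URIs is not "changed" every run.
    """
    if current is None:
        return sorted(desired)
    changed = []
    for key, want in desired.items():
        have = current.get(key)
        if key in DURATION_PARAMS:
            want, have = _as_seconds(want), _as_seconds(0 if have is None else have)
        elif key in LIST_PARAMS or isinstance(want, list) or isinstance(have, list):
            want, have = sorted(_as_list(want)), sorted(_as_list(have))
        elif want in ("", None):
            want, have = None, (None if have in ("", None) else have)
        if want != have:
            changed.append(key)
    return changed


# Constructed sample (not a real capture) of `vault read -format=json
# auth/jwt/role/reader` for the reader role from the script above.
CURRENT_READER = {
    "role_type": "jwt",
    "user_claim": "sub",
    "bound_audiences": ["vault-client"],
    "groups_claim": "/resource_access/vault-client/roles",
    "bound_claims": {"/resource_access/vault-client/roles": ["reader"]},
    "token_policies": ["reader"],
    "policies": ["reader"],
    "ttl": 3600,
    "token_ttl": 3600,
    "max_ttl": 0,
    "token_type": "default",
    "allowed_redirect_uris": None,
    "verbose_oidc_logging": True,
}


def example():
    """Build the reader role as the playbook would and diff it against Vault."""
    client_id = "vault-client"  # stands in for keycloak.client_id / $CLIENT_ID
    desired = build_role_payload(
        role_type="jwt",
        user_claim="sub",
        bound_audiences=client_id,  # string form, as in the bash script
        token_policies=["reader"],
        ttl="1h",
        groups_claim=f"/resource_access/{client_id}/roles",
        bound_claims={f"/resource_access/{client_id}/roles": ["reader"]},
        verbose_oidc_logging=True,
    )
    return desired, role_needs_update(desired, CURRENT_READER)


if __name__ == "__main__":
    payload, diff = example()
    print("payload:", payload)
    print("changed keys:", diff or "none (role is up to date)")
```

With this shape the module would write the role only when `role_needs_update` returns a non-empty list, and the `allowed_redirect_uris: []` / `""` workarounds from the thread become unnecessary because an empty value is simply not sent.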