
Add support for Hashicorp Vault through discovery

Open tdiesler opened this issue 9 months ago • 2 comments

Vault reports its .well-known/openid-configuration like this ...

{
  "issuer": "/v1/identity/oidc/provider/default",
  "jwks_uri": "/v1/identity/oidc/provider/default/.well-known/keys",
  "authorization_endpoint": "/ui/vault/identity/oidc/provider/default/authorize",
  "token_endpoint": "/v1/identity/oidc/provider/default/token",
  "userinfo_endpoint": "/v1/identity/oidc/provider/default/userinfo",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ],
  ...
}

None of the endpoints are URLs and the issuer is indeed the value encoded in the id_token.

I propose a small API change for provider discovery, which allows the use of a provider baseUrl. Yes, we already have the ability to create a new Provider from a given config, which could be used to prefix all of these values with a baseUrl, but it won't work for issuer as this needs to stay as it is.

CrossRef: https://github.com/hashicorp/vault/issues/30117

tdiesler, Mar 28 '25 14:03

Hey! Everything in the spec references full URLs that MUST use the https scheme. Can you please open a bug against Vault and link here? I get a lot of bugs for off spec providers and don't want to add new API surface for each one

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Vault should have to know its own base url to protect against DNS rebinding attacks. Is it hard for them to add this to the discovery doc?

https://project-zero.issues.chromium.org/issues/42450518

ericchiang, Mar 28 '25 15:03
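The workaround tdiesler alludes to (build the provider from a config instead of from discovery) and the spec constraint ericchiang cites (every endpoint MUST be an absolute https URL) can be combined client-side. The following Go program is an added example written for this page, not go-oidc's own code: it parses a discovery document, resolves each endpoint against a caller-supplied base URL with net/url, rejects anything that does not end up https, and copies the issuer through unchanged, since it has to match the "iss" claim in the ID tokens Vault actually mints. The struct it fills mirrors the field names of go-oidc v3's ProviderConfig (IssuerURL, AuthURL, TokenURL, UserInfoURL, JWKSURL, Algorithms) as an assumption to be checked against the version in use; the sample document is a constructed copy of the one quoted in the issue, and vault.example.com:8200 is an assumed deployment address.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// discoveryDoc is the subset of OpenID Provider Metadata this thread is about.
type discoveryDoc struct {
	Issuer                string   `json:"issuer"`
	JWKSURI               string   `json:"jwks_uri"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	SigningAlgs           []string `json:"id_token_signing_alg_values_supported"`
}

// resolvedConfig holds the values a caller would copy into go-oidc's
// ProviderConfig (field names assumed from go-oidc v3). It is a plain struct
// here so the example runs without any third-party dependency.
type resolvedConfig struct {
	IssuerURL   string
	AuthURL     string
	TokenURL    string
	UserInfoURL string
	JWKSURL     string
	Algorithms  []string
}

// resolveDiscovery parses doc and resolves each endpoint against baseURL.
// Endpoints that are already absolute pass through unchanged, so a
// spec-compliant provider is handled identically. The issuer is copied
// verbatim: it must equal the "iss" claim of the ID tokens, which for Vault is
// the relative value shown in the thread, so prefixing it would break
// verification. Every resolved endpoint must be https, as the spec requires.
func resolveDiscovery(doc []byte, baseURL string) (*resolvedConfig, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return nil, fmt.Errorf("base URL: %w", err)
	}
	if base.Scheme != "https" || base.Host == "" {
		return nil, fmt.Errorf("base URL must be absolute https, got %q", baseURL)
	}

	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("discovery document: %w", err)
	}
	if d.Issuer == "" {
		return nil, errors.New("discovery document has no issuer")
	}

	cfg := &resolvedConfig{IssuerURL: d.Issuer, Algorithms: d.SigningAlgs}
	endpoints := []struct {
		name     string
		ref      string
		dst      *string
		optional bool
	}{
		{"authorization_endpoint", d.AuthorizationEndpoint, &cfg.AuthURL, false},
		{"token_endpoint", d.TokenEndpoint, &cfg.TokenURL, false},
		{"jwks_uri", d.JWKSURI, &cfg.JWKSURL, false},
		{"userinfo_endpoint", d.UserinfoEndpoint, &cfg.UserInfoURL, true}, // RECOMMENDED, not REQUIRED
	}
	for _, ep := range endpoints {
		if ep.ref == "" {
			if ep.optional {
				continue
			}
			return nil, fmt.Errorf("discovery document has no %s", ep.name)
		}
		ref, err := url.Parse(ep.ref)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", ep.name, err)
		}
		abs := base.ResolveReference(ref) // relative refs get base's scheme+host; absolute refs are kept
		if abs.Scheme != "https" || abs.Host == "" {
			return nil, fmt.Errorf("%s resolved to non-https URL %q", ep.name, abs.String())
		}
		*ep.dst = abs.String()
	}
	return cfg, nil
}

// sampleDoc is a constructed copy of the Vault discovery output quoted in the
// issue, with the fields hidden behind "..." omitted.
const sampleDoc = `{
  "issuer": "/v1/identity/oidc/provider/default",
  "jwks_uri": "/v1/identity/oidc/provider/default/.well-known/keys",
  "authorization_endpoint": "/ui/vault/identity/oidc/provider/default/authorize",
  "token_endpoint": "/v1/identity/oidc/provider/default/token",
  "userinfo_endpoint": "/v1/identity/oidc/provider/default/userinfo",
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "EdDSA"]
}`

func main() {
	// vault.example.com:8200 is an assumed address, not one from the thread.
	cfg, err := resolveDiscovery([]byte(sampleDoc), "https://vault.example.com:8200")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("issuer (unchanged): %s\ntoken_endpoint: %s\njwks_uri: %s\n",
		cfg.IssuerURL, cfg.TokenURL, cfg.JWKSURL)
}
```

The resulting values are what you would hand to a config-based provider constructor so that token verification checks "iss" against the relative issuer while HTTP calls go to absolute https endpoints; note that this only papers over the server-side gap, and the base URL you pass is trusted input (it decides which host receives the client's token requests), so it belongs in operator configuration, not in anything derived from the discovery response.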

@tdiesler Just since I stumbled across this in the context of OpenBao, note that this usually means you haven't set an API address (api_addr) in your configuration file.

Per (MPL-licensed) code:

https://github.com/openbao/openbao/blob/b9ff7c9bfcf5d01958481e101e9f12c708b19698/vault/identity_store_oidc_provider.go#L1581-L1586

This is set to the core's redirect address:

https://github.com/openbao/openbao/blob/b9ff7c9bfcf5d01958481e101e9f12c708b19698/vault/identity_store.go#L67

which eventually comes from that API parameter (via vault/core.go and command/server.go + command/server/config.go).

We have an issue to clean up what these parameters mean: https://github.com/openbao/openbao/issues/2007

cipherboy, Nov 06 '25 14:11