
Feature Request: Github as OIDC provider with HashiCorp Vault

Open ghost opened this issue 2 years ago • 5 comments

Hi Team,

I am using Vault in my organization as a secret manager and we are trying to use the OIDC auth method. Currently, I can see GitHub can't be used as a Vault OIDC provider: https://www.vaultproject.io/docs/auth/jwt/oidc-providers

As we are using GitHub Enterprise in our org, I wanted to know if Vault is planning to support GitHub as an OIDC provider in the near future?

Thanks!

ghost, Jul 14 '22 18:07

(Note: I'm not a HashiCorp employee, just an interested community member.)

You'd need to clarify what you're asking for:

  • GitHub already supports OIDC, but only for GitHub Actions runs, and publishes how to integrate it with Vault: https://docs.github.com/en/[email protected]/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#adding-the-identity-provider-to-hashicorp-vault

  • HOWEVER, GitHub doesn't actually support OIDC for authenticating humans. For that, it only supports OAuth, an older protocol. OIDC includes much of OAuth, but also other extensions too, and since the Vault auth method is an OIDC auth method, it's not capable of interfacing with a plain OAuth provider, like GitHub offers for humans.

(It would be possible to write a GitHub OAuth auth provider Vault plugin, and it could probably re-use a lot of code from the existing OIDC auth method, and it could look very similar to users, but it wouldn't technically be OIDC.)

maxb, Jul 17 '22 10:07
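The first bullet above is the case that does work today: a GitHub Actions run presents an OIDC ID token (a signed JWT with iss, aud, sub, exp and GitHub-specific claims such as repository and ref) and Vault's jwt auth method verifies it and maps it to a role. What makes that role safe is the bound claims: without them, any repository whose workflow requests a token with the same audience can log in. The following is an added example, not code from this thread, from Vault or from GitHub. It reproduces the checks a Vault jwt role performs (signature, issuer, audience, expiry, then bound_claims with glob matching) so the ID-token structure that plain OAuth lacks can be seen end to end. Assumptions: the tokens are constructed here and signed with HS256 and a shared secret purely so the example runs offline with the standard library; real GitHub Actions tokens are RS256-signed and Vault fetches the public keys from the issuer's JWKS endpoint. The role values (audience, repository pattern, policy name) are hypothetical.

```python
"""Added example: what Vault's jwt auth does with a GitHub Actions OIDC token.

CONSTRUCTED tokens signed with HS256 + a shared secret stand in for the
RS256/JWKS setup GitHub really uses; everything else mirrors the checks a
Vault jwt role applies (signature, iss, aud, exp, bound_claims).
"""
import base64
import fnmatch
import hashlib
import hmac
import json
import time

ISSUER = "https://token.actions.githubusercontent.com"   # real GitHub Actions issuer
SECRET = b"example-shared-secret"   # hypothetical; stands in for the JWKS public key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a JWT the way the issuer would (HS256 here, RS256 in reality)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, audience: str, secret: bytes = SECRET, now=None) -> dict:
    """Signature, pinned alg, iss, aud and exp checks; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def bound_claims_match(claims: dict, bound: dict, glob: bool = False) -> bool:
    """Vault bound_claims semantics: every bound key must be present in the token and
    at least one of its values must match one allowed value (glob patterns if glob=True)."""
    for key, allowed in bound.items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        value = claims.get(key)
        if value is None:
            return False
        values = value if isinstance(value, list) else [value]
        if glob:
            ok = any(fnmatch.fnmatchcase(str(v), str(pat)) for v in values for pat in allowed)
        else:
            ok = any(v in allowed for v in values)
        if not ok:
            return False
    return True


def vault_login(token: str, role: dict, now=None) -> dict:
    """Emulates `vault write auth/jwt/login role=... jwt=...` for one role."""
    claims = verify_token(token, role["bound_audiences"], now=now)
    if not bound_claims_match(claims, role["bound_claims"], role.get("glob", False)):
        raise PermissionError("claims do not satisfy role bindings")
    return {"user": claims[role["user_claim"]], "policies": role["token_policies"]}


def try_login(token: str, role: dict, now=None) -> dict:
    try:
        return vault_login(token, role, now=now)
    except (ValueError, PermissionError) as e:
        return {"error": str(e)}


# Hypothetical role: only main-branch runs of repositories under the acme org.
ROLE = {
    "bound_audiences": "https://github.com/acme",   # the `audience:` the workflow requests
    "bound_claims": {"repository": "acme/*", "ref": "refs/heads/main"},
    "glob": True,                                   # bound_claims_type = "glob"
    "user_claim": "repository",
    "token_policies": ["ci-read"],
}

# Constructed sample tokens (fixed clock so the example is deterministic).
NOW = 1_700_000_000
_BASE = {"iss": ISSUER, "aud": "https://github.com/acme", "exp": NOW + 600,
         "sub": "repo:acme/app:ref:refs/heads/main", "ref": "refs/heads/main"}
GOOD_TOKEN = make_token({**_BASE, "repository": "acme/app"})
FORK_TOKEN = make_token({**_BASE, "repository": "evil/app",
                         "sub": "repo:evil/app:ref:refs/heads/main"})
BRANCH_TOKEN = make_token({**_BASE, "repository": "acme/app", "ref": "refs/heads/feature"})
FORGED_TOKEN = make_token({**_BASE, "repository": "acme/app"}, secret=b"not-the-issuer-key")

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("fork", FORK_TOKEN),
                      ("branch", BRANCH_TOKEN), ("forged", FORGED_TOKEN)]:
        print(name, try_login(tok, ROLE, now=NOW))
```

The point to take from the fork and branch cases is that audience alone is not a boundary: any public repository can ask GitHub for a token with your audience, so a jwt role without bound_claims (or a bound_subject) on repository, ref or environment is effectively open to the world.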

Thanks for the reply @maxb!

Actually, I was looking for the 2nd use case, i.e. how we can leverage GitHub Apps as an OIDC provider with Vault authentication, just like we can use Auth0, GitLab, etc. as the OIDC provider, where we can create different applications (inside Auth0) for different teams in my organization, each having a unique client ID and secret, and that too programmatically.

I also tried the whole authentication scenario using the Auth0 provider. (https://www.vaultproject.io/docs/auth/jwt/oidc-providers/auth0)

Goal:

  1. To use GitHub Apps as the OIDC provider, so I could create different GitHub Apps for different teams in my organization.
  2. This way, each team could authenticate using OIDC programmatically and access Vault to get the secrets.

Thanks!

anmolsaini-hpe, Jul 18 '22 13:07

Actually my second scenario was just about humans.

Since you're talking about GitHub apps, that would be a third separate scenario.

I'm not aware of GitHub apps having an OIDC identity that they can use to authenticate to third party software like Vault, so I don't think what you describe is possible.

Why do you even want to involve GitHub in this at all? It seems all you want is some arbitrary credentials to log into Vault for automation - that's a classic case for the Vault approle auth method.

maxb, Jul 18 '22 19:07

"It seems all you want is some arbitrary credentials to log into Vault for automation - that's a classic case for the Vault approle auth method" - that's right. AppRole seems to be the only option in this case.

"Why do you even want to involve GitHub in this at all?" - I tried the whole OIDC authentication flow using Auth0 and it works perfectly fine, although I tried this scenario for human users and not programmatically. My organization uses GitHub Enterprise, and if GitHub Apps worked, this would be super easy to use and maintain.

anmolsaini-hpe, Jul 18 '22 20:07

Yes, but Auth0 is a general-purpose OIDC provider, and GitHub... isn't. So you can't use it as one.

maxb, Jul 18 '22 21:07

We also use GitHub for login in several services, for instance Rancher. It's convenient, especially for external people, because most already have a GitHub account, so it's just a matter of getting their handle. We would really like to use GitHub in an OIDC flow so we can use Vault as an IdP for all services directly, allowing people to log in using GitHub if they already have an account.

I think I implemented something like this specifically for GitHub a few years ago, and if I remember correctly, it was a basic OAuth 2.0 flow without OpenID Connect on top of it, enough at least to get an Entity Alias in Vault to link to an actual local user.

We're interested in using Vault as an IdP because it's lightweight, easier to integrate and has a nicer API than some of the other IdP-as-a-product software.

wvh, Oct 16 '22 19:10

I will go ahead and close this issue for now, as it is something of a niche request and other options exist. If, in time, this becomes a larger ask or the benefit becomes broader, we can re-evaluate it. Thanks for your understanding!

heatherezell, Jul 21 '23 20:07