Feature Request: Github as OIDC provider with HashiCorp Vault
Hi Team,
I am using Vault in my organization as a secret manager and we are trying to use the OIDC Auth method. Currently, I can see Github can't be used as a vault OIDC provider: https://www.vaultproject.io/docs/auth/jwt/oidc-providers
As we are using Github enterprise in our org., I wanted to know if Vault is planning to provide Github as an OIDC provider with Vault in near future?
Thanks!
(Note: I'm not a HashiCorp employee, just an interested community member.)
You'd need to clarify what you're asking for:
- GitHub already supports OIDC, but only for GitHub Actions runs, and publishes how to integrate it with Vault: https://docs.github.com/en/[email protected]/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#adding-the-identity-provider-to-hashicorp-vault
- HOWEVER, GitHub doesn't actually support OIDC for authenticating humans. For that, it only supports OAuth, an older protocol. OIDC includes much of OAuth, but also other extensions too, and since the Vault auth method is an OIDC auth method, it's not capable of interfacing with a plain OAuth provider, like GitHub offers for humans.
(It would be possible to write a GitHub OAuth auth provider Vault plugin, and it could probably re-use a lot of code from the existing OIDC auth method, and it could look very similar to users, but it wouldn't technically be OIDC.)
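To make the first bullet concrete: in the GitHub Actions case, the workflow presents a signed ID token (a JWT) to Vault's JWT auth method, and Vault admits it only if the issuer, audience and the role's bound claims match. The following is an added illustration, not code from the thread, from HashiCorp or from GitHub: it decodes the payload of constructed, unsigned sample tokens and applies the same kind of claim matching a Vault JWT role performs. Signature verification against the issuer's published keys, which Vault does and this example skips, is what makes the claims trustworthy in the first place; the audience, repository and actor values here are made up.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Real issuer of GitHub Actions OIDC tokens (from GitHub's documentation).
ISSUER = "https://token.actions.githubusercontent.com"
# Fixed clock so the expiry check is deterministic (constructed value).
FIXED_NOW = 1_700_000_000


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT. This does NOT verify the signature;
    Vault verifies it with the keys at <issuer>/.well-known/openid-configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token with an empty signature (test data only)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def check_role(claims: dict, role: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Mirror the checks a Vault JWT role applies: issuer, audience, expiry,
    bound_claims (exact match, or one of a list of allowed values), user_claim.
    Returns (accepted, entity-alias-or-reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != role["bound_issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(role["bound_audiences"]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for name, allowed in role["bound_claims"].items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if claims.get(name) not in allowed:
            return False, f"bound claim {name!r} mismatch"
    user = claims.get(role["user_claim"])
    if not user:
        return False, f"user claim {role['user_claim']!r} missing"
    return True, user


def sample_claims(repository: str) -> dict:
    """Constructed payload shaped like a GitHub Actions ID token."""
    return {
        "iss": ISSUER,
        "aud": "https://vault.example.com",      # constructed audience
        "sub": f"repo:{repository}:ref:refs/heads/main",
        "repository": repository,
        "ref": "refs/heads/main",
        "actor": "octocat",                       # constructed user
        "iat": FIXED_NOW,
        "exp": FIXED_NOW + 300,
    }


# Role as in GitHub's guide: issuer + audience + the repository pinned (constructed values).
ROLE_PINNED = {
    "bound_issuer": ISSUER,
    "bound_audiences": ["https://vault.example.com"],
    "bound_claims": {"repository": "example-org/example-repo"},
    "user_claim": "actor",
}
# Weaker role with no bound_claims: any workflow from any repository on this
# issuer passes, which is why the repository binding matters.
ROLE_ISSUER_ONLY = {**ROLE_PINNED, "bound_claims": {}}

OWN_REPO_TOKEN = make_unsigned_token(sample_claims("example-org/example-repo"))
OTHER_REPO_TOKEN = make_unsigned_token(sample_claims("example-org/other-repo"))


def evaluate(token: str, role: dict) -> Tuple[bool, str]:
    return check_role(decode_payload(token), role, now=FIXED_NOW)


if __name__ == "__main__":
    for label, tok in (("own repo", OWN_REPO_TOKEN), ("other repo", OTHER_REPO_TOKEN)):
        print(label, "pinned role:", evaluate(tok, ROLE_PINNED))
        print(label, "issuer-only role:", evaluate(tok, ROLE_ISSUER_ONLY))
```

The contrast between `ROLE_PINNED` and `ROLE_ISSUER_ONLY` is the practical point: the issuer and audience checks establish only that the token came from GitHub Actions and was minted for this Vault, and it is the `bound_claims` on `repository` (or `sub`) that ties the login to a specific repository. Note that nothing comparable exists for a plain OAuth access token from GitHub's human login flow, which is opaque and carries no signed claims for Vault to bind on.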
Thanks for the reply @maxb!
Actually, I was looking for the 2nd use case, i.e. how we can leverage Github apps as an OIDC provider with Vault authentication, just like we can use Auth0, GitLab, etc. as the OIDC provider, where we can create different applications (inside Auth0) for different teams in my organization, having unique client ID and secret, and that too programmatically.
I also tried the whole authentication scenario using the Auth0 provider. (https://www.vaultproject.io/docs/auth/jwt/oidc-providers/auth0)
Goal:
- To use Github apps as the OIDC provider, so I could create different Github apps for different teams in my organization.
- This way, each team could authenticate using oidc programmatically and access the vault to get the secrets.
Thanks!
Actually my second scenario was just about humans.
Since you're talking about GitHub apps, that would be a third separate scenario.
I'm not aware of GitHub apps having an OIDC identity that they can use to authenticate to third party software like Vault, so I don't think what you describe is possible.
Why do you even want to involve GitHub in this at all? It seems all you want is some arbitrary credentials to log into Vault for automation - that's a classic case for the Vault approle auth method.
> It seems all you want is some arbitrary credentials to log into Vault for automation - that's a classic case for the Vault approle auth method

That's right... AppRole seems to be the only option in this case.

> Why do you even want to involve GitHub in this at all?

I tried the whole OIDC authentication flow using Auth0 and it works perfectly fine. Although I tried this scenario for human users and not programmatically. My organization uses Github enterprise and if Github apps work, this would be super easy to use and maintain.
Yes, but Auth0 is a general-purpose OIDC provider, and GitHub... isn't. So you can't use it as one.
We also use Github for login in several services, for instance Rancher. It's convenient especially for external people because most already have a Github account so it's just a matter of getting their handle. We would really like to use Github as an OIDC flow so we can use Vault as an IdP for all services directly, allowing people to log in using Github if they have an account already.
I think I implemented something like this specifically for Github a few years ago, and if I remember correctly, it was a basic OAuth 2.0 flow without the OpenID Connect on top of it – enough at least to get an Entity Alias in Vault to link to an actual local user.
We're interested in using Vault as an IdP because it's lightweight, easier to integrate and has a nicer API than some of the other IdP-as-a-product software.
I will go ahead and close this issue for now as it is something of a niche request and other options exist. If, in time, this becomes a larger ask or the benefit becomes broader, we can re-evaluate this ask. Thanks for your understanding!