I am setting up the JWT auth method for HashiCorp Vault and want to check that the token being passed has the correct audience, issuer and scope.
For audience and issuer it is easy and I can follow documentation:
    vault write auth/jwt/config default_role="myrole" \
        oidc_discovery_url="URL" \
        bound_issuer="MY_ISSUER"

    vault write auth/jwt/role/myrole user_claim="sub" \
        groups_claim="groups" \
        policies="my-policy" \
        role_type="jwt" \
        bound_audiences="MY_AUDIENCE"
Is it possible to have a "bound_scp" somehow?
Related
From this page: https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html:
> The fourth security-relevant reserved claim is "iss." This claim indicates the identity of the party that issued the JWT. The claim holds a simple string, of which the value is at the discretion of the issuer. The consumer of a JWT should always check that the "iss" claim matches the expected issuer (e.g., sso.example.com).
As an example, in Kubernetes, when I configure the Kubernetes auth like this to use a JWT for a Vault service account (from Helm), I no longer get an ISS error when accessing Vault:
    vault write auth/kubernetes/config \
        token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
        kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
        kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
        issuer="https://kubernetes.default.svc.cluster.local"
But what does this URL mean? Is it a somewhat arbitrary string that was set when the JWT was generated?
The JWT token issuer is the party that "created" the token and signed it with its private key.
Anyone can create tokens; make sure that the tokens you receive are created by a party that you trust.
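As an added example (not code from any of the posts above), the following shows the checks a Vault JWT role applies through bound_issuer and bound_audiences, plus a scope check of the kind the role's bound_claims map is meant for (Vault's JWT role accepts a bound_claims map for arbitrary claims such as scp; that parameter is not mentioned in the question above). Signature verification comes first, because an unverified iss or aud claim proves nothing. The tokens are constructed HS256 tokens signed with a made-up key so the example runs offline; a real verifier uses the issuer's public keys from OIDC discovery, and the issuer, audience and scope names are illustrative.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real tokens from an OIDC provider are signed with the
# issuer's private key and verified with the public keys published via the
# discovery document (jwks_uri), never with a shared secret like this.
DEMO_KEY = b"constructed-demo-hmac-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 token; only used here to build constructed test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, key: bytes, bound_issuer: str,
                 bound_audience: str, bound_scopes: list) -> tuple:
    """Return (ok, reason). Verify the signature before trusting any claim,
    then check iss, aud, exp and finally the scope claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed token"
    # Pin the algorithm instead of honouring whatever the token's header says.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != bound_issuer:            # what bound_issuer enforces
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud     # aud may be a string or a list
    if bound_audience not in aud:                    # what bound_audiences enforces
        return False, "audience mismatch"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    scp = claims.get("scp", [])
    scp = scp.split() if isinstance(scp, str) else scp  # "read write" or ["read", "write"]
    missing = sorted(set(bound_scopes) - set(scp))
    if missing:                                      # what a bound_claims entry for scp would enforce
        return False, f"missing scope: {missing}"
    return True, "ok"


def demo() -> dict:
    """Run the validator over constructed tokens; returns the reason for each case."""
    base = {"iss": "https://sso.example.com", "aud": ["vault", "other-app"],
            "sub": "alice", "exp": int(time.time()) + 300, "scp": "read write"}
    cases = {
        "good": (make_jwt(base), DEMO_KEY),
        "wrong_issuer": (make_jwt({**base, "iss": "https://sso.example.net"}), DEMO_KEY),
        "wrong_audience": (make_jwt({**base, "aud": "other-app"}), DEMO_KEY),
        "missing_scope": (make_jwt({**base, "scp": "read"}), DEMO_KEY),
        "wrong_key": (make_jwt(base), b"some-other-key"),
        "garbage": ("not.a.jwt", DEMO_KEY),
    }
    return {name: validate_jwt(tok, key, "https://sso.example.com", "vault",
                               ["read", "write"])[1]
            for name, (tok, key) in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:15} -> {reason}")
```

The order of the checks is the point: a token whose iss looks right but whose signature does not verify is rejected before the claim is even read, which is why the answer above insists that the trusted party must be the one who signed it.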
I am using the Vault Kubernetes auth method to authenticate services against Vault, and I wonder if I can generate a token with this auth method which does not expire.
Vault supports logging in using a JWT. I have a proxy in front of my Vault instance which manages an OIDC flow and injects a JWT as a bearer token in the Authorization header.
Instead of being presented with the Vault login screen, it would be convenient if Vault could parse the Authorization header and automatically log me in -- is this possible?
I know Vault supports Vault tokens in the Authorization header, but since I access my other dashboards using this JWT, it would be powerful for Vault to also interpret it.
As far as I know: no, not in the usual way with HTTP header authorization.
Vault would accept the JWT token from OIDC for login if the token comes as body/payload in JSON like this:
    POST /v1/auth/jwt/login
    {"jwt":"YOUR.JWT.TOKEN"}
As written in the Vault docs:
    curl --request POST \
        --data '{"jwt": "YOUR.JWT.TOKEN", "role": "demo"}' \
        http://127.0.0.1:8200/v1/auth/jwt/login
As a header, Vault accepts the HTTP header X-Vault-Token: s.XYZYXr3kuxR4, which is a Vault token and not the OIDC JWT token.
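The exchange the answer describes, as an added example that is not part of any post above: take the bearer JWT the proxy injects, post it to /v1/auth/jwt/login with a role, and carry the returned Vault token in X-Vault-Token from then on. The Vault side is a constructed in-process stand-in that only checks the request shape; the role name, token value and the vault_http_post helper are assumptions for illustration, and a real Vault validates the JWT against the role's bound_* settings before issuing anything.

```python
import json
from urllib import request

# Constructed stand-in for Vault's POST /v1/auth/jwt/login. It checks only the
# request shape and returns a made-up token in the shape Vault uses.
FAKE_ROLE = "demo"
FAKE_VAULT_TOKEN = "hvs.constructed-example-token"


def fake_vault_post(path: str, body: dict) -> tuple:
    """Return (status, response_dict) the way the constructed Vault would."""
    if path != "/v1/auth/jwt/login":
        return 404, {"errors": ["unsupported path"]}
    if body.get("role") != FAKE_ROLE or not body.get("jwt"):
        return 400, {"errors": ["missing jwt or unknown role"]}
    return 200, {"auth": {"client_token": FAKE_VAULT_TOKEN,
                          "lease_duration": 3600, "renewable": True}}


def vault_http_post(vault_addr: str):
    """Build a poster for a real Vault address (assumed helper, not exercised offline)."""
    def post(path: str, body: dict) -> tuple:
        req = request.Request(vault_addr + path, data=json.dumps(body).encode(),
                              method="POST",
                              headers={"Content-Type": "application/json"})
        with request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    return post


def vault_headers_from_bearer(incoming_headers: dict, role: str,
                              post=fake_vault_post) -> dict:
    """Turn the proxy's `Authorization: Bearer <jwt>` into the header Vault
    understands by logging in through the JWT auth method."""
    scheme, _, jwt = incoming_headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not jwt.strip():
        raise ValueError("no bearer JWT in Authorization header")
    # This is the body the curl example in the answer sends.
    status, reply = post("/v1/auth/jwt/login", {"jwt": jwt.strip(), "role": role})
    if status != 200:
        raise PermissionError(f"vault login failed: {reply.get('errors')}")
    # From here on the Vault token, not the OIDC JWT, is what goes in the header.
    return {"X-Vault-Token": reply["auth"]["client_token"]}


if __name__ == "__main__":
    print(vault_headers_from_bearer({"Authorization": "Bearer eyJ.constructed.jwt"},
                                    FAKE_ROLE))
```

Pass `post=vault_http_post("http://127.0.0.1:8200")` to talk to a real server; the returned token has its own TTL (lease_duration in the login reply), so the adapter has to log in again, or renew, rather than assume the mapping is permanent.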
Currently, I am connecting to a corporate Vault service where I am using a Vault token and passing it through the header below in my Spring Cloud Config service, where the properties of all microservices are kept.
    curl -X "GET" "http://localhost:8080/my-client-microservice/dev" -H "X-Config-Token: s.myvaulttoken"
where http://localhost:8080 is my Spring Cloud Config service and s.myvaulttoken is my Vault token. This is working absolutely fine.
I want to know the validity of this token. From what I have read in the documentation, a token can be of two types: service or batch. I want to know whether this token can be used infinitely (as a root token's validity is infinite).
Since the client microservices require the Vault token, I want to figure out a way to know the validity of a token. Can you guys help me to tell more about this?
I followed this link: https://learn.hashicorp.com/vault/getting-started/authentication
Every non-root token has a time-to-live (TTL) associated with it.
For example, with a root token, the TTL is 0:
    vault token lookup -format json | jq .data.ttl
    0
With a regular user, the TTL is non-zero:
    VAULT_TOKEN=$(vault token create -policy default -field token) vault token lookup -format json | jq .data.ttl
    2764799
This check is possible through the API as well.
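As an added example (not from the answer above), this turns the lookup output the answer relies on into a decision a client microservice can act on. The responses are constructed in the shape of `vault token lookup -format json` (the API form is GET /v1/auth/token/lookup-self) with only the fields the code reads; the renew threshold is an assumption. A ttl of 0 together with a null expire_time is the never-expiring case; otherwise ttl counts down, and only service tokens can be renewed, so a batch token or a non-renewable service token has to be replaced by logging in again.

```python
import json

# Constructed lookup responses; only the fields read below are included and
# the values are made up. "type" is "service" or "batch" in real output.
ROOT_LOOKUP = json.dumps({"data": {"ttl": 0, "creation_ttl": 0, "expire_time": None,
                                   "renewable": False, "num_uses": 0,
                                   "policies": ["root"], "type": "service"}})
SERVICE_LOOKUP = json.dumps({"data": {"ttl": 2764799, "creation_ttl": 2764800,
                                      "expire_time": "2030-01-01T00:00:00Z",
                                      "renewable": True, "num_uses": 0,
                                      "policies": ["default"], "type": "service"}})
BATCH_LOOKUP = json.dumps({"data": {"ttl": 120, "creation_ttl": 3600,
                                    "expire_time": "2030-01-01T00:00:00Z",
                                    "renewable": False, "num_uses": 0,
                                    "policies": ["default"], "type": "batch"}})


def describe_token(lookup_json: str, renew_below: float = 1 / 3) -> dict:
    """Summarise a lookup response and say what the client should do next.

    renew_below (assumed threshold) is the fraction of the original TTL below
    which the client should act rather than keep using the token.
    """
    data = json.loads(lookup_json)["data"]
    ttl = int(data.get("ttl", 0))
    creation_ttl = int(data.get("creation_ttl", 0))
    never_expires = ttl == 0 and not data.get("expire_time")
    renewable = bool(data.get("renewable"))
    running_low = (not never_expires and creation_ttl > 0
                   and ttl < creation_ttl * renew_below)
    if never_expires:
        action = "none"
    elif not running_low:
        action = "ok"
    elif renewable:
        action = "renew"            # e.g. `vault token renew`
    else:
        action = "reauthenticate"   # batch tokens and non-renewable service tokens
    return {
        "type": data.get("type", "service"),
        "never_expires": never_expires,
        "ttl_seconds": ttl,
        "hours_left": None if never_expires else round(ttl / 3600, 2),
        "renewable": renewable,
        "use_limited": int(data.get("num_uses", 0)) > 0,  # num_uses > 0 also ends a token
        "action": action,
    }


if __name__ == "__main__":
    for name, payload in [("root", ROOT_LOOKUP), ("service", SERVICE_LOOKUP),
                          ("batch", BATCH_LOOKUP)]:
        print(name, describe_token(payload))
```

A token that never expires is the exception, not the norm: if describe_token reports never_expires for the token a config service uses, that token carries root-like longevity and its accessor should be reviewed and the token replaced with a TTL-bound one.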
I was reading the documentation of Vault and came across the revocation feature that Vault provides. How can revoking a key in Vault affect the service's decision about the secret, for example a secret for a local repository manager that is fetched from Vault?
The only way I can imagine it is that the tokens or userpass credentials which are used to authenticate against Vault are the ones to be revoked; then it makes sense. But even if a secret has its lease expired, how would the repository manager know not to accept that secret for authentication?
Am I missing something here?
Thanks in advance
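The question above has no answer on this page. As an added example (not from any post here), the following shows how a consumer can tell the two cases apart from what Vault returns with a secret. A response carrying a lease_id and lease_duration is a dynamic secret: Vault created that credential in the backend and removes it there again when the lease expires or is revoked, so the backend itself stops accepting it and the consumer notices as an authentication failure. A response with no lease (a KV secret) is data Vault stored, and revoking anything in Vault changes nothing at the repository manager, so rotation there is the consumer's own job. The response bodies are constructed in the shape of a Vault read response, and the renewal threshold is an assumption.

```python
import json

# Constructed read responses. A database-engine style dynamic credential
# carries a lease; a KV-style static secret does not.
DYNAMIC_SECRET = json.dumps({
    "lease_id": "database/creds/repo-manager/constructed-lease-id",
    "lease_duration": 3600, "renewable": True,
    "data": {"username": "v-constructed-user", "password": "constructed-password"},
})
STATIC_SECRET = json.dumps({
    "lease_id": "", "lease_duration": 0, "renewable": False,
    "data": {"username": "repo-admin", "password": "constructed-password"},
})


def classify_secret(response_json: str) -> dict:
    """Say whether revocation or expiry in Vault is enforced at the backend."""
    resp = json.loads(response_json)
    dynamic = bool(resp.get("lease_id"))
    return {
        "dynamic": dynamic,
        "backend_enforces": dynamic,   # only dynamic credentials vanish at the backend
        "lease_duration": int(resp.get("lease_duration", 0)),
        "renewable": bool(resp.get("renewable")),
        "lease_id": resp.get("lease_id", ""),
    }


def next_action(response_json: str, elapsed: int, auth_failed: bool = False,
                renew_at: float = 2 / 3) -> str:
    """Decide what the consumer should do `elapsed` seconds after fetching.

    auth_failed means the repository manager rejected the credential, which is
    how a revoked or expired dynamic lease shows up to the consumer.
    renew_at (assumed) is the fraction of the lease after which to renew.
    """
    info = classify_secret(response_json)
    if auth_failed:
        return "refetch"  # gone at the backend: read a fresh credential from Vault
    if not info["dynamic"]:
        return "use"      # no lease to track; rotate on your own schedule
    if elapsed >= info["lease_duration"]:
        return "refetch"
    if elapsed >= info["lease_duration"] * renew_at:
        return "renew" if info["renewable"] else "refetch"
    return "use"


if __name__ == "__main__":
    print(classify_secret(DYNAMIC_SECRET))
    for t in (0, 2500, 3700):
        print(t, next_action(DYNAMIC_SECRET, t))
    print("static:", next_action(STATIC_SECRET, 999999))
    print("rejected:", next_action(DYNAMIC_SECRET, 10, auth_failed=True))
```

The practical consequence for the repository-manager case: if the credential is a static one Vault merely stores, revoking leases or tokens in Vault only stops clients from reading it again; whoever already holds it can keep using it until the repository manager's own password is changed.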