From 0f18bffbdb878390781250492ba3e29891bb49ef Mon Sep 17 00:00:00 2001 From: Yoko Hyakuna Date: Wed, 12 Apr 2023 09:25:22 -0700 Subject: [PATCH] Fix list formatting (#20076) (#20108) Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com> --- .../docs/auth/jwt/oidc-providers/azuread.mdx | 57 ++++++++++--------- 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/website/content/docs/auth/jwt/oidc-providers/azuread.mdx b/website/content/docs/auth/jwt/oidc-providers/azuread.mdx index 3f9e3337b964..5f3df30cafa1 100644 --- a/website/content/docs/auth/jwt/oidc-providers/azuread.mdx +++ b/website/content/docs/auth/jwt/oidc-providers/azuread.mdx @@ -20,13 +20,15 @@ Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https:/ 1. Add Redirect URIs with the "Web" type. You may include two redirect URIs, one for CLI access another one for Vault UI access. - - `http://localhost:8250/oidc/callback` - - `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback` + + - `http://localhost:8250/oidc/callback` + - `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback` 1. Record the "Application (client) ID" as you will need it as the `oidc_client_id`. 1. Under **Endpoints**, copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion. - - The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0 + + - The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0 1. Under **Certificates & secrets**, [add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) @@ -59,13 +61,15 @@ You should set up a [Vault policy](https://learn.hashicorp.com/tutorials/vault/p oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0" ``` -1. Configure the [OIDC Role](/api-docs/auth/jwt#create-role) with the following: - - `user_claim` should be `"sub"` or `"oid"` following the - [recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id) +1. Configure the [OIDC Role](/vault/api-docs/auth/jwt#create-role) with the following: + + - `user_claim` should be `"sub"` or `"oid"` following the + [recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id) from Azure. - - `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access. - - `groups_claim` should be set to `"groups"`. - - `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`. + - `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access. + - `groups_claim` should be set to `"groups"`. + - `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`. + ```shell vault write auth/oidc/role/your_default_role \ user_claim="sub" \ @@ -125,11 +129,10 @@ To set the proper permissions on the Azure app: 1. Select "Delegated permissions" 1. Add the [User.Read](https://learn.microsoft.com/en-us/graph/permissions-reference#delegated-permissions-86) permission 1. Check the "Grant admin consent for Default Directory" checkbox - -Next, configure the OIDC auth method in Vault by setting `"provider_config"` to Azure. - ```shell - vault write auth/oidc/config -<<"EOH" - { +1. Configure the OIDC auth method in Vault by setting `"provider_config"` to Azure. + ```shell + vault write auth/oidc/config -<<"EOH" + { "oidc_client_id": "your_client_id", "oidc_client_secret": "your_client_secret", "default_role": "your_default_role", @@ -137,16 +140,16 @@ Next, configure the OIDC auth method in Vault by setting `"provider_config"` to "provider_config": { "provider": "azure" } - } - EOH - ``` - -Finally, add `"profile"` to `oidc_scopes` so the user's ID comes back on the JWT. - ```shell - vault write auth/oidc/role/your_default_role \ - user_claim="email" \ - allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ - groups_claim="groups" \ - oidc_scopes="profile" \ - policies="default" - ``` + } + EOH + ``` + +1. Add `"profile"` to `oidc_scopes` so the user's ID comes back on the JWT. + ```shell + vault write auth/oidc/role/your_default_role \ + user_claim="email" \ + allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ + groups_claim="groups" \ + oidc_scopes="profile" \ + policies="default" + ```