Fix list formatting (#20076) (#20107)
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
yhyakuna and jonathanfrappier authored Apr 12, 2023
1 parent e59b15b commit 7f776d8
Showing 1 changed file with 37 additions and 26 deletions.
63 changes: 37 additions & 26 deletions website/content/docs/auth/jwt/oidc-providers/azuread.mdx
Expand Up @@ -20,13 +20,15 @@ Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https:/

1. Add Redirect URIs with the "Web" type. You may include two redirect URIs,
one for CLI access another one for Vault UI access.
- `http://localhost:8250/oidc/callback`
- `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback`

- `http://localhost:8250/oidc/callback`
- `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback`

1. Record the "Application (client) ID" as you will need it as the `oidc_client_id`.

1. Under **Endpoints**, copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion.
- The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0

- The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0

1. Under **Certificates & secrets**,
[add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)
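Review bot: the two redirect URIs now split out as their own bullets (`http://localhost:8250/oidc/callback` and `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback`) are the same values the role's `allowed_redirect_uris` has to carry later in this file, and both Azure and Vault compare them exactly, scheme and port included; while this list is being reworked it is worth one sentence saying the URIs registered here must match `allowed_redirect_uris` verbatim. The plain-http loopback entry is acceptable only because it is the local CLI listener; the UI entry must stay https with the real hostname and port substituted for the `hostname:port_number` placeholders.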
Expand Down Expand Up @@ -59,13 +61,15 @@ You should set up a [Vault policy](https://learn.hashicorp.com/tutorials/vault/p
oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
```

1. Configure the [OIDC Role](/api-docs/auth/jwt#create-role) with the following:
- `user_claim` should be `"sub"` or `"oid"` following the
[recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id)
1. Configure the [OIDC Role](/vault/api-docs/auth/jwt#create-role) with the following:

- `user_claim` should be `"sub"` or `"oid"` following the
[recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id)
from Azure.
- `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access.
- `groups_claim` should be set to `"groups"`.
- `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`.
- `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access.
- `groups_claim` should be set to `"groups"`.
- `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`.

```shell
vault write auth/oidc/role/your_default_role \
user_claim="sub" \
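Review bot: besides the blank lines, this hunk also rewrites the role link from `/api-docs/auth/jwt#create-role` to `/vault/api-docs/auth/jwt#create-role`, which the commit message (`Fix list formatting`) does not mention; fine to keep, but it should be called out. On the content the list now carries: `oidc_scopes` is set to `"https://graph.microsoft.com/.default"` here, while the role example at the end of this same file sets `oidc_scopes="profile"`, and nothing says when each applies; one sentence distinguishing the two would stop readers from copying the wrong value into their role.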
Expand Down Expand Up @@ -117,27 +121,34 @@ which will be used by Vault to retrieve the groups for the user:
- In Azure, under the applications **API Permissions**, grant the following permissions:
- Microsoft Graph API permission [Directory.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-19)

- In Vault, set `"provider_config"` to Azure.
```shell
vault write auth/oidc/config -<<"EOH"
{
1. Locate the application under "App Registrations" in Azure
1. Navigate to the "API Permissions" page for the application
1. Add a permission
1. Select "Microsoft Graph"
1. Select "Delegated permissions"
1. Add the [User.Read](https://learn.microsoft.com/en-us/graph/permissions-reference#delegated-permissions-86) permission
1. Check the "Grant admin consent for Default Directory" checkbox
1. Configure the OIDC auth method in Vault by setting `"provider_config"` to Azure.
```shell
vault write auth/oidc/config -<<"EOH"
{
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
"provider_config": {
"provider": "azure"
}
}
EOH
```
- In Vault, add `"profile"` to `oidc_scopes` so the user's id comes back on the JWT.
```shell
vault write auth/oidc/role/your_default_role \
user_claim="email" \
allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
groups_claim="groups" \
oidc_scopes="profile" \
policies="default"
```
}
EOH
```
1. Add `"profile"` to `oidc_scopes` so the user's ID comes back on the JWT.
```shell
vault write auth/oidc/role/your_default_role \
user_claim="email" \
allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
groups_claim="groups" \
oidc_scopes="profile" \
policies="default"
```

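Review bot: the role command closing this hunk sets `user_claim="email"`, which contradicts the guidance earlier in the same file that `user_claim` should be `"sub"` or `"oid"` per the linked Azure recommendation; an email address is not a stable identifier, so Vault entities keyed on it do not reliably track one Azure user. Suggest `user_claim="oid"` (or `"sub"`) here as well, keeping `"profile"` in `oidc_scopes` if the profile claims are wanted. Smaller point in the new numbered steps: "Grant admin consent for Default Directory" hard-codes a tenant display name; "Grant admin consent for <your tenant>" reads correctly for everyone, and the step should say the consent is for the delegated `User.Read` permission added just above it, since the same hunk also lists the application permission `Directory.Read.All` and a reader cannot tell which one the checkbox covers.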