Identity Tokens in Vault

A client can use Vault to request a JWT (Identity Token) and present it as a means of authentication to another party, such as a server.

Sample scenario:

sequenceDiagram
    participant Client
    participant Server
    participant Vault
    Client ->> Vault: Authenticate
    Client ->> Vault: Generate JWT (GET identity/oidc/token/client)
    Client ->> Server: POST "/signin" (JWT)
    Server ->> Vault: Check JWT (POST identity/oidc/introspect)
    Vault ->> Server: JWT "OK"
    Server ->> Client: OK

Create signing key:

vault write identity/oidc/key/mykey \
  algorithm=EdDSA \
  allowed_client_ids="*"

Create role associated with the signing key:

vault write identity/oidc/role/client key=mykey

Add a client policy:

path "identity/oidc/token/*" {
  capabilities = ["read"]
}

Add a server policy:

path "identity/oidc/introspect" {
  capabilities = ["write"]
}

A hypothetical client can now generate a JWT via:

curl \
  --header "X-Vault-Token: ..." \
  --request GET \
  $VAULT_ADDR/v1/identity/oidc/token/client

A server can check the validity of a JWT via the introspection endpoint:

curl \
  --header "X-Vault-Token: ..." \
  --request POST \
  --data @payload.json \
  $VAULT_ADDR/v1/identity/oidc/introspect
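The server side of the exchange above, as an added example that is not from the original page or from Vault's own code: it decodes the JWT claims for a cheap local pre-check (expiry, audience), then asks Vault's introspection endpoint for the authoritative verdict. The `opener` parameter, `unsigned_jwt` and `FakeVault` are assumptions added so the flow can be exercised offline; a real deployment passes the server's own Vault token and leaves `opener` at its default.

```python
import base64, io, json, time, urllib.request

def jwt_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: a cheap pre-filter only,
    the verdict always comes from Vault's introspection endpoint."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def introspect(vault_addr, vault_token, jwt, client_id=None, opener=urllib.request.urlopen):
    """POST identity/oidc/introspect with the server's own Vault token (needs the
    'write' policy above). client_id additionally requires a matching aud claim."""
    body = {"token": jwt}
    if client_id:
        body["client_id"] = client_id
    req = urllib.request.Request(
        f"{vault_addr}/v1/identity/oidc/introspect",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": vault_token, "Content-Type": "application/json"},
        method="POST")
    with opener(req) as resp:
        return json.loads(resp.read()).get("active") is True

def verify_signin(jwt, vault_addr, vault_token, expected_client_id,
                  opener=urllib.request.urlopen, now=None):
    """Server side of POST /signin: reject malformed/expired/mis-audienced tokens
    locally, then let Vault decide whether signature and key state are valid."""
    now = time.time() if now is None else now
    try:
        claims = jwt_claims(jwt)
    except ValueError:                      # wrong segment count, bad base64, bad JSON
        return False
    if claims.get("exp", 0) <= now or claims.get("aud") != expected_client_id:
        return False
    return introspect(vault_addr, vault_token, jwt, expected_client_id, opener)

# --- constructed stand-ins for offline demonstration (not real Vault artefacts) ---
def unsigned_jwt(claims: dict) -> str:
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'EdDSA'})}.{enc(claims)}.fake-signature"

class FakeVault:
    """Mimics urlopen: reports only the one token it was told about as active."""
    def __init__(self, active_token):
        self.active_token = active_token
    def __call__(self, req):
        active = json.loads(req.data)["token"] == self.active_token
        return io.BytesIO(json.dumps({"active": active}).encode())
```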