A client can leverage Vault to request a JWT (Identity Token) and use it as a means of authentication with another party, such as a server.
Sample scenario:
Create signing key:
vault write identity/oidc/key/mykey \
algorithm=EdDSA \
allowed_client_ids="*"
Create role associated with the signing key:
vault write identity/oidc/role/client key=mykey
Add a client policy:
path "identity/oidc/token/*" {
capabilities = ["read"]
}
Add a server policy:
path "identity/oidc/introspect" {
capabilities = ["write"]
}
A hypothetical client can now generate a JWT via:
curl \
--header "X-Vault-Token: ..." \
--request GET \
$VAULT_ADDR/v1/identity/oidc/token/client
A server can assess the validity of a JWT via the introspection endpoint:
curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
$VAULT_ADDR/v1/identity/oidc/introspect
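The check the server is delegating to Vault in that introspection call, as an added Go example that is not from this page or from Vault's code base: a locally generated Ed25519 key and signToken stand in for mykey and GET identity/oidc/token/client, and verifyToken applies what a relying party needs regardless of whether it calls identity/oidc/introspect or verifies against Vault's published key set itself: the algorithm is pinned to EdDSA, the kid must belong to a known key, and iss, aud (the role's client_id) and exp must match. The issuer URL, kid and claim values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the claim set Vault places in an identity token; aud is the role's client_id.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signToken stands in for GET identity/oidc/token/client (constructed; in reality Vault signs with mykey).
func signToken(priv ed25519.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyToken performs the checks the server otherwise delegates to identity/oidc/introspect:
// pin alg to EdDSA, verify the signature under a kid it knows, then check iss, aud and exp.
func verifyToken(tok string, keys map[string]ed25519.PublicKey, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var c Claims
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("undecodable segment")
	}
	pub, known := keys[hdr.Kid] // alg is checked before pub is used, so the header cannot pick the verifier
	if hdr.Alg != "EdDSA" || !known || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("algorithm, key or signature rejected")
	}
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil
}
```

In production the public keys would come from Vault's identity/oidc/.well-known/keys endpoint rather than a local map, and `now` from the server clock.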