
Identity tokens with Vault

Published: at 03:22 PM

A client can leverage Vault to request a JWT (Identity Token) and use it as a means of authentication with another party, such as a server.

Sample scenario:

[diagram: client requests a token from Vault, presents it to the server, and the server introspects it with Vault]

Create signing key:

vault write identity/oidc/key/mykey \
  algorithm=EdDSA \
  allowed_client_ids="*"

Create role associated with the signing key:

vault write identity/oidc/role/client key=mykey

Add a client policy:

path "identity/oidc/token/*" {
  capabilities = ["read"]
}

Add a server policy:

path "identity/oidc/introspect" {
  capabilities = ["write"]
}

A hypothetical client can now generate a JWT via:

curl \
  --header "X-Vault-Token: ..." \
  --request GET \
  $VAULT_ADDR/v1/identity/oidc/token/client

A server can assess the validity of a JWT via the introspection endpoint:

curl \
  --header "X-Vault-Token: ..." \
  --request POST \
  --data @payload.json \
  $VAULT_ADDR/v1/identity/oidc/introspect
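The full exchange described above, written out as an added Python example (it is not code from the original post and not part of Vault itself): the client side fetches a token from the role created earlier, the server side submits it to the introspection endpoint and then decides whether to accept it. The role name "client" is the one from the post; the environment variables VAULT_ADDR and VAULT_TOKEN, the `client_id` introspection parameter (which makes Vault additionally require a matching `aud` claim) and the `make_sample_jwt` helper, which only builds a constructed, unsigned token so the claim decoder can be exercised offline, are assumptions of this example.

```python
"""Added example, not from the original post: Vault identity-token client and
server helpers. Assumes VAULT_ADDR and VAULT_TOKEN are set and that the key,
role ("client") and policies from the post already exist."""
import base64
import json
import os
import urllib.request
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED sample token (fake signature) used only so the
    claim decoder below can be demonstrated without a running Vault."""
    header = _b64url_encode(json.dumps({"alg": "EdDSA", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.fakesignature"


def peek_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Fine for logging
    and for picking the audience to check; trust comes from introspection."""
    _header_b64, payload_b64, _signature_b64 = jwt.split(".")
    return json.loads(_b64url_decode(payload_b64))


def _vault_request(method: str, path: str, body: Optional[dict] = None) -> dict:
    # Thin wrapper around the Vault HTTP API using the caller's own Vault token.
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    token = os.environ["VAULT_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


# --- client side: needs the "read" capability on identity/oidc/token/* ---
def fetch_identity_token(role: str = "client") -> str:
    return _vault_request("GET", f"identity/oidc/token/{role}")["data"]["token"]


# --- server side: needs the "write" capability on identity/oidc/introspect ---
def introspect(jwt: str, client_id: Optional[str] = None) -> dict:
    payload = {"token": jwt}
    if client_id:
        # Assumed optional parameter: Vault then also requires a matching aud claim.
        payload["client_id"] = client_id
    return _vault_request("POST", "identity/oidc/introspect", payload)


def is_token_acceptable(introspect_response: dict, claims: dict, expected_aud: str) -> bool:
    """The server's decision: Vault reports the token as active AND the token
    was issued for this server's audience (not merely for some other client)."""
    if introspect_response.get("active") is not True:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_aud in audiences


if __name__ == "__main__":
    # Live flow against a real Vault; only runs when executed directly.
    token = fetch_identity_token("client")          # client
    claims = peek_claims(token)                     # server: inspect, don't trust yet
    result = introspect(token, client_id=claims.get("aud"))  # server: ask Vault
    print("accepted:", is_token_acceptable(result, claims, claims.get("aud")))
```

The `{"active": true}` / `{"active": false, ...}` shape is what Vault's introspection endpoint returns; the audience check is a local addition so that a token issued for a different client (the signing key here allows `*`) is not accepted just because Vault confirms it is valid.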