Vault
Use ForgeRock for OIDC authentication
- Navigate to Applications -> OAuth 2.0 -> Clients in ForgeRock Access Management.
- Create new client.
- Configure Client ID, Client Secret, Scopes and Redirection URIs.
client ID
client secret
allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.oidc_scopes
should be set to the OIDC scopes.
- Save Client ID and Client Secret.
Configuration
In Vault, enable the OIDC auth method.
Configure the OIDC auth method with the
oidc_client_id
(client ID),oidc_client_secret
(client secret), andoidc_discovery_url
(endpoint URL) from ForgeRock.vault write auth/oidc/config \ oidc_client_id="your_client_id" \ oidc_client_secret="your_client_secret" \ default_role="your_default_role" \ oidc_discovery_url="https://openam.example.com:8443/openam/oauth2"
Configure the OIDC Role with the following:
user_claim
should be"sub"
.allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.oidc_scopes
should be set to the OIDC scopes.vault write auth/oidc/role/your_default_role \ user_claim="sub" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ oidc_scopes="your_oidc_scopes" \ policies=default