torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

vault: revert to confidential client, Web UI only (no CLI)
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m8s
Details

Browse Source
This commit is contained in:
Torjus Håkestad
2026-02-09 19:29:00 +01:00
parent 35a5a91fcf
commit 9dec754eed
4 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
terraform/vault/oidc.tf
View File

@@ -1,10 +1,11 @@
# OIDC authentication backend for Kanidm integration
# Using a public client (no secret) to support CLI localhost redirects
# Web UI only - CLI localhost redirects not supported with confidential clients
resource "vault_jwt_auth_backend" "oidc" {
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
oidc_client_id = "openbao"
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
default_role = "default"
tune {
@@ -27,7 +28,6 @@ resource "vault_jwt_auth_backend_role" "admin" {
role_type = "oidc"
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback",
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}
@@ -43,7 +43,6 @@ resource "vault_jwt_auth_backend_role" "default" {
role_type = "oidc"
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback",
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}