Torjus Håkestad
e85f15b73d
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access. Members of the admins group get full read/write access to secrets. Changes: - Add OIDC auth backend in Terraform (oidc.tf) - Add oidc-admin and oidc-default policies - Add openbao OAuth2 client to Kanidm - Enable legacy crypto (RS256) for OpenBao compatibility - Allow imperative group membership management in Kanidm Limitations: - CLI login not supported (Kanidm requires HTTPS for confidential client redirects) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
51 lines
1.6 KiB
HCL
51 lines
1.6 KiB
HCL
# OIDC authentication backend for Kanidm integration
|
|
# Web UI only - CLI localhost redirects not supported with confidential clients
|
|
resource "vault_jwt_auth_backend" "oidc" {
|
|
path = "oidc"
|
|
type = "oidc"
|
|
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
|
|
oidc_client_id = "openbao"
|
|
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
|
|
default_role = "default"
|
|
|
|
tune {
|
|
listing_visibility = "unauth"
|
|
default_lease_ttl = "1h"
|
|
max_lease_ttl = "24h"
|
|
token_type = "default-service"
|
|
}
|
|
}
|
|
|
|
# Admin role - maps Kanidm admins group to admin policy
|
|
resource "vault_jwt_auth_backend_role" "admin" {
|
|
backend = vault_jwt_auth_backend.oidc.path
|
|
role_name = "admin"
|
|
token_policies = ["oidc-admin"]
|
|
|
|
user_claim = "preferred_username"
|
|
groups_claim = "groups"
|
|
bound_claims = { groups = "admins@home.2rjus.net" }
|
|
role_type = "oidc"
|
|
oidc_scopes = ["openid", "profile", "email", "groups"]
|
|
|
|
allowed_redirect_uris = [
|
|
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
|
]
|
|
}
|
|
|
|
# Default role - any authenticated user (limited access)
|
|
resource "vault_jwt_auth_backend_role" "default" {
|
|
backend = vault_jwt_auth_backend.oidc.path
|
|
role_name = "default"
|
|
token_policies = ["oidc-default"]
|
|
|
|
user_claim = "preferred_username"
|
|
groups_claim = "groups"
|
|
role_type = "oidc"
|
|
oidc_scopes = ["openid", "profile", "email", "groups"]
|
|
|
|
allowed_redirect_uris = [
|
|
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
|
]
|
|
}
|