torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
0b977808cac56ea8921c907de0d47011a1791d67
nixos-servers/docs/plans/openbao-kanidm-oidc.md
Torjus Håkestad 8786113f8f
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m10s
Details
docs: add OpenBao + Kanidm OIDC integration plan 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 15:45:44 +01:00

3.4 KiB
Raw Blame History

OpenBao + Kanidm OIDC Integration

Overview

Enable Kanidm users to authenticate to OpenBao (Vault) using OIDC, allowing access to secrets based on Kanidm group membership.

Current State

Kanidm:

  • Server: auth.home.2rjus.net (kanidm01)
  • Domain: home.2rjus.net
  • Groups: admins, users, ssh-users
  • No OIDC clients configured yet

OpenBao:

  • Server: vault.home.2rjus.net (vault01)
  • Auth: AppRole only (machine-to-machine)
  • No human user authentication configured

OpenBao OIDC Auth Method

OpenBao includes the JWT/OIDC auth method in the open-source version (unlike Vault Enterprise which gates some auth features). Key points:

  • Enable with: bao auth enable oidc
  • Supports browser-based OIDC login flow
  • Maps OIDC claims/groups to OpenBao policies
  • Works with both CLI (bao login) and Web UI

Required Configuration

bao write auth/oidc/config \
  oidc_discovery_url="https://auth.home.2rjus.net/oauth2/openid/<client_id>" \
  oidc_client_id="<client_id>" \
  oidc_client_secret="<client_secret>" \
  default_role="default"

Callback URIs

OpenBao requires specific callback URIs registered in Kanidm:

  • CLI: http://localhost:8250/oidc/callback
  • Web UI: https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback

Kanidm OAuth2 Configuration

Kanidm supports declarative OAuth2 client provisioning via NixOS:

services.kanidm.provision.systems.oauth2.openbao = {
  displayName = "OpenBao Secrets";
  # originUrl - where the client lives
  # originLanding - where to redirect after auth
  # basicSecretFile - client secret
  # scopeMaps - which scopes groups can request
  # claimMaps - custom claims based on group membership
};

The basicSecretFile should contain the client secret, fetched from Vault.

Implementation Approach

1. Create OAuth2 Client in Kanidm

Add to services/kanidm/default.nix:

  • OAuth2 client openbao with callback URIs
  • Scope maps for admins and users groups
  • Claim maps to expose group membership

2. Enable OIDC Auth in OpenBao

Options:

  • Terraform: Add vault_jwt_auth_backend resource in terraform/vault/
  • NixOS: Configure in vault01 host config

Terraform is probably cleaner since we already manage OpenBao config there.

3. Create OpenBao Roles

Map Kanidm groups to policies:

Kanidm Group OpenBao Role Policy
admins admin Full read access to secrets
users user Limited read access

4. Chicken-and-Egg Problem

The OAuth2 client secret needs to be stored in OpenBao, but OpenBao needs the secret to configure OIDC auth. Solutions:

  1. Bootstrap manually: Create initial secret via bao CLI
  2. Two-phase Terraform: First create the secret, then configure OIDC
  3. Static secret: Use a static secret for the OAuth2 client (less ideal)

Open Questions

  1. Web UI access: Do we want users logging into the OpenBao web UI, or just CLI?
  2. Policy granularity: What secrets should admins vs users access?
  3. Token TTL: How long should OIDC-issued tokens last?

References

Reference in New Issue View Git Blame Copy Permalink