torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
addb8a83e6e7058290e9668740891c7177d75664
nixos-servers/terraform/vault/oidc.tf
Torjus Håkestad addb8a83e6
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Details
vault: request groups scope in OIDC roles
2026-02-09 19:39:10 +01:00

51 lines
1.6 KiB
HCL
Raw Blame History

# OIDC authentication backend for Kanidm integration
# Web UI only - CLI localhost redirects not supported with confidential clients
resource "vault_jwt_auth_backend" "oidc" {
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
oidc_client_id = "openbao"
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
default_role = "default"
tune {
listing_visibility = "unauth"
default_lease_ttl = "1h"
max_lease_ttl = "24h"
token_type = "default-service"
}
}
# Admin role - maps Kanidm admins group to admin policy
resource "vault_jwt_auth_backend_role" "admin" {
backend = vault_jwt_auth_backend.oidc.path
role_name = "admin"
token_policies = ["oidc-admin"]
user_claim = "preferred_username"
groups_claim = "groups"
bound_claims = { groups = "admins" }
role_type = "oidc"
oidc_scopes = ["openid", "profile", "email", "groups"]
allowed_redirect_uris = [
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}
# Default role - any authenticated user (limited access)
resource "vault_jwt_auth_backend_role" "default" {
backend = vault_jwt_auth_backend.oidc.path
role_name = "default"
token_policies = ["oidc-default"]
user_claim = "preferred_username"
groups_claim = "groups"
role_type = "oidc"
oidc_scopes = ["openid", "profile", "email", "groups"]
allowed_redirect_uris = [
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
]
}
Reference in New Issue View Git Blame Copy Permalink