Reputation: 1136
I am trying to integrate Keycloak with Vault. I have 2 Vault policies (Admin, Dev). I want to use a path 'keycloak', and have done:
$ vault auth enable -path=keycloak oidc
The problem I want to solve is to map a Vault policy to a Keycloak client role.
$ vault write auth/keycloak/config \
oidc_discovery_url="https://$KEYCLOAK_ADDRESS/auth/realms/master" \
oidc_client_id="vault" \
oidc_client_secret=${CLIENT_SECRET} \
default_role="admin" type="oidc"
$ vault write auth/keycloak/role/admin \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="admin" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
$ vault write auth/keycloak/role/dev \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="dev" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
I want the admin and dev roles in Vault bound to the "vault" client in Keycloak. However, according to the group that the user is bound to, I want the user to have a different policy. (Both log in via the console with vault login -method=oidc keycloak.)
Have any ideas? The solution I have in mind is to make 2 different clients. However, I want only 1 client, 'vault'. Can this be achieved?
Upvotes: 3
Views: 3342
Reputation: 46
Go to your client, then go to the Mappers tab, then press Add Builtin.
Then find groups in the search and add it.
After this, a groups section will appear in your JWT token payload.
Then configure groups_claim in your Vault OIDC configuration:
$ vault write auth/keycloak/role/admin \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="admin" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid" \
groups_claim="groups"
$ vault write auth/keycloak/role/dev \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="dev" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid" \
groups_claim="groups"
Upvotes: 1
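Added example, not from the answer above and not Vault's own code: a small Python re-implementation of the audience and bound_claims checks a Vault OIDC role applies to the ID token, run against a constructed Keycloak-style token. It shows that groups_claim by itself only records group membership (for identity group aliases) and does not stop a member of the dev group from logging in with role=admin, whereas bound_claims on the groups claim does. Assumptions: Keycloak groups named admin and dev, the builtin groups mapper left at its default "Full group path" setting (so the claim value is "/dev"), and a constructed user id.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token (header.payload.) with an empty signature; test data only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Decode only the payload segment, for inspection; no signature verification."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def evaluate_role(role: dict, claims: dict):
    """Re-implements the checks a Vault OIDC role applies to the ID token's claims.
    Returns the login result, or None when the token is rejected for that role."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if not set(aud) & set(role["bound_audiences"]):      # bound_audiences
        return None
    for claim, allowed in role.get("bound_claims", {}).items():   # bound_claims
        present = claims.get(claim, [])
        present = present if isinstance(present, list) else [present]
        if not set(present) & set(allowed):              # exact string match
            return None
    return {
        "alias": claims[role["user_claim"]],             # entity alias name
        "policies": role["policies"],                    # policies from the role
        "groups": claims.get(role.get("groups_claim", ""), []),  # group aliases
    }

# Constructed sample: a dev-group user's ID token after the builtin "groups"
# mapper is added (Keycloak emits the full group path, e.g. "/dev", by default).
DEV_TOKEN = make_unsigned_token({"sub": "f1a2b3c4-dev-user", "aud": "vault", "groups": ["/dev"]})

# The admin role as configured in the answer: audience bound, groups_claim set.
ADMIN_ROLE = {"bound_audiences": ["vault"], "user_claim": "sub",
              "policies": ["admin"], "groups_claim": "groups"}
# Same role plus bound_claims, so only members of /admin can log in with it.
ADMIN_ROLE_BOUND = {**ADMIN_ROLE, "bound_claims": {"groups": ["/admin"]}}

def dev_user_can_use_admin_role(role: dict) -> bool:
    return evaluate_role(role, decode_jwt_payload(DEV_TOKEN)) is not None

if __name__ == "__main__":
    print("dev user, admin role without bound_claims:", dev_user_can_use_admin_role(ADMIN_ROLE))
    print("dev user, admin role with bound_claims:   ", dev_user_can_use_admin_role(ADMIN_ROLE_BOUND))
```

The corresponding Vault setting is the bound_claims parameter on the role, for example bound_claims='{"groups":["/admin"]}' added to the vault write auth/keycloak/role/admin command; whether the value needs the leading slash depends on the mapper's Full group path option, so decode a real token first and match exactly what it carries.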