Reputation: 951
I have set up a local instance of HashiCorp Vault (Enterprise edition) to test an implementation of Vault and Azure AD Single Sign-On with OIDC. I am using Terraform to provision and configure my OIDC components in Visual Studio Code, but have run into an error (see below) relating to my token claim.
How or where can I access my OIDC JWT claim metadata to verify some of its entries? I have even set verbose_oidc_logging = true in my vault_jwt_auth_backend_role configuration but can't figure out where I can access the log.
Below is the full snippet of vault_jwt_auth_backend_role configuration.
resource "vault_jwt_auth_backend_role" "azure" {
  role_name             = var.azure_role_name
  backend               = vault_jwt_auth_backend.root.path
  user_claim            = "email"                    # claim that names the entity alias
  groups_claim          = "groups"                   # claim mapped to group aliases
  bound_claims          = { groups = "VaultAdmins" } # token must carry this group
  role_type             = "oidc"
  oidc_scopes           = var.oidc_scopes
  allowed_redirect_uris = var.allowed_redirect_uris
  verbose_oidc_logging  = true # logs received tokens and claims at debug log level
}
Upvotes: 1
Views: 1527
Reputation: 2040
How you access the tokens will depend on which flow the app is using.
If it's an implicit flow, you should be able to see the tokens in the payload of the HTTP request during sign-on.
If it's an authorization code flow (likely), you can use Postman to form a request, and you'll need a few values from the Azure AD app registration for your app.
Parameter | Description
---|---
tenant_Id | Azure AD tenant ID
client_Id | Azure AD application (client) ID
client_secret | Client secret created for your app
redirect_url | The redirect URL where the token is being sent
scopes | The API permissions the app is requesting
Use the above info to form a link to log in to your application; the link should be URL encoded.
https://login.microsoftonline.com/{tenant_Id}/oauth2/v2.0/authorize?client_id={client_id}&redirect_uri={redirect_url}&response_type=code&response_mode=query&scope={scopes}&state=12345
Example
https://login.microsoftonline.com/abcde123-a123-1a23-b9a9-123a456bcd7d/oauth2/v2.0/authorize?response_type=code&redirect_uri=https%3A%2F%2Fapplication.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=a1bcde23-a12b-1234-1a2b-1a23456b78cd&scope=openid%20profile%20email&response_mode=query&state=12345
Open a browser window with the developer tools open, and log in to your app using the link. After Azure AD successfully authenticates you, you should see a request with a code in the payload. This is the authorization code that will be used to exchange for your tokens. Copy this value.
Method: POST

URL: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

Headers

Key | Value
---|---
Content-Type | application/x-www-form-urlencoded

Body

Key | Value
---|---
client_id | client_id
client_secret | client_secret
code | code
grant_type | authorization_code
redirect_url | redirect_url
scope | scopes
You can see the access token and the ID token in the request body
Upvotes: 2
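As an added example that is not part of the question or the answer above, the following Python script walks the same authorization code flow end to end: it builds the URL-encoded authorize link, extracts the code from the callback (checking `state`), builds the form-encoded POST to the token endpoint, and then base64url-decodes the returned ID token so the `email` and `groups` claims can be compared against the role's `user_claim`, `groups_claim` and `bound_claims` from the question. The tenant ID, client ID and redirect URI are constructed placeholders copied from the answer's example link, and the token-endpoint parameter is spelled `redirect_uri`, the same name the authorize link uses. `make_sample_jwt` fabricates an unsigned token purely so the script runs offline; `exchange_code` is the only function that talks to Azure AD.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders with the same shape as the answer's example link;
# substitute the values from your own Azure AD app registration.
TENANT_ID = "abcde123-a123-1a23-b9a9-123a456bcd7d"
CLIENT_ID = "a1bcde23-a12b-1234-1a2b-1a23456b78cd"
REDIRECT_URI = "https://application.azurewebsites.net/.auth/login/aad/callback"
SCOPES = ["openid", "profile", "email"]
STATE = "12345"  # use a random per-login value outside of a lab
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def build_authorize_url(client_id, redirect_uri, scopes, state, authority=AUTHORITY):
    """Step 1: the URL-encoded authorize link the user opens in a browser."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    # quote (not quote_plus) encodes spaces as %20, as in the answer's link
    return f"{authority}/authorize?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def extract_code(callback_url, expected_state):
    """Step 2: pull `code` out of the redirect the browser received. A state
    mismatch means the code did not come from our login, so refuse it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not from our login")
    if "error" in query:
        raise ValueError(f"Azure AD error {query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, scopes, authority=AUTHORITY):
    """Step 3: the form-encoded POST that trades the code for tokens (what the
    answer builds in Postman). The token endpoint parameter is redirect_uri."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }).encode()
    return urllib.request.Request(f"{authority}/token", data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_code(request):
    """Send the token request; the JSON response carries access_token and id_token."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


def decode_claims(jwt):
    """Step 4: base64url-decode the JWT payload to read its claims. This does not
    verify the signature; it is for inspection only (Vault verifies on login)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role_claims(claims, user_claim="email", groups_claim="groups", bound_groups=("VaultAdmins",)):
    """Mirror the role in the question: user_claim must be present and every bound
    group must appear in groups_claim. Returns the list of problems found."""
    problems = []
    if user_claim not in claims:
        problems.append(f"user_claim {user_claim!r} missing")
    groups = claims.get(groups_claim)
    if not isinstance(groups, list):
        problems.append(f"groups_claim {groups_claim!r} missing or not a list")
    else:
        problems += [f"bound group {g!r} not in {groups}" for g in bound_groups if g not in groups]
    return problems


def make_sample_jwt(claims):
    """Constructed, UNSIGNED token (alg none) so the example runs offline. Real
    Azure AD tokens are signed; never accept an unsigned token anywhere real."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}."


if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, SCOPES, STATE))
    # Offline run: decode a constructed token instead of calling exchange_code().
    token = make_sample_jwt({"email": "alice@example.com", "groups": ["VaultAdmins"]})
    claims = decode_claims(token)
    print(json.dumps(claims, indent=2), "\nproblems:", check_role_claims(claims))
```

To use it against a real tenant, print the authorize URL, log in, paste the full callback URL into `extract_code`, feed the code and your client secret to `build_token_request` and `exchange_code`, then pass `resp["id_token"]` to `decode_claims`. The claim check is where a mismatch with the Terraform role usually shows up: by default Azure AD emits group object IDs rather than display names in the `groups` claim unless the app registration's group claims are configured otherwise, and very large group memberships are replaced by an overage indicator, so a token can look valid yet never satisfy `bound_claims = { groups = "VaultAdmins" }`.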