Configure the OIDC authentication method

To configure the OIDC authentication method in HashiCorp Vault, you can use a CLI command or use the API. For the API method, you can use either HCP Vault Dedicated or HCP Vault.

Use a CLI command

This configuration uses the default oidc mount path. If you've created a custom path (for example, okta-oidc), then you need to update the path variable for the integration in Okta so that the redirect URIs still match.

  1. Run this command to enable the OIDC authentication method at the default oidc path:

     vault auth enable oidc

  2. Run this command to create a role named vault-role-okta-default:

     vault write auth/oidc/role/vault-role-okta-default \
         bound_audiences="$OKTA_CLIENT_ID" \
         allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
         allowed_redirect_uris="http://localhost:8250/oidc/callback" \
         user_claim="sub" \
         token_policies="default"

     Passing allowed_redirect_uris twice makes the CLI send both values as a list: the first is the Vault UI callback and the second is the local callback used by vault login -method=oidc.

  3. Run this command to configure the OIDC authentication method:

     vault write auth/oidc/config \
         oidc_discovery_url="https://$OKTA_DOMAIN" \
         oidc_client_id="$OKTA_CLIENT_ID" \
         oidc_client_secret="$OKTA_CLIENT_SECRET" \
         default_role="vault-role-okta-default"

     In HCP Vault, the oidc_discovery_url, oidc_client_id, and oidc_client_secret are set to the variables that you configured in the previous section.

  4. Run this command to view the enabled authentication methods and confirm that oidc/ is listed:

     vault auth list

Use the API

Complete these steps in either HCP Vault Dedicated or HCP Vault.

HCP Vault Dedicated

  1. Send a request that enables the OIDC authentication method at the sys/auth/oidc endpoint:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
         --request POST \
         --data '{"type": "oidc"}' \
         $VAULT_ADDR/v1/sys/auth/oidc

  2. Write the vault-role-okta-default role definition to a file:

     tee vault-role-okta-default.json <<EOF
     {
       "bound_audiences": "$OKTA_CLIENT_ID",
       "allowed_redirect_uris": [
         "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
         "http://localhost:8250/oidc/callback"
       ],
       "user_claim": "sub",
       "token_policies": ["default"]
     }
     EOF

     The allowed_redirect_uris in the request use the callback URLs that you defined in the previous section. The user_claim tells the app how to identify each unique user. See OpenID Connect and OAuth 2.0 for more information.

  3. Send a request to create the vault-role-okta-default role from that file:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
         --request POST \
         --data @vault-role-okta-default.json \
         $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-default

  4. Write the OIDC configuration definition to a file:

     tee oidc_config.json <<EOF
     {
       "oidc_discovery_url": "https://$OKTA_DOMAIN",
       "oidc_client_id": "$OKTA_CLIENT_ID",
       "oidc_client_secret": "$OKTA_CLIENT_SECRET",
       "default_role": "vault-role-okta-default"
     }
     EOF

     In HCP Vault, the oidc_discovery_url, oidc_client_id, and oidc_client_secret are set to the variables that you configured in the previous section. Also, the default_role is set to vault-role-okta-default.

  5. Send a request that writes the OIDC configuration to the auth method:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
         --request POST \
         --data @oidc_config.json \
         $VAULT_ADDR/v1/auth/oidc/config

HCP Vault

  1. Send a request that enables the OIDC authentication method at the sys/auth/oidc endpoint:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --request POST \
         --data '{"type": "oidc"}' \
         $VAULT_ADDR/v1/sys/auth/oidc

  2. Write the vault-role-okta-default role definition to a file:

     tee vault-role-okta-default.json <<EOF
     {
       "bound_audiences": "$OKTA_CLIENT_ID",
       "allowed_redirect_uris": [
         "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
         "http://localhost:8250/oidc/callback"
       ],
       "user_claim": "sub",
       "token_policies": ["default"]
     }
     EOF

  3. Send a request that creates the vault-role-okta-default role from that file:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --request POST \
         --data @vault-role-okta-default.json \
         $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-default

  4. Write the OIDC configuration definition to a file:

     tee oidc_config.json <<EOF
     {
       "oidc_discovery_url": "https://$OKTA_DOMAIN",
       "oidc_client_id": "$OKTA_CLIENT_ID",
       "oidc_client_secret": "$OKTA_CLIENT_SECRET",
       "default_role": "vault-role-okta-default"
     }
     EOF

  5. Send a request that writes the OIDC configuration to the auth method:

     curl --header "X-Vault-Token: $VAULT_TOKEN" \
         --request POST \
         --data @oidc_config.json \
         $VAULT_ADDR/v1/auth/oidc/config
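The role and config bodies above are easy to get subtly wrong (a plain-HTTP redirect URI, a missing client ID in bound_audiences, a discovery URL without HTTPS). The following added example, which is not part of the tutorial or of Vault itself, builds the same two payloads from the tutorial's variables and checks them before you POST them; the sample values are constructed.

```python
from urllib.parse import urlparse

# Hypothetical helper (not from the Vault tutorial): it rebuilds the
# vault-role-okta-default.json and oidc_config.json bodies and checks them.
EXPECTED_ROLE = "vault-role-okta-default"


def build_role_payload(vault_addr, okta_client_id):
    """Role body matching the vault-role-okta-default.json heredoc above."""
    return {
        "bound_audiences": [okta_client_id],
        "allowed_redirect_uris": [
            f"{vault_addr}/ui/vault/auth/oidc/oidc/callback",  # Vault UI login
            "http://localhost:8250/oidc/callback",  # vault login -method=oidc
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
    }


def build_config_payload(okta_domain, okta_client_id, okta_client_secret):
    """Config body matching the oidc_config.json heredoc above."""
    return {
        "oidc_discovery_url": f"https://{okta_domain}",
        "oidc_client_id": okta_client_id,
        "oidc_client_secret": okta_client_secret,
        "default_role": EXPECTED_ROLE,
    }


def check_role(role, okta_client_id):
    """Return findings as strings; an empty list means the role matches the tutorial."""
    findings = []
    if okta_client_id not in role.get("bound_audiences", []):
        findings.append("bound_audiences does not contain the Okta client ID")
    for uri in role.get("allowed_redirect_uris", []):
        parsed = urlparse(uri)
        # Only the loopback CLI callback may use plain HTTP.
        if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"redirect URI is not HTTPS: {uri}")
    if role.get("user_claim") != "sub":
        findings.append("user_claim should be 'sub' so each Okta user maps to one identity")
    if not role.get("token_policies"):
        findings.append("token_policies is empty")
    return findings


def check_config(cfg):
    """Return findings for the OIDC config body."""
    findings = []
    if not cfg.get("oidc_discovery_url", "").startswith("https://"):
        findings.append("oidc_discovery_url must use HTTPS")
    if not cfg.get("oidc_client_secret"):
        findings.append("oidc_client_secret is missing")
    if cfg.get("default_role") != EXPECTED_ROLE:
        findings.append(f"default_role is not {EXPECTED_ROLE}")
    return findings
```

Run check_role and check_config on the payloads before sending them with curl; if either returns findings, fix the variables rather than the JSON by hand.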

Next step

Configure groups and policies