Configure the OIDC authentication method

To configure the OIDC authentication method in HashiCorp Vault, you can use a CLI command or use the API. For the API method, the steps are given for both HCP Vault Dedicated and HCP Vault.

Use a CLI command

This configuration uses the default oidc mount path. If you've created a custom path (for example, okta-oidc), then you need to update the path variable for the integration in Okta.

  1. Run this command to enable the OIDC authentication method at the default oidc path:
    vault auth enable oidc
  2. Run this command to create a role named vault-role-okta-default:
    vault write auth/oidc/role/vault-role-okta-default \
    	bound_audiences="$OKTA_CLIENT_ID" \
    	allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
    	allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    	user_claim="sub" \
    	token_policies="default"
  3. Run this command to configure the OIDC authentication method:
    vault write auth/oidc/config \
    	oidc_discovery_url="https://$OKTA_DOMAIN" \
    	oidc_client_id="$OKTA_CLIENT_ID" \
    	oidc_client_secret="$OKTA_CLIENT_SECRET" \
    	default_role="vault-role-okta-default"
    

    In HCP Vault, the oidc_discovery_url, oidc_client_id, and oidc_client_secret are set to the variables that you configured in the previous section.

  4. Run this command to view the enabled authentication methods:
    vault auth list
    

Use the API

Complete these steps in either HCP Vault Dedicated or HCP Vault.

HCP Vault Dedicated

  1. Send a request that enables the OIDC authentication method at the sys/auth/oidc endpoint:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--header "X-Vault-Namespace: $VAULT_NAMESPACE" \
    	--request POST \
    	--data '{"type": "oidc"}' \
    	$VAULT_ADDR/v1/sys/auth/oidc
  2. Send a request that contains the vault-role-okta-default role definition:
    tee vault-role-okta-default.json <<EOF
    {
    	"bound_audiences": "$OKTA_CLIENT_ID",
    	"allowed_redirect_uris": [
    		"$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
    		"http://localhost:8250/oidc/callback"
    	],
    	"user_claim": "sub",
    	"token_policies": ["default"]
    }
    EOF

    The allowed_redirect_uris in the request use the callback URLs that you defined in the previous section. The user_claim tells the app how to identify each unique user. See OpenID Connect and OAuth 2.0 for more information.

  3. Send a request that creates the vault-role-okta-default role:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--header "X-Vault-Namespace: $VAULT_NAMESPACE" \
    	--request POST \
    	--data @vault-role-okta-default.json \
    	$VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-default
  4. Send a request that contains the OIDC configuration definition:
    tee oidc_config.json <<EOF
    {
    	"oidc_discovery_url": "https://$OKTA_DOMAIN",
    	"oidc_client_id": "$OKTA_CLIENT_ID",
    	"oidc_client_secret": "$OKTA_CLIENT_SECRET",
    	"default_role": "vault-role-okta-default"
    }
    EOF
    
    In HCP Vault, the oidc_discovery_url, oidc_client_id, and oidc_client_secret are set to the variables that you configured in the previous section. Also, the default_role is set to vault-role-okta-default.
  5. Send a request that configures the OIDC authentication method:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--header "X-Vault-Namespace: $VAULT_NAMESPACE" \
    	--request POST \
    	--data @oidc_config.json \
    	$VAULT_ADDR/v1/auth/oidc/config

HCP Vault

  1. Send a request that enables the OIDC authentication method at the sys/auth/oidc endpoint:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--request POST \
    	--data '{"type": "oidc"}' \
    	$VAULT_ADDR/v1/sys/auth/oidc
  2. Send a request that contains the vault-role-okta-default role definition:
    tee vault-role-okta-default.json <<EOF
    {
    	"bound_audiences": "$OKTA_CLIENT_ID",
    	"allowed_redirect_uris": [
    		"$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
    		"http://localhost:8250/oidc/callback"
    	],
    	"user_claim": "sub",
    	"token_policies": ["default"]
    }
    EOF
  3. Send a request that creates the vault-role-okta-default role:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--request POST \
    	--data @vault-role-okta-default.json \
    	$VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-default
  4. Send a request that contains the definition of the OIDC configuration:
    tee oidc_config.json <<EOF
    {
    	"oidc_discovery_url": "https://$OKTA_DOMAIN",
    	"oidc_client_id": "$OKTA_CLIENT_ID",
    	"oidc_client_secret": "$OKTA_CLIENT_SECRET",
    	"default_role": "vault-role-okta-default"
    }
    EOF
  5. Send a request that configures the OIDC authentication method:
    curl --header "X-Vault-Token: $VAULT_TOKEN" \
    	--request POST \
    	--data @oidc_config.json \
    	$VAULT_ADDR/v1/auth/oidc/config
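Whichever of the three variants above you use, the settings that actually bound a login are bound_audiences, user_claim and allowed_redirect_uris, so it is worth checking the two payloads before writing them. The following is an added example, not HashiCorp's code: it builds the same role and config documents as the guide and flags an audience that does not match the Okta client ID, a missing user claim, a wildcard or root-path redirect URI, or a non-HTTPS redirect URI (the localhost:8250 callback used by the CLI login is allowed). The check rules are my own, and the Vault address, Okta domain and client ID are constructed placeholders.

```python
"""Build and sanity-check the OIDC role/config from this guide (added example, not HashiCorp's code)."""
from urllib.parse import urlparse

def build_payloads(vault_addr, okta_domain, client_id, client_secret):
    """Return (role, config) dicts matching the two JSON files in the guide."""
    role = {
        "bound_audiences": [client_id],
        "allowed_redirect_uris": [
            f"{vault_addr}/ui/vault/auth/oidc/oidc/callback",  # UI login callback
            "http://localhost:8250/oidc/callback",             # CLI login callback
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
    }
    config = {
        "oidc_discovery_url": f"https://{okta_domain}",
        "oidc_client_id": client_id,
        "oidc_client_secret": client_secret,
        "default_role": "vault-role-okta-default",
    }
    return role, config

def check_role(role, client_id):
    """Return findings for the role payload (empty list means it is tightly bound)."""
    findings = []
    if client_id not in role.get("bound_audiences", []):
        findings.append("bound_audiences does not contain the Okta client ID")
    if not role.get("user_claim"):
        findings.append("user_claim is unset; Vault cannot identify the user")
    for uri in role.get("allowed_redirect_uris", []):
        u = urlparse(uri)
        loopback = u.hostname in ("localhost", "127.0.0.1")  # CLI callback on 8250
        if "*" in uri or u.path in ("", "/"):
            findings.append(f"redirect URI is too broad: {uri}")
        elif u.scheme != "https" and not loopback:
            findings.append(f"redirect URI is not https: {uri}")
    return findings

def check_config(config):
    """Return findings for the auth/oidc/config payload."""
    findings = []
    if not config.get("oidc_discovery_url", "").startswith("https://"):
        findings.append("oidc_discovery_url must use https")
    if not config.get("oidc_client_secret"):
        findings.append("oidc_client_secret is empty")
    return findings

if __name__ == "__main__":  # constructed placeholder values, not real tenant data
    r, c = build_payloads("https://vault.example.com:8200", "dev-0.okta.com", "0oaPLACEHOLDER", "secret")
    print(check_role(r, "0oaPLACEHOLDER") + check_config(c) or "OK")
```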

Next step

Configure groups and policies