OIDC Identity Provider

Vault is an OpenID Connect (OIDC) identity provider. This enables client applications that speak the OIDC protocol to leverage Vault's source of identity and wide range of authentication methods when authenticating end-users. Client applications can configure their authentication logic to talk to Vault. Once enabled, Vault will act as the bridge to other identity providers via its existing authentication methods. Client applications can also obtain identity information for their end-users by leveraging custom templating of Vault identity information.

Note: For more detailed information on the configuration resources and OIDC endpoints, please visit the OIDC provider concepts page.

Setup

The Vault OIDC provider system is built on top of the identity secrets engine. This secrets engine is mounted by default and cannot be disabled or moved.

Each Vault namespace has a default OIDC provider and key. This built-in configuration enables client applications to begin using Vault as a source of identity with minimal configuration. For details on the built-in configuration and advanced options, see the OIDC provider concepts page.

The following steps show a minimal configuration that allows a client application to use Vault as an OIDC provider.

  1. Enable a Vault auth method:

    $ vault auth enable userpass
    Success! Enabled userpass auth method at: userpass/

    Any Vault auth method may be used within the OIDC flow. For simplicity, enable the userpass auth method.

  2. Create a user:

    $ vault write auth/userpass/users/end-user password="securepassword"
    Success! Data written to: auth/userpass/users/end-user

    This user will authenticate to Vault through a client application, otherwise known as an OIDC relying party.

  3. Create a client application:

    $ vault write identity/oidc/client/my-webapp \
      redirect_uris="https://localhost:9702/auth/oidc-callback" \
      assignments="allow_all"
    Success! Data written to: identity/oidc/client/my-webapp

    This operation creates a client application which can be used to configure an OIDC relying party. See the client applications section for details on different client types, including confidential and public clients.

    The assignments parameter limits the Vault entities and groups that are allowed to authenticate through the client application. By default, no Vault entities are allowed. To allow all Vault entities to authenticate, the built-in allow_all assignment is provided. That is convenient for a walkthrough; for a real deployment, create an assignment that names only the entities and groups which should be able to log in through this client, since with allow_all every Vault identity becomes a valid login for the relying party. The redirect_uris value is also an authorization boundary: Vault only sends authorization codes to a redirect_uri that exactly matches one registered here, so register the relying party's real callback URL and nothing broader.

  4. Read client credentials:

    $ vault read identity/oidc/client/my-webapp

    Key                 Value
    ---                 -----
    access_token_ttl    24h
    assignments         [allow_all]
    client_id           GSDTnn3KaOrLpNlVGlYLS9TVsZgOTweO
    client_secret       hvo_secret_gBKHcTP58C4aq7FqPWsuqKgpiiegd7ahpifGae9WGkHRCwFEJTZA9KGdNVpzE0r8
    client_type         confidential
    id_token_ttl        24h
    key                 default
    redirect_uris       [https://localhost:9702/auth/oidc-callback]

    The client_id and client_secret are the client application's credentials. These values are typically required when configuring an OIDC relying party. The client_secret is what authenticates the relying party at the token endpoint, so hand it over through the relying party's own secret store rather than leaving it in a shell history or a CI log. A public client has no client_secret and uses the none token endpoint authentication method instead.

  5. Read the OIDC discovery configuration:

    $ curl -s http://127.0.0.1:8200/v1/identity/oidc/provider/default/.well-known/openid-configuration
    {
      "issuer": "http://127.0.0.1:8200/v1/identity/oidc/provider/default",
      "jwks_uri": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/.well-known/keys",
      "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize",
      "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token",
      "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/userinfo",
      "request_uri_parameter_supported": false,
      "id_token_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "EdDSA"
      ],
      "response_types_supported": [
        "code"
      ],
      "scopes_supported": [
        "openid"
      ],
      "subject_types_supported": [
        "public"
      ],
      "grant_types_supported": [
        "authorization_code"
      ],
      "token_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic"
      ]
    }

    Each Vault OIDC provider publishes discovery metadata. The issuer value is typically required when configuring an OIDC relying party. Relying parties compare it exactly against the iss claim of every ID token, so it must be the URL through which clients actually reach Vault: by default it is derived from Vault's api_addr, and the provider's issuer parameter overrides it when Vault sits behind a load balancer or is reached under a different hostname. The dev server above answers over plain http; a production deployment must publish an https issuer. Note also that token_endpoint_auth_methods_supported lists none alongside client_secret_basic: none is the method used by public clients, which have no client_secret.
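The values read in steps 4 and 5 are what the relying party side needs. The following is an added example, not code from the Vault documentation or from Vault itself: a minimal Go relying party that parses the discovery document above, builds the authorization request with a fresh state and nonce, checks the callback before spending the code, and prepares the client_secret_basic exchange at the token endpoint. The callback URL and the authorization code are constructed inline so the block runs offline; nothing is sent to Vault, and the plain-http issuer is kept only because the dev server above is unencrypted.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Provider metadata as printed in step 5, trimmed to the fields used here.
const DiscoveryJSON = `{
  "issuer": "http://127.0.0.1:8200/v1/identity/oidc/provider/default",
  "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize",
  "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token",
  "token_endpoint_auth_methods_supported": ["none", "client_secret_basic"]
}`

type Discovery struct {
	Issuer        string   `json:"issuer"`
	AuthEndpoint  string   `json:"authorization_endpoint"`
	TokenEndpoint string   `json:"token_endpoint"`
	TokenAuth     []string `json:"token_endpoint_auth_methods_supported"`
}

// Client is the relying party's copy of the values read in step 4.
type Client struct{ ID, Secret, RedirectURI string }

// ParseDiscovery refuses a provider that does not accept the client authentication this relying party uses.
func ParseDiscovery(doc string) (Discovery, error) {
	var d Discovery
	if err := json.Unmarshal([]byte(doc), &d); err != nil {
		return d, err
	}
	for _, m := range d.TokenAuth {
		if m == "client_secret_basic" {
			return d, nil
		}
	}
	return d, errors.New("provider does not accept client_secret_basic")
}

// RandomToken returns 128 bits of CSPRNG output, used for state and nonce.
func RandomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthorizationURL is the front-channel request. state ties the callback to
// this session (CSRF defence); nonce is later matched against the ID token.
func AuthorizationURL(d Discovery, c Client, state, nonce string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {c.ID}, "scope": {"openid"},
		"redirect_uri": {c.RedirectURI}, "state": {state}, "nonce": {nonce}}
	return d.AuthEndpoint + "?" + q.Encode()
}

// CheckCallback validates the redirect back to redirect_uri before the code is
// spent: an error response, a missing code or a foreign state is rejected.
func CheckCallback(callback, wantState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	switch {
	case q.Get("error") != "":
		return "", errors.New("provider returned error: " + q.Get("error"))
	case wantState == "" || q.Get("state") != wantState:
		return "", errors.New("state mismatch: possible CSRF or replayed callback")
	case q.Get("code") == "":
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// TokenRequest prepares the back-channel exchange: client_secret_basic carries
// the credentials in the Authorization header, never in the URL, and
// redirect_uri must repeat the value sent in the authorization request.
func TokenRequest(c Client, code string) (authHeader, body string) {
	authHeader = "Basic " + base64.StdEncoding.EncodeToString([]byte(url.QueryEscape(c.ID)+":"+url.QueryEscape(c.Secret)))
	body = url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {c.RedirectURI}}.Encode()
	return authHeader, body
}

func main() {
	d, err := ParseDiscovery(DiscoveryJSON)
	if err != nil {
		panic(err)
	}
	c := Client{ID: "GSDTnn3KaOrLpNlVGlYLS9TVsZgOTweO", RedirectURI: "https://localhost:9702/auth/oidc-callback",
		Secret: "hvo_secret_gBKHcTP58C4aq7FqPWsuqKgpiiegd7ahpifGae9WGkHRCwFEJTZA9KGdNVpzE0r8"}
	state, nonce := RandomToken(), RandomToken() // persist both server-side, keyed by session
	fmt.Println("redirect browser to:", AuthorizationURL(d, c, state, nonce))
	code, err := CheckCallback(c.RedirectURI+"?code=constructed-code&state="+state, state) // constructed callback
	if err != nil {
		panic(err)
	}
	hdr, body := TokenRequest(c, code)
	fmt.Printf("POST %s\nAuthorization: %s\n\n%s\n", d.TokenEndpoint, hdr, body)
}
```

The state check is the one most often skipped in hand-rolled relying parties; without it an attacker can complete a login with their own authorization code in the victim's browser session. Any real implementation must also store state and nonce server-side, bound to the session that started the flow, and discard them once used.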

Usage

After configuring a Vault auth method and client application, the following details can be used to configure an OIDC relying party to delegate end-user authentication to Vault.

  • client_id - The ID of the client application
  • client_secret - The secret of the client application
  • issuer - The issuer of the Vault OIDC provider

A number of HashiCorp products provide OIDC authentication methods. This means that they can leverage Vault as a source of identity using the OIDC protocol. See the following links for details on configuring OIDC authentication for other HashiCorp products:

  • Boundary
  • Consul
  • Waypoint

Otherwise, refer to the documentation of the specific OIDC relying party for usage details.

Supported Flows

The Vault OIDC provider feature currently supports the following authentication flow:

  • Authorization Code Flow.
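The authorization code flow ends with the relying party validating the ID token Vault returns from the token endpoint, and that validation is where most of the security of the flow lives. The following is an added example, not Vault code and not from this page: a Go verifier that checks a Vault-style ID token against the keys published at jwks_uri. It handles only the EdDSA (Ed25519) algorithm from the list in step 5 and rejects every other alg. MintIDToken and PublishJWKS are local stand-ins for Vault's signing key so the block runs offline, and the assumption that aud carries the bare client_id string is marked in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var jose = base64.RawURLEncoding // JWS/JWK encoding: URL-safe, unpadded

// JWK and JWKS as served at jwks_uri. Vault advertises RS*, ES* and EdDSA;
// this example accepts only EdDSA (OKP/Ed25519) keys and rejects the rest.
type JWK struct{ Kty, Crv, Kid, X string }
type JWKS struct{ Keys []JWK }

func (j JWKS) ed25519Key(kid string) (ed25519.PublicKey, error) {
	for _, k := range j.Keys {
		x, err := jose.DecodeString(k.X)
		if k.Kid == kid && k.Kty == "OKP" && k.Crv == "Ed25519" && err == nil && len(x) == ed25519.PublicKeySize {
			return ed25519.PublicKey(x), nil
		}
	}
	return nil, fmt.Errorf("no usable Ed25519 key with kid %q", kid)
}

// Claims are the ID token fields checked below. aud is modelled as the bare
// client_id string (assumed here to be what Vault issues).
type Claims struct {
	Iss, Sub, Aud, Nonce string
	Exp                  int64
}

// VerifyIDToken is the relying party's final step of the code flow: pin the
// algorithm (unsigned or HMAC tokens are rejected), verify the signature with
// the key named by kid, and only then trust iss, aud, exp and nonce.
func VerifyIDToken(raw string, keys JWKS, issuer, clientID, nonce string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := jose.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("bad header or unsupported alg")
	}
	pub, err := keys.ed25519Key(hdr.Kid)
	if err != nil {
		return c, err
	}
	sig, err := jose.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("signature invalid")
	}
	pb, err := jose.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return c, errors.New("iss does not match the discovered issuer")
	case c.Aud != clientID:
		return c, errors.New("aud is not this client_id")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, errors.New("token expired")
	case c.Nonce != nonce:
		return c, errors.New("nonce does not match this login")
	}
	return c, nil
}

// MintIDToken and PublishJWKS stand in for Vault's signing key so the block
// runs offline; they are a local simulation, not Vault's implementation.
func MintIDToken(priv ed25519.PrivateKey, kid string, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	p, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp, "nonce": c.Nonce})
	input := jose.EncodeToString(h) + "." + jose.EncodeToString(p)
	return input + "." + jose.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

func PublishJWKS(pub ed25519.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: jose.EncodeToString(pub)}}}
}

func main() {
	const issuer, clientID = "http://127.0.0.1:8200/v1/identity/oidc/provider/default", "GSDTnn3KaOrLpNlVGlYLS9TVsZgOTweO"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := "constructed-nonce" // in practice the nonce sent in the authorization request
	tok := MintIDToken(priv, "k1", Claims{Iss: issuer, Sub: "entity-id", Aud: clientID, Nonce: nonce, Exp: time.Now().Add(time.Hour).Unix()})
	claims, err := VerifyIDToken(tok, PublishJWKS(pub, "k1"), issuer, clientID, nonce, time.Now())
	fmt.Println(claims.Sub, err)
}
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is pinned to what the relying party expects rather than taken from the token header, which is what defeats alg=none and key-confusion attacks. A production relying party would additionally fetch jwks_uri over TLS, cache it, and re-fetch on an unknown kid to survive Vault's key rotation.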

Tutorial

Refer to the Vault as an OIDC Identity Provider tutorial to learn how to configure HashiCorp Boundary to leverage Vault as a source of identity using the OIDC protocol.

API

The Vault OIDC provider feature has a full HTTP API. Please see the OIDC identity provider API for more details.
