JWT/OIDC
Note
hvac.api.auth_methods.JWT and hvac.api.auth_methods.OIDC expose exactly the same methods; they differ only in the default mount path those methods call, i.e. v1/auth/jwt versus v1/auth/oidc.
Enabling
import hvac

client = hvac.Client()

# Mount both backends at their default paths (auth/jwt and auth/oidc).
# Each call is one enable_auth_method request, in the same order as before.
for method_type in ('jwt', 'oidc'):
    client.sys.enable_auth_method(
        method_type=method_type,
    )
Configure
hvac.api.auth_methods.JWT.configure()
import hvac

client = hvac.Client()

# Both mounts take the same settings. oidc_discovery_ca_pem is the CA (or
# chain) Vault uses to validate the TLS connection to the discovery URL;
# without it the server's system trust store is used, so pin it when the
# issuer is internal. Placeholders here are expected to be defined by the caller.
discovery_settings = dict(
    oidc_discovery_url=oidc_discovery_url,
    oidc_discovery_ca_pem=some_ca_file_contents,
)

client.auth.jwt.configure(**discovery_settings)
# or
client.auth.oidc.configure(**discovery_settings)
Read Config
hvac.api.auth_methods.JWT.read_config()
import hvac

client = hvac.Client()

# Either mount answers the same read endpoint; use whichever one is enabled.
current_config = client.auth.jwt.read_config()
# or
current_config = client.auth.oidc.read_config()

discovery_url = current_config['data']['oidc_discovery_url']
print('Current OIDC discovery URL is set to: %s' % discovery_url)
Create Role
hvac.api.auth_methods.JWT.create_role()
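import hvac

client = hvac.Client()

role_name = 'hvac'
# Vault only issues an authorization URL for a redirect_uri that appears in
# this list (exact match). The OIDC login example on this page requests
# http://localhost:8250/oidc/callback for the 'hvac' role, so that URI has to
# be listed here or the auth-URL request is refused.
allowed_redirect_uris = [
    'https://localhost:8200/jwt-test/callback',
    'http://localhost:8250/oidc/callback',
]
user_claim = 'https://vault/user'

# JWT role: identity is taken from the 'sub' claim, and only tokens whose
# 'aud' contains 12345 are accepted. Keep at least one bound_* constraint on
# a jwt role; without one any token the issuer ever signed could log in.
client.auth.jwt.create_role(
    name=role_name,
    role_type='jwt',
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim='sub',
    bound_audiences=['12345'],
)

# OIDC role: identity is taken from the claim named by user_claim in the ID
# token returned by the browser-based flow.
client.auth.oidc.create_role(
    name=role_name,
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim=user_claim,
)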
Read Role
hvac.api.auth_methods.JWT.read_role()
import hvac

client = hvac.Client()

# Fetch the role definition and report which claim it maps to the identity.
role_response = client.auth.jwt.read_role(name='hvac')
configured_user_claim = role_response['data']['user_claim']
print('hvac role has a user_claim setting of: %s' % configured_user_claim)
List Roles
hvac.api.auth_methods.JWT.list_roles()
import hvac

client = hvac.Client()

# The LIST response carries role names under data.keys.
role_names = client.auth.jwt.list_roles()['data']['keys']
print('Configured roles: %s' % ', '.join(role_names))
Delete Role
hvac.api.auth_methods.JWT.delete_role()
import hvac

client = hvac.Client()

# Remove the 'hvac' role from the jwt mount; tokens already issued through it
# are not revoked by this call.
role_to_delete = 'hvac'
client.auth.jwt.delete_role(name=role_to_delete)
OIDC Authorization URL Request
hvac.api.auth_methods.JWT.oidc_authorization_url_request()
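import http.server
import time
import webbrowser
from urllib import parse

import hvac

# Must match an entry in the role's allowed_redirect_uris exactly, or Vault
# refuses to issue an authorization URL.
REDIRECT_URI = 'http://localhost:8250/oidc/callback'
CALLBACK_PORT = 8250


def login_odic_get_token(*, expected_state=None, timeout=300):
    """Run a loopback HTTP listener and return the IdP's authorization code.

    The browser is redirected to REDIRECT_URI after the user authenticates;
    this function serves that request and captures its ``code`` parameter.

    Args:
        expected_state: the ``state`` value taken from the authorization URL.
            When given, a callback whose ``state`` differs is answered with
            400 and ignored, so a stray or attacker-initiated redirect cannot
            inject a code into this login. Keyword-only so the original
            zero-argument call still works.
        timeout: seconds to wait for a usable callback before giving up.

    Returns:
        The authorization code as a string, or None if the IdP reported an
        error or nothing acceptable arrived before ``timeout``.
    """

    class HttpServ(http.server.HTTPServer):
        """HTTPServer that records the outcome of the one callback it serves."""

        def __init__(self, *args, **kwargs):
            super().__init__(*args, **kwargs)
            self.token = None   # authorization code once received
            self.failed = False  # set when the IdP returned an error

    class AuthHandler(http.server.BaseHTTPRequestHandler):
        """Accept only the callback for this login and capture its code."""

        def log_message(self, fmt, *args):
            # The default implementation logs the full request line to stderr,
            # which would write the authorization code (and state) to the
            # terminal or log file. Stay silent.
            pass

        def _reply(self, status, body):
            self.send_response(status)
            self.send_header('Content-Type', 'text/html; charset=utf-8')
            self.end_headers()
            self.wfile.write(body.encode('utf-8'))

        def do_GET(self):
            # urlsplit tolerates a missing query string; the old split('?')[1]
            # raised IndexError on any request without one.
            params = parse.parse_qs(parse.urlsplit(self.path).query)
            if 'error' in params:
                # The IdP declined (e.g. access_denied); no code will follow.
                self.server.failed = True
                self._reply(400, '<div>Authentication failed.</div>')
                return
            returned_state = params.get('state', [None])[0]
            if expected_state is not None and returned_state != expected_state:
                # Not the callback for the request we started (stale tab or a
                # forged redirect): refuse it and keep waiting for the real one.
                self._reply(400, '<div>Unexpected state.</div>')
                return
            code = params.get('code', [None])[0]
            if code is None:
                self._reply(400, '<div>Missing authorization code.</div>')
                return
            self.server.token = code
            self._reply(200, '<div>Authentication successful, you can close the browser now.</div>')

    # Bind to loopback only. The original bound '' (every interface), which
    # exposed the listener -- and the authorization code it receives -- to the
    # whole network even though the redirect URI is localhost.
    server_address = ('127.0.0.1', CALLBACK_PORT)
    with HttpServ(server_address, AuthHandler) as httpd:
        httpd.timeout = 1  # handle_request() returns each second so the deadline is honoured
        deadline = time.monotonic() + timeout
        while httpd.token is None and not httpd.failed and time.monotonic() < deadline:
            httpd.handle_request()
        return httpd.token


client = hvac.Client()

auth_url_response = client.auth.oidc.oidc_authorization_url_request(
    role='hvac',
    redirect_uri=REDIRECT_URI,
)
auth_url = auth_url_response['data']['auth_url']
if not auth_url:
    # A top-level `return` is not valid here; fail loudly instead.
    raise RuntimeError('Vault returned no auth_url; check the role and its allowed_redirect_uris')

# Vault generated nonce and state and verifies both on the callback; we keep
# state so the local listener can reject redirects that are not ours.
params = parse.parse_qs(parse.urlsplit(auth_url).query)
auth_url_nonce = params['nonce'][0]
auth_url_state = params['state'][0]

webbrowser.open(auth_url)
code = login_odic_get_token(expected_state=auth_url_state)
if code is None:
    raise RuntimeError('did not receive an authorization code from the identity provider')

auth_result = client.auth.oidc.oidc_callback(
    code=code, path='oidc', nonce=auth_url_nonce, state=auth_url_state
)
# client_token is a bearer credential; outside of an example, assign it to
# client.token rather than printing it.
print('Client token returned: %s' % auth_result['auth']['client_token'])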
JWT Login
hvac.api.auth_methods.JWT.jwt_login()
import hvac

client = hvac.Client()

# role_name and generate_token_response are placeholders supplied by the
# caller; the JWT must satisfy the role's bound_* constraints to be accepted.
presented_jwt = generate_token_response['data']['token']
login_response = client.auth.jwt.jwt_login(
    role=role_name,
    jwt=presented_jwt,
)

# client_token is a bearer credential; avoid printing it outside of examples.
print('Client token returned: %s' % login_response['auth']['client_token'])