JWT/OIDC

Note

The hvac.api.auth_methods.JWT and hvac.api.auth_methods.OIDC classes share all the same methods. They differ only in the default mount path their methods use, i.e. v1/auth/jwt versus v1/auth/oidc.

Enabling

import hvac
client = hvac.Client()

# Both backends are enabled through the sys API; the only thing that
# differs is the method_type, so drive the two calls from one tuple.
# First entry enables JWT, second enables OIDC.
for auth_method_type in ('jwt', 'oidc'):
    client.sys.enable_auth_method(
        method_type=auth_method_type,
    )

Configure

hvac.api.auth_methods.JWT.configure()

import hvac
client = hvac.Client()

# The same settings apply to either mount; configure() differs only in
# the default path it writes to (v1/auth/jwt versus v1/auth/oidc).
# oidc_discovery_ca_pem is the CA (PEM) used to validate the TLS
# connection to the discovery URL; pass it explicitly when the identity
# provider is fronted by a private CA instead of trusting the system store.
discovery_settings = dict(
    oidc_discovery_url=oidc_discovery_url,
    oidc_discovery_ca_pem=some_ca_file_contents,
)

client.auth.jwt.configure(**discovery_settings)

# or

client.auth.oidc.configure(**discovery_settings)

Read Config

hvac.api.auth_methods.JWT.read_config()

import hvac
client = hvac.Client()

# read_config() is identical on both mounts; call whichever one the
# backend was enabled on. The settings live under the 'data' key of the
# usual Vault response envelope.
read_response = client.auth.jwt.read_config()
# or
read_response = client.auth.oidc.read_config()

config_data = read_response['data']
discovery_url = config_data['oidc_discovery_url']
print('Current OIDC discovery URL is set to: %s' % discovery_url)

Create Role

hvac.api.auth_methods.JWT.create_role()

import hvac
client = hvac.Client()

role_name = 'hvac'
allowed_redirect_uris = ['https://localhost:8200/jwt-test/callback']
user_claim = 'https://vault/user'

# JWT role: tokens are presented directly to Vault, so the role pins the
# expected audience -- a token whose 'aud' matches none of bound_audiences
# is rejected. user_claim names the claim Vault uses as the entity alias.
jwt_role_settings = dict(
    name=role_name,
    role_type='jwt',
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim='sub',
    bound_audiences=['12345'],
)
client.auth.jwt.create_role(**jwt_role_settings)

# OIDC role: the browser flow will only redirect back to a URI listed in
# allowed_redirect_uris, so keep that list to callbacks you control.
oidc_role_settings = dict(
    name=role_name,
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim=user_claim,
)
client.auth.oidc.create_role(**oidc_role_settings)

Read Role

hvac.api.auth_methods.JWT.read_role()

import hvac
client = hvac.Client()

# Role settings come back under 'data'; user_claim is the claim that
# the role maps to the Vault entity alias.
role_response = client.auth.jwt.read_role(
    name='hvac',
)
role_user_claim = role_response['data']['user_claim']
print('hvac role has a user_claim setting of: %s' % role_user_claim)

List Roles

hvac.api.auth_methods.JWT.list_roles()

import hvac
client = hvac.Client()

# The list response carries role names under data['keys'].
list_resp = client.auth.jwt.list_roles()
role_names = list_resp['data']['keys']
print('Configured roles: %s' % ', '.join(role_names))

Delete Role

hvac.api.auth_methods.JWT.delete_role()

import hvac
client = hvac.Client()

# Remove the role created above; logins against it stop working immediately,
# tokens already issued are unaffected until they expire or are revoked.
role_to_delete = 'hvac'
client.auth.jwt.delete_role(name=role_to_delete)

OIDC Authorization URL Request

hvac.api.auth_methods.JWT.oidc_authorization_url_request()

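import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse
import hvac


# handles the callback
def login_odic_get_token(auth_url=None, port=8250):
    """Serve one HTTP request on loopback and return the 'code' it carried.

    This is the local redirect target of the OIDC browser flow: the identity
    provider sends the browser back to http://localhost:<port>/oidc/callback
    with the authorization code in the query string, and this function
    captures that code so it can be handed to Vault's oidc_callback().

    Args:
        auth_url: when given, opened in the browser only after the listener
            is bound, so the redirect cannot arrive before anyone is listening.
        port: local TCP port to listen on; must match the port in the
            redirect_uri passed to oidc_authorization_url_request().

    Returns:
        The authorization code as a string, or None when the callback carried
        no 'code' parameter (e.g. the provider redirected with error=...).
    """

    class HttpServ(HTTPServer):
        def __init__(self, *args, **kwargs):
            HTTPServer.__init__(self, *args, **kwargs)
            self.token = None

    class AuthHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Parse the query structurally; splitting on '?' raises IndexError
            # on a callback without any parameters.
            params = parse.parse_qs(parse.urlsplit(self.path).query)
            # A provider error response carries error=... and no code; record
            # None instead of raising inside the handler.
            code = params.get('code', [None])[0]
            self.server.token = code
            if code is None:
                self.send_response(400)
                self.end_headers()
                self.wfile.write(str.encode('<div>Authentication failed, no authorization code received.</div>'))
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(str.encode('<div>Authentication successful, you can close the browser now.</div>'))

        def log_message(self, format, *args):
            # The default logger prints the request line -- including the
            # authorization code in the query string -- to stderr. Keep it out
            # of terminal scrollback and log files.
            pass

    # Bind to loopback only: the redirect_uri is localhost, and binding to ''
    # would expose the callback listener on every interface of the host.
    server_address = ('127.0.0.1', port)
    httpd = HttpServ(server_address, AuthHandler)
    if auth_url is not None:
        webbrowser.open(auth_url)
    httpd.handle_request()  # exactly one request, then return
    return httpd.token


client = hvac.Client()

# The redirect_uri must be listed in the role's allowed_redirect_uris and
# its port must match the listener started by login_odic_get_token().
auth_url_response = client.auth.oidc.oidc_authorization_url_request(
    role='hvac',
    redirect_uri='http://localhost:8250/oidc/callback'
)
auth_url = auth_url_response['data']['auth_url']
if not auth_url:
    raise SystemExit('Vault returned an empty auth_url; check the role and redirect_uri')

# Vault generates nonce and state and embeds them in auth_url; they are sent
# back with the code so Vault can bind the callback to this request.
auth_url_params = parse.parse_qs(parse.urlsplit(auth_url).query)
auth_url_nonce = auth_url_params['nonce'][0]
auth_url_state = auth_url_params['state'][0]

token = login_odic_get_token(auth_url)
if token is None:
    raise SystemExit('OIDC callback did not return an authorization code')

auth_result = client.auth.oidc.oidc_callback(
    code=token, path='oidc', nonce=auth_url_nonce, state=auth_url_state
)

print('Client token returned: %s' % auth_result['auth']['client_token'])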

JWT Login

hvac.api.auth_methods.JWT.jwt_login()

import hvac
client = hvac.Client()

# Present the raw JWT to the role; Vault checks the signature against the
# configured keys/discovery document and the role's bound_* settings before
# issuing a client token.
login_kwargs = dict(
    role=role_name,
    jwt=generate_token_response['data']['token'],
)
login_response = client.auth.jwt.jwt_login(**login_kwargs)
print('Client token returned: %s' % login_response['auth']['client_token'])