时间戳

首页 > 解决方案 > Hashicorp Vault 错误“组”,在令牌中找不到声明

hashicorp-vault - Hashicorp Vault 错误“组”,在令牌中找不到声明

问题描述

我正在尝试在 Hashicorp Vault 中使用 Azure AD 配置 OIDC 登录,但出现此错误:

"groups," claim not found in token

它发生在我尝试使用组应用一项策略时。使用默认组(读者组)它可以工作

这是我所做的所有步骤:

策略配置:

vault policy write manager manager.hcl

manager.hcl 的内容:

path "/secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

vault policy write reader reader.hcl

reader.hcl 的内容:

path "/secret/*" {
    capabilities = ["read", "list"]
}

激活 OIDC:

vault auth enable oidc

vault write auth/oidc/config \
        oidc_discovery_url="https://login.microsoftonline.com/{my-tenant-id}/v2.0" \
        oidc_client_id="{my-client-id}" \
        oidc_client_secret="{my-client-secret}" \
        default_role="reader"

vault write auth/oidc/role/reader \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        policies="reader" \
        verbose_oidc_logging="true"

然后登录vault login -method=oidc

使用上述命令,我可以登录。

当我更改角色以匹配 OIDC 组时出现问题(遵循此文档https://learn.hashicorp.com/vault/identity-access-management/oidc-auth#cli-command-3):

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"

vault write identity/group name="manager" type="external" \
        policies="manager" \
        metadata=responsibility="Manager"

vault write identity/group-alias name="{my-group-hash-1}" \
        mount_accessor={id-of-oidc-config} \
        canonical_id="{group-id-from-above-command}"

然后当我尝试登录时出现错误 "groups," claim not found in token 当我将令牌放入 jwt.io 调试器时,有一个这样的组列表:

  "groups": [
    "my-group-hash-1",
    "my-group-hash-2",
    ...
  ],

如何解决此问题以根据令牌中的组定义策略?保险柜版本是 1.4.2

标签: hashicorp-vault

解决方案

在这个命令中:

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \   # <----- You have a comma here
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"

groups_claim你在论点上有一个额外的逗号。删除逗号,它应该可以解决您的问题。

推荐阅读