Skip to content

mikegreen/vault-okta-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
example.auto.tfvars
example.auto.tfvars
 
 
main.tf
main.tf
 
 
policies.tf
policies.tf
 
 
providers.tf
providers.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

vault-okta-demo

Prerequisites

  1. Define variables from the example example.auto.tfvars file
  2. Okta developer (https://developer.okta.com) or corporate account
  3. Okta API token - from https://dev-123456-admin.okta.com/admin/access/api/tokens
  4. Vault running (dev mode is fine)
  5. Vault's address in the vault_addr TF variable. This is needed even if the environment variable VAULT_ADDR is set, as we need to use it for the URLs
  6. Vault token in env var VAULT_TOKEN (recommended) or in variable+providers.tf
  7. For testing, users in Okta, and assigned to the groups once created
  8. In Okta, Directory -> Groups -> vault-admins and vault-devs

Running

  1. Do the prereq's above
  2. terraform apply
  3. Assign one of your users to the vault-admins and vault-devs groups
  4. Test by running $ vault login -method=oidc -path=okta_oidc role=okta_admin This will open your browser to login with the Okta user assigned to your new vault-admins/vault-devs group, and return a token in the CLI.
  5. To test in the UI, select the okta_oidc tab on the login page, and enter okta_admin or okta_devs

Troubleshooting

1.

Error exchanging oidc code: "Provider.Exchange: id_token failed verification: Provider.VerifyIDToken: invalid id_token audiences: verifyAudiences: invalid id_token audiences: invalid audience".

This means the bound_audiences for the vault_jwt_auth_backend_role that Vault is trying are missing/invalid. Ensure the terraform created app client_id (not the client_id variable set) and api://vault are in the role, ie:

2.

        "bound_audiences": [
          "0oa4rr3i4dydl3pMf4x7",
          "api://vault"
        ],

3.

Vault login failed.
No code or id_token received.

This usually means the user trying to authenticate is not part of the vault-admins or vault-devs groups in Okta.

4.

error validating claims: claim "groups" is missing

Check for a mismatch in the Okta group name and the API -> Claims filter.

5.

error validating claims: claim "groups" does not match any associated bound claim values

Check the var.roles group names matches the okta_group.vault-* groups setup.

6.

If the UI is non-responsive, or dev tools shows a client token required, this can be from a mismatch of the URLs. Ensure the Okta and Terraform and Vault all have the same case for the Vault address.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

5 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages