Configure JWT authentication
Overview
Vault can authenticate users using JWT access tokens generated by an external identity provider. When Vault receives a JWT access token, it verifies the token's signature and validates the claims in the token. If the token is valid, Vault uses the roles claim in the token to choose the roles of the user.
The JWT access token is validated for each request to determine that:
- It is active (not expired).
- These claims match the setting in the IAM configuration:
issaud
- The
rolesclaim contains only one role and that role exists in the IAM configuration. - It is signed using the public key set in the IAM configuration.
Configuration
The following configuration options are available for JWT authentication
| Option | Description |
|---|---|
iss | The issuer of the JWT access token. If the JWT token does not match this value, Vault fails the authentication. |
aud | The audience of the JWT access token. If the JWT token does not match this value, Vault fails the authentication. |
roles_claim | The claim in the JWT access token that contains the roles of the user. If the JWT token does not contain this claim, Vault fails the authentication. If not set, defaults to roles. |
keys | The public key of the key-pair used to sign the JWT access token, in JWKS format. Must be used if jwks_uri is not used. |
jwks_uri | The URL of the JWKS endpoint that contains the public key in JWT format. Usually will be in the following format: https://<identity-privoder/.well-known/jwks.json. Must be used if keys is not used. |
bound_claims | Extra claims validation. See section below for more details. |
Using jwks_uri requires Vault to have outbound access to the JWKS endpoint. The response will be cached for 24 hours, unless configured differently by the HTTP response from the endpoint.
Bound claims
If an extra claims validation is required, you can use the bound_claims configuration. After successful validation of the JWT access token, Vault compares the bound claims with the claims in the JWT access token. If any of the bound claims are not present in the JWT access token, or doesn't match, the authentication fails.
The bound claims configuration is a map of strings to strings or arrays of strings. The keys are the names of the claims, and the values are the expected values of the claims. If the value is an array, the claim must match one of the values in the array.
Example configuration:
[idps]
[idps.app1]
type = "direct-jwt"
[idps.app1.conf]
iss = "https://jwt.io/"
aud = "vault1"
# Change the value of "keys" to the JWK key.
keys = ...
[idps.app1.conf.bound_claims]
group = "my-group"
tenant_id = ["tenant-1", "tenant-2"]
Learn how to configure JWT authentication
You can configure Vault to authenticate users using JWT access tokens generated by an external identity provider. This guide shows you how to configure Vault to authenticate users using JWT access tokens.
Prerequisites
You should know the following information about the JWT access token:
- The issuer (
iss). - The audience (
aud). - The public key of the key-pair used to sign it.
For this guide, you use jwt.io to generate a JWT access token for testing purposes. For production, you should use an identity provider such as Auth0, Azure AD, etc.
Walkthrough
For this guide, use the following values for the JWT access token:
- The issuer (
iss) of the JWT access token ishttps://jwt.io/ - The audience (
aud) of the JWT access token isvault1
You generate a key-pair using the following command:
openssl genrsa -out pvault_jwt_private_key.pem 2048
openssl rsa -pubout -in pvault_jwt_private_key.pem -out pvault_jwt_public_key.pem
And turn it into JWT format using a JWK Creator. Identity providers such as Auth0 provide you with a URL to a JWKS endpoint that contains the public key in JWT format.
Vault also supports the use of a JWKS endpoint to fetch the public key, using the jwks_uri option in the IAM configuration.
- In the IAM configuration file, edit the section defining the IdPs, such as
[idps.app1], like this:
[idps]
[idps.app1]
type = "direct-jwt"
[idps.app1.conf]
iss = "https://jwt.io/"
aud = "vault1"
# Change the value of "keys" to the JWK key.
keys = "{\"kty\": \"RSA\",\"n\": \"o54d-ACKhVI8-sEX57zGyzpf83cISFNBT1HqY78eQP0bKzX6q5RGAtZS4FixzivS76Gv830sTb50d_qjtgCw8XWjnvPj0sTuYOT4D3wNlInziEaSVwsGQ7zf5BPAHs0sLb5skBRB_YFbcIEhe3uK35vLpz-JqRjoRUdhOJe63gWxx4kcQQRQw9760Zoywkf1YPU3S1klViGoNMelkuYP35Djk1qGM2ELhGXSlaON_1KpfvGNKyNfBZGj4SSJJcIOHcjYEQV0Y8UTUe-AWcz3GKesnulqhaKL7VHjXMlHfdy-j1HBa1PCWMHDWBBsv_OCrY-BSfE7KgTd89UTiTr0lQ\",\"e\": \"AQAB\",\"alg\": \"RS256\",\"kid\": \"abc\",\"use\": \"sig\"}"
# roles_claim = "roles" # optional, defaults to "roles". To be used if the IDP uses a different claim name for roles.
-
Apply the IAM configuration to Vault.
-
Generate a JWT access token on jwt.io. The headers section should look like this:
{
"alg": "RS256",
"typ": "JWT",
"kid": "abc"
}
The payload section should look like this:
{
"iss": "https://jwt.io/",
"aud": "vault1",
"sub": "our-jwt-user",
"exp": 1797026866, // Set an expiration time in the future.
"roles": ["VaultAdmin"]
}
- Use the JWT access token to authenticate to Vault:
pvault --authtoken <jwt-token> version
IDPs
Auth0
Basically follow the steps in the Walkthrough section, but notice that by default an access token generated by Auth0 does not contain the roles claim. You need to add an login flow Action to your Auth0 tenant to add an equivalent claim to the access token:
exports.onExecutePostLogin = async (event, api) => {
if (event.authorization) {
api.accessToken.setCustomClaim("my-roles", event.authorization.roles);
}
}
Notice how the claim name is not roles, but my-roles. This is because roles is a restricted claim on Auth0 platform. Vault's IAM configuration should be changed accordingly, by setting the roles_claim option to my-roles:
[idps]
[idps.app1]
type = "direct-jwt"
[idps.app1.conf]
iss = "https://<tenant-id>.<region>.auth0.com/" # Set by Auth0 and can be seen in the "Application" settings.
aud = "my-app" # Configured by your application.
roles_claim = "my-roles" # Configured by the login flow Action.
jwks_uri = "https://<tenant-id>.<region>.auth0.com/.well-known/jwks.json" # Set by Auth0 and can be seen in the "Application" settings, under "Advanced Settings" -> "Endpoints".