HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

tokens

Configure the identity tokens backend

This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.

MethodPath
POSTidentity/oidc/config

Parameters

  • issuer (string: "") – Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and an optional port number.

Sample payload

{
  "issuer": "https://example.com:1234"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/config

Sample response

{
  "data": null,
  "warnings": [
    "If \"issuer\" is set explicitly, all tokens must be validated against that address, including those issued by secondary clusters. Setting issuer to \"\" will restore the default behavior of using the cluster's api_addr as the issuer."
  ]
}

Read configurations for the identity tokens backend

This endpoint queries vault identity tokens configurations.

MethodPath
GETidentity/oidc/config

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/config

Sample response

{
  "data": {
    "issuer": "https://example.com:1234"
  }
}

Create a named key

This endpoint creates or updates a named key which is used by a role to sign tokens.

MethodPath
POSTidentity/oidc/key/:name

Parameters

  • name (string) – Name of the named key.

  • rotation_period (int or time string: "24h") - How often to generate a new signing key. Uses duration format strings.

  • verification_ttl (int or time string: "24h") - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses duration format strings.

  • allowed_client_ids (list: []) - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.

  • algorithm (string: "RS256") - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.

Sample payload

{
  "rotation_period": "12h",
  "verification_ttl": 43200
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001

Read a named key

This endpoint queries a named key and returns its configurations.

MethodPath
GETidentity/oidc/key/:name

Parameters

  • name (string) – Name of the key.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001

Sample response

{
  "data": {
    "algorithm": "RS256",
    "rotation_period": 43200,
    "verification_ttl": 43200
  }
}

Delete a named key

This endpoint deletes a named key.

MethodPath
DELETEidentity/oidc/key/:name

Parameters

  • name (string) – Name of the key.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001

List named keys

This endpoint will List all named keys.

MethodPath
LISTidentity/oidc/key

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/key

Sample response

{
  "data": {
    "keys": ["named-key-001", "named-key-002"]
  }
}

Rotate a named key

This endpoint rotates a named key.

MethodPath
POSTidentity/oidc/key/:name/rotate

Parameters

  • name (string) – Name of the key to be rotated.

  • verification_ttl (string: <optional>) - Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.

Sample payload

{
  "verification_ttl": 0
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001/rotate

Create or update a role

Create or update a role. ID tokens are generated against a role and signed against a named key.

MethodPath
POSTidentity/oidc/role/:name

Parameters

  • name (string) – Name of the role.

  • key (string) – A configured named key, the key must already exist.

  • template (string: <optional>) - The template string to use for generating tokens. This may be in string-ified JSON or base64 format.

  • client_id (string: <optional>) - Optional client ID. A random ID will be generated if left unset.

  • ttl (int or time string: "24h") - TTL of the tokens generated against the role. Uses duration format strings.

Sample payload

{
  "key": "named-key-001",
  "ttl": "12h"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/role/role-001

Read a role

This endpoint queries a role and returs its configuration.

MethodPath
GETidentity/oidc/role/:name

Parameters

  • name (string) – Name of the role.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/role/role-001

Sample response

{
  "data": {
    "client_id": "PGE8tf4RmJkDwvjI1FgARkXEmH",
    "key": "named-key-001",
    "template": "",
    "ttl": 43200
  }
}

Delete a role

This endpoint deletes a role.

MethodPath
DELETEidentity/oidc/role/:name

Parameters

  • name (string) – Name of the role.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/role/role-001

List roles

This endpoint will list all signing keys.

MethodPath
LISTidentity/oidc/role

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/role

Sample response

{
  "data": {
    "keys": ["role-001", "role-002", "testrole"]
  }
}

Generate a signed ID token

Use this endpoint to generate a signed ID (OIDC) token.

MethodPath
GETidentity/oidc/token/:name

Parameters

  • name (string: "") – The name of the role against which to generate a signed ID token

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/token/role-001

Sample response

{
  "data": {
    "client_id": "P6CfCzyHsQY4pMcA6kWAOCItA7",
    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJkMGI4YjlkLWYwNGQtNzFlYy1iNjc0LWM3MzU4NDMyYmM1YiJ9.eyJhdWQiOiJQNkNmQ3p5SHNRWTRwTWNBNmtXQU9DSXRBNyIsImV4cCI6MTU2MTQ4ODQxMiwiaWF0IjoxNTYxNDAyMDEyLCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tOjEyMzQiLCJzdWIiOiI2YzY1ZWFmNy1kNGY0LTEzMzMtMDJiYy0xYzc1MjE5YzMxMDIifQ.IcbWTmks7P5eVtwmIBl5rL1B88MI55a9JJuYVLIlwE9aP_ilXpX5fE38CDm5PixDDVJb8TI2Q_FO4GMMH0ymHDO25ZvA917WcyHCSBGaQlgcS-WUL2fYTqFjSh-pezszaYBgPuGvH7hJjlTZO6g0LPCyUWat3zcRIjIQdXZum-OyhWAelQlveEL8sOG_ldyZ8v7fy7GXDxfJOK1kpw5AX9DXJKylbwZTBS8tLb-7edq8uZ0lNQyWy9VPEW_EEIZvGWy0AHua-Loa2l59GRRP8mPxuMYxH_c88x1lsSw0vH9E3rU8AXLyF3n4d40PASXEjZ-7dnIf4w4hf2P4L0xs_g",
    "ttl": 86400
  }
}

Introspect a signed ID token

This endpoint can verify the authenticity and active state of a signed ID token.

MethodPath
POSTidentity/oidc/introspect

Parameters

  • token (string) – A signed OIDC compliant ID token

  • client_id (string: <optional>) - Specifying the client ID additionally requires the token to contain a matching aud claim

Sample payload

{
  "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImE4NDQ4YmVkLTk4ZTMtMDNhMC01ODY4LTdmOWYyZDc5NWY2NSJ9.eyJhdWQiOiJpUDdyV1A4dmhDVFFpOTAydGhaR0hUazJMbyIsImV4cCI6MTU2MTQ4OTE0OSwiaWF0IjoxNTYxNDAyNzQ5LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEvaWRlbnRpdHkvb2lkYyIsInN1YiI6IjQ1NDQxZTg3LWMyMWQtYzY5NS0wNGM3LWU0YmU4MGU1M2Y0ZiJ9.IYZx1bBofBgwphLZggugFUE7V3ZLFDNr0UYv3hhc4RlIu5WgFZPRjpKVXPdORozYJJB_37aJW6qm5j8nNSz4WrWUmMcrVxoZi2VBExu-GcHHniEPRryR9t_45rqP2MycLBz0dICOjFDWvfkp6ddyCsQfkRnplPGCaN67MUEdgYQf5QNyxaG-yabRPiATY_OtXSjiNsMhJe6ZloYTZZc9gTTfKcKQf4mfy5yRY6471qkqeTuYNhKjwdkEnCSaEjHmCdZOYC5DAet16eQ7ankcwBno17_zs7vbPmkXNttALOrjSQgGe1td1SCfZeg5UOs7_IPk0qqdwOdyQ8wsrDmSyg"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/introspect

Sample response

{
  "active": true
}

Read the OpenID configuration from an identity token issuer

Use the .well-known endpoint to retrieve an OpenID Provider Configuration Response with a set of claims about the identity token issuer.

MethodPath
GETidentity/oidc/.well-known/openid-configuration

Sample request

$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/openid-configuration

Sample response

{
  "issuer": "https://example.com/v1/identity/oidc",
  "jwks_uri": "https://example.com/v1/identity/oidc/.well-known/keys",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ]
}

Read identity token issuer's public JWKS

Query identity/oidc/.well-known/keys to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.

Sample request

$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys

Sample response

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "94178020-55b5-e18d-b32b-1010ba5a35b4",
      "alg": "RS256",
      "n": "1bt-V8T7g0zr7koNbdppFrUM5YrnybPDOt-cK3MKmL1FcN3aOltCw9tCYStHgm8mIz_DJ1HgIjA-DcK_O9gacEGFCidUuudV8O4TixToHEVyRe1yXu-Q98hwkm9JtFF9PvMzDXhn4s3bLanOZzO15JAdVCo0JnwSIT9Ay3LxPLbWHYbPj7ROScuvic99OyvWz87qBK-AoXmxo9lRNY39LtieMr1D2iq0HvtjHkfiarr34CSTcuksknOsY49BU5ktrs_YJSEVpeRQ8RywY1sWrq8w_UmGsNFfPr--crXQw0ekJCXzmotsRHE5jwMuhjuucVlnyQFBYEdfDB_iPbC7Hw",
      "e": "AQAB"
    }
  ]
}

Read plugin identity token issuer's OpenID configuration Enterprise

Use the .well-known endpoint to retrieve an OpenID Provider Configuration Response with a set of claims about the plugin identity token issuer.

MethodPath
GETidentity/oidc/plugins/.well-known/openid-configuration

Sample request

$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/plugins/.well-known/openid-configuration

Sample response

{
  "issuer": "https://example.com/v1/identity/oidc/plugins",
  "jwks_uri": "https://example.com/v1/identity/oidc/plugins/.well-known/keys",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ]
}

Read the public JWKS from a plugin identity token issuer Enterprise

Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.

Sample request

$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/.well-known/keys

Sample response

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "94178020-55b5-e18d-b32b-1010ba5a35b4",
      "alg": "RS256",
      "n": "1bt-V8T7g0zr7koNbdppFrUM5YrnybPDOt-cK3MKmL1FcN3aOltCw9tCYStHgm8mIz_DJ1HgIjA-DcK_O9gacEGFCidUuudV8O4TixToHEVyRe1yXu-Q98hwkm9JtFF9PvMzDXhn4s3bLanOZzO15JAdVCo0JnwSIT9Ay3LxPLbWHYbPj7ROScuvic99OyvWz87qBK-AoXmxo9lRNY39LtieMr1D2iq0HvtjHkfiarr34CSTcuksknOsY49BU5ktrs_YJSEVpeRQ8RywY1sWrq8w_UmGsNFfPr--crXQw0ekJCXzmotsRHE5jwMuhjuucVlnyQFBYEdfDB_iPbC7Hw",
      "e": "AQAB"
    }
  ]
}