Hashicorp Vault OIDC identity provider

[mofr93]

Hi,

Hashicorp vault OIDC provider issues an opaque access_token. They recommend we use the userinfo_endpoint for introspection, because the access_token itself cannot be parsed, therefore it is not working. Is there any plans to support verification of claims etc. from the userinfo_endpoint?

[sevensolutions]

Hi @mofr93
you mean the token is not a JWT token?

At the beginning of this plugin i was always using the introspection endpoint but removed it because it will be called for every single endpoint, which can slow everything down...

I have already used Vault but not as an OIDC Provider. I will have a closer look on the weekend.

[mofr93]

Hey @sevensolutions

Thanks for the reply.

Yes, the access_token is just an opaque token that is only used for calling the introspection endpoint in Vault, so no JWT. I see the problems with calling this endpoint everytime. Maybe it needs to have some sort of cache set up. I tried this other project that just verifies the id_token which works for me https://github.com/lukaszraczylo/traefikoidc

[sevensolutions]

I will close this as won't-fix, at least for now because i don't want to implement this in the near future.
I think not many are using Vault for this scenario.
If you think I'am wrong, please create a new issue with some details.