@@ -96,13 +96,13 @@ if [ -n "$OIDC_DISCOVERY_URL" ] && [ -n "$OIDC_CLIENT_ID" ] && [ -n "$OIDC_CLIEN
9696 vault auth enable oidc
9797 fi
9898
99- # Configure OIDC with correct discovery URL format
99+ # Configure OIDC with correct discovery URL format and dynamic as default role
100100 echo " [+] Configuring OIDC settings..."
101101 vault write auth/oidc/config \
102102 oidc_discovery_url=" ${OIDC_DISCOVERY_URL} /application/o/${OIDC_APP_SLUG} /" \
103103 oidc_client_id=" $OIDC_CLIENT_ID " \
104104 oidc_client_secret=" $OIDC_CLIENT_SECRET " \
105- default_role=" reader "
105+ default_role=" dynamic "
106106
107107 # Create reader policy dynamically
108108 echo " [+] Creating reader policy..."
@@ -134,6 +134,19 @@ path "*" {
134134# }
135135EOF
136136
137+ # Create OIDC dynamic role (group-based policies only)
138+ echo " [+] Creating OIDC dynamic role..."
139+ vault write auth/oidc/role/dynamic \
140+ bound_audiences=" $OIDC_CLIENT_ID " \
141+ allowed_redirect_uris=" https://vault.local.ildoc.it/ui/vault/auth/oidc/oidc/callback" \
142+ allowed_redirect_uris=" https://vault.local.ildoc.it/oidc/callback" \
143+ allowed_redirect_uris=" http://localhost:8250/oidc/callback" \
144+ user_claim=" sub" \
145+ policies=" default" \
146+ groups_claim=" groups" \
147+ oidc_scopes=" openid,profile,email" \
148+ ttl=" 8h"
149+
137150 # Create OIDC reader role with all required redirect URIs
138151 echo " [+] Creating OIDC reader role..."
139152 vault write auth/oidc/role/reader \
@@ -194,33 +207,27 @@ EOF
194207
195208 # Create group alias for vault-admins
196209 echo " [+] Creating group alias for 'vault-admins'..."
210+ ALIAS_EXISTS=false
197211 if vault list identity/group-alias/id 2> /dev/null | grep -q . ; then
198212 # Check if alias already exists
199- EXISTING_ALIAS=$( vault list -format=json identity/group-alias/id 2> /dev/null | jq -r ' .[]' | while read alias_id; do
200- ALIAS_INFO=$( vault read -format=json " identity/group-alias/id/$alias_id " )
201- ALIAS_NAME=$( echo " $ALIAS_INFO " | jq -r ' .data.name' )
202- ALIAS_CANONICAL=$( echo " $ALIAS_INFO " | jq -r ' .data.canonical_id' )
203- if [ " $ALIAS_NAME " = " vault-admins" ] && [ " $ALIAS_CANONICAL " = " $ADMINS_GROUP_ID " ]; then
204- echo " $alias_id "
213+ for alias_id in $( vault list -format=json identity/group-alias/id 2> /dev/null | jq -r ' .[]' ) ; do
214+ ALIAS_INFO=$( vault read -format=json " identity/group-alias/id/$alias_id " 2> /dev/null || echo " {}" )
215+ ALIAS_NAME=$( echo " $ALIAS_INFO " | jq -r ' .data.name // empty' )
216+ ALIAS_MOUNT=$( echo " $ALIAS_INFO " | jq -r ' .data.mount_accessor // empty' )
217+ if [ " $ALIAS_NAME " = " vault-admins" ] && [ " $ALIAS_MOUNT " = " $OIDC_ACCESSOR " ]; then
218+ ALIAS_EXISTS=true
219+ echo " [+] Group alias for 'vault-admins' already exists"
205220 break
206221 fi
207- done)
208-
209- if [ -n " $EXISTING_ALIAS " ]; then
210- echo " [+] Group alias for 'vault-admins' already exists"
211- else
212- vault write identity/group-alias \
213- name=" vault-admins" \
214- mount_accessor=" $OIDC_ACCESSOR " \
215- canonical_id=" $ADMINS_GROUP_ID "
216- echo " [+] Created group alias for 'vault-admins'"
217- fi
218- else
222+ done
223+ fi
224+
225+ if [ " $ALIAS_EXISTS " = " false" ]; then
219226 vault write identity/group-alias \
220227 name=" vault-admins" \
221228 mount_accessor=" $OIDC_ACCESSOR " \
222- canonical_id=" $ADMINS_GROUP_ID "
223- echo " [+] Created group alias for 'vault-admins'"
229+ canonical_id=" $ADMINS_GROUP_ID " 2> /dev/null || echo " [!] Group alias for 'vault-admins' already exists (error ignored) "
230+ echo " [+] Group alias for 'vault-admins' configured "
224231 fi
225232
226233 # Create external group for vault-readers
@@ -252,33 +259,27 @@ EOF
252259
253260 # Create group alias for vault-readers
254261 echo " [+] Creating group alias for 'vault-readers'..."
262+ ALIAS_EXISTS=false
255263 if vault list identity/group-alias/id 2> /dev/null | grep -q . ; then
256264 # Check if alias already exists
257- EXISTING_ALIAS=$( vault list -format=json identity/group-alias/id 2> /dev/null | jq -r ' .[]' | while read alias_id; do
258- ALIAS_INFO=$( vault read -format=json " identity/group-alias/id/$alias_id " )
259- ALIAS_NAME=$( echo " $ALIAS_INFO " | jq -r ' .data.name' )
260- ALIAS_CANONICAL=$( echo " $ALIAS_INFO " | jq -r ' .data.canonical_id' )
261- if [ " $ALIAS_NAME " = " vault-readers" ] && [ " $ALIAS_CANONICAL " = " $READERS_GROUP_ID " ]; then
262- echo " $alias_id "
265+ for alias_id in $( vault list -format=json identity/group-alias/id 2> /dev/null | jq -r ' .[]' ) ; do
266+ ALIAS_INFO=$( vault read -format=json " identity/group-alias/id/$alias_id " 2> /dev/null || echo " {}" )
267+ ALIAS_NAME=$( echo " $ALIAS_INFO " | jq -r ' .data.name // empty' )
268+ ALIAS_MOUNT=$( echo " $ALIAS_INFO " | jq -r ' .data.mount_accessor // empty' )
269+ if [ " $ALIAS_NAME " = " vault-readers" ] && [ " $ALIAS_MOUNT " = " $OIDC_ACCESSOR " ]; then
270+ ALIAS_EXISTS=true
271+ echo " [+] Group alias for 'vault-readers' already exists"
263272 break
264273 fi
265- done)
266-
267- if [ -n " $EXISTING_ALIAS " ]; then
268- echo " [+] Group alias for 'vault-readers' already exists"
269- else
270- vault write identity/group-alias \
271- name=" vault-readers" \
272- mount_accessor=" $OIDC_ACCESSOR " \
273- canonical_id=" $READERS_GROUP_ID "
274- echo " [+] Created group alias for 'vault-readers'"
275- fi
276- else
274+ done
275+ fi
276+
277+ if [ " $ALIAS_EXISTS " = " false" ]; then
277278 vault write identity/group-alias \
278279 name=" vault-readers" \
279280 mount_accessor=" $OIDC_ACCESSOR " \
280- canonical_id=" $READERS_GROUP_ID "
281- echo " [+] Created group alias for 'vault-readers'"
281+ canonical_id=" $READERS_GROUP_ID " 2> /dev/null || echo " [!] Group alias for 'vault-readers' already exists (error ignored) "
282+ echo " [+] Group alias for 'vault-readers' configured "
282283 fi
283284
284285 echo " "
289290 echo " vault-admins Group ID: $ADMINS_GROUP_ID "
290291 echo " vault-readers Group ID: $READERS_GROUP_ID "
291292 echo " "
293+ echo " === ROLES CONFIGURED ==="
294+ echo " - dynamic (default): Uses only group-based policies from Authentik"
295+ echo " - reader: Hardcoded reader policy (for backward compatibility)"
296+ echo " - admin: Hardcoded admin policy (for backward compatibility)"
297+ echo " "
292298 echo " === NEXT STEPS IN AUTHENTIK ==="
293299 echo " 1. Go to your Vault provider in Authentik (https://auth.ildoc.it)"
294300 echo " 2. Verify these STRICT Redirect URIs are configured:"
306312 echo " 5. Add your user to the 'vault-admins' group"
307313 echo " "
308314 echo " === TESTING ==="
309- echo " Test login with: vault login -method=oidc role=\" reader\" "
315+ echo " Test login with: vault login -method=oidc"
316+ echo " (will use 'dynamic' role by default - policies from your groups)"
317+ echo " "
318+ echo " Or specify a role explicitly:"
319+ echo " vault login -method=oidc role=reader"
320+ echo " vault login -method=oidc role=admin"
310321 echo " "
311322 echo " After login, verify your groups with:"
312323 echo " vault token lookup | grep policies"
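Review bot: In the `vault-admins` alias block (and its `vault-readers` twin), `canonical_id="$ADMINS_GROUP_ID" 2>/dev/null || echo "... already exists (error ignored)"` reports every failure of `vault write identity/group-alias` — permission denied, sealed Vault, wrong accessor — as success, and the new pre-check compares only `name` and `mount_accessor`, so an alias that already exists but points at a different `canonical_id` is accepted as-is and the Authentik→Vault admin group mapping stays silently wrong while the script prints "configured". Keep reading `.data.canonical_id` in the loop and, when the alias exists but maps to another group, repoint it (Vault exposes an update endpoint at `identity/group-alias/id/<id>`) instead of swallowing the create error; let the create path fail loudly. Separately, `dynamic` becomes the default role with `user_claim="sub"`, `policies="default"` and no `bound_claims`, so any Authentik account assigned to the Vault application can obtain an 8h token even if it is in no mapped group — if that is intended, say so in the role comment, otherwise add `bound_claims` on the `groups` claim. All of this sits inside the `if [ -n "$OIDC_DISCOVERY_URL" ] ...` block, which starts before the first hunk.
```shell
  for alias_id in $(vault list -format=json identity/group-alias/id 2>/dev/null | jq -r '.[]'); do
    # … unchanged: ALIAS_INFO / ALIAS_NAME / ALIAS_MOUNT lookups …
    ALIAS_CANONICAL=$(echo "$ALIAS_INFO" | jq -r '.data.canonical_id // empty')
    if [ "$ALIAS_NAME" = "vault-admins" ] && [ "$ALIAS_MOUNT" = "$OIDC_ACCESSOR" ]; then
      ALIAS_EXISTS=true
      if [ "$ALIAS_CANONICAL" != "$ADMINS_GROUP_ID" ]; then
        # Alias exists on the OIDC mount but maps to a different group: repoint it
        # rather than leaving the admin mapping wrong.
        vault write "identity/group-alias/id/$alias_id" canonical_id="$ADMINS_GROUP_ID"
      fi
      break
    fi
  done
  # … unchanged: fi …
  if [ "$ALIAS_EXISTS" = "false" ]; then
    # No stderr suppression / fallback: a failed write here must abort the run.
    vault write identity/group-alias \
      name="vault-admins" \
      mount_accessor="$OIDC_ACCESSOR" \
      canonical_id="$ADMINS_GROUP_ID"
  fi
```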