This PR adds a configuration option `oauth2_metadata`, which is a list of token types that can be returned in metadata. The list can be any of `access_token`, `id_token`, and `refresh_token`, and when selected they are returned under the metadata names `oauth2_access_token`, `oauth2_id_token`, and `oauth2_refresh_token`, respectively.

This option makes it possible for a user to authenticate with bao once and also use the tokens directly from the oauth2 issuer for another purpose. For example, with some help from a client application to store the refresh token back into a vault secrets plugin like the Puppet labs oauthapp plugin, from then on access tokens can be read from the secrets plugin and renewed when they expire.

The new option simply puts the selected tokens into the returned metadata in a way similar to how the `claims_mapping` option returns things in metadata.

This PR was proposed for vault several years ago in hashicorp/vault-plugin-auth-jwt#119 but has been sitting unmerged since then. It is an essential component of the https://github.com/fermitools/htvault-config package and has been in production use for a couple of years.