hashicorp/vault-plugin-secrets-azure

Support for OAuth Access Tokens

mdgreenfield opened this issue · 5 comments

Requesting a new token endpoint for retrieving access tokens.

Similar to vault-plugin-secrets-gcp, requests to create a Vault role would create the Azure App/ServicePrincipal, store the corresponding client credentials in the plugin's internal storage, and use those same client credentials to generate an OAuth access token when a user calls azure/token/:role.

By supporting this and allowing Azure API callers to use OAuth tokens for authentication, we can sidestep the client credentials global replication delay issue brought up in #23. This is because typically the Azure role is created ahead of time in an out-of-band process (either manual or automated), thereby giving client credentials time to replicate globally before a user calls the azure/token/:role endpoint.

Thank you for submitting this request! For others who are interested in this, please stick a 👍 on this issue. We’re currently developing an internal process to review and prioritize feature requests.

Thanks @fairclothjm, I just opened a PR that implements this (I'm not sure why I didn't do that a while back). The PR will certainly need to be rebased and documentation added at a minimum. I'll be away from the computer next week but potentially could look into some of these things the following week.

@mdgreenfield That's great, thanks! Feel free to ping me on this issue when you get it updated!

Hi @fairclothjm, I could use some feedback/thoughts on #147 (comment) if you all get some time.