mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-23 19:51:09 +01:00
Code Issues Projects Releases Wiki Activity

auth/oidc: add extra context about claim names in doc (#16987)

Browse Source
This commit is contained in:
Jason O'Donnell 2022-09-01 18:30:50 -04:00 committed by GitHub
parent 7b98e2e30f
commit c60394062d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
website/content/docs/auth/jwt/oidc-providers/azuread.mdx
View File

@ -95,8 +95,24 @@ You should set up a [Vault policy](https://learn.hashicorp.com/tutorials/vault/p
### Optional Azure-specific Configuration
If a user is a member of more than 200 groups (directly or indirectly), extra configuration
is required so that Vault can fetch the groups properly.
If a user is a member of more than 200 groups (directly or indirectly), Azure will
send `_claim_names` and `_claim_sources`. For example, returned claims might look like:
```json
{
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://graph.windows.net...."
}
}
}
```
The OIDC auth method role can be configured to include the user ID in the endpoint URL,
which will be used by Vault to retrieve the groups for the user:
- In Azure, under the applications **API Permissions**, grant the following permissions:
- Microsoft Graph API permission [Directory.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-19)