Fixes bound_claims validation for provider-specific group and user info fetching #149

Merged (1 commit) on Dec 2, 2020

Conversation

austingebauer (Contributor)

Overview

This PR fixes #138 by validating the bound_claims of a role after the provider-specific group and user info fetching. This allows usage of bound_claims for validation against additional group membership and user information on a role.

Testing

I've added an automated test which ensures that groups and user info claims can be validated using bound_claims.

Additionally, I've manually tested that bound_claims validation works against a G Suite account with both groups and user custom schema data.

See test output below with comments explaining the expected results:

$ vault auth enable oidc
Success! Enabled oidc auth method at: oidc/

$ vault write auth/oidc/config -<<EOF
{
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "redacted",
    "oidc_client_secret": "redacted",
    "default_role": "demo",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/Users/austingebauer/.gcp/gsuite-demo-service-account.json",
        "gsuite_admin_impersonate": "[email protected]",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5,
        "user_custom_schemas": "Education,Preferences"
    }
}
EOF
Success! Data written to: auth/oidc/config

# Note: shirt_size bound claim will cause an expected error when validating claims
$ vault write auth/oidc/role/demo -<<EOF
{
    "allowed_redirect_uris": "http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
    "claim_mappings": [
        "/Education/graduation_date=graduation_date",
        "/Preferences/shirt_size=shirt_size"
    ],
    "groups_claim": "groups",
    "oidc_scopes": "email",
    "user_claim": "email",
    "bound_claims": {
        "groups": ["[email protected]", "[email protected]"],
        "/Preferences/shirt_size": "invalid"
    }
}
EOF

$ vault login -method=oidc role=demo
...
* error validating claims: claim "/Preferences/shirt_size" does not match any associated bound claim values

# Note: groups bound claim will cause an expected error when validating claims
$ vault write auth/oidc/role/demo -<<EOF
{
    "allowed_redirect_uris": "http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
    "claim_mappings": [
        "/Education/graduation_date=graduation_date",
        "/Preferences/shirt_size=shirt_size"
    ],
    "groups_claim": "groups",
    "oidc_scopes": "email",
    "user_claim": "email",
    "bound_claims": {
        "groups": ["[email protected]"],
        "/Preferences/shirt_size": "medium"
    }
}
EOF

$ vault login -method=oidc role=demo
...
* error validating claims: claim "groups" does not match any associated bound claim values

# Note: bound claims are valid in this case, so no error is expected
$ vault write auth/oidc/role/demo -<<EOF
{
    "allowed_redirect_uris": "http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
    "claim_mappings": [
        "/Education/graduation_date=graduation_date",
        "/Preferences/shirt_size=shirt_size"
    ],
    "groups_claim": "groups",
    "oidc_scopes": "email",
    "user_claim": "email",
    "bound_claims": {
        "groups": ["[email protected]", "[email protected]"],
        "/Preferences/shirt_size": "medium"
    }
}
EOF

$ vault login -method=oidc role=demo
...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Related Issues/Pull Requests

Contributor Checklist

  • Add output for any tests not run in CI to the PR description (e.g. acceptance tests)
  • Backwards compatible

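The ordering this PR establishes (augment the ID token's claims with the provider-fetched groups and user info first, validate the role's bound_claims second) is illustrated below with an added example. It is not code from vault-plugin-auth-jwt or from the PR author; the claim layout it assumes (fetched groups stored under the role's groups_claim key, each user custom schema stored under its own top-level key so a JSON-pointer bound claim such as "/Preferences/shirt_size" can address it) and all sample values are assumptions made for the illustration. The three role definitions in main mirror the three cases from the manual test above.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not the plugin's own code. The layout of the augmented claim
// set (groups under the groups_claim key, custom schemas under their own
// top-level keys) is an assumption made for this illustration.

// lookupClaim resolves a bound_claims key. Keys starting with "/" are treated
// as JSON pointers into nested objects ("/Preferences/shirt_size"); any other
// key is a top-level claim name ("groups").
func lookupClaim(claims map[string]interface{}, key string) (interface{}, bool) {
	if !strings.HasPrefix(key, "/") {
		v, ok := claims[key]
		return v, ok
	}
	var cur interface{} = claims
	for _, part := range strings.Split(strings.TrimPrefix(key, "/"), "/") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = obj[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// asStrings normalizes a claim or bound value (string, []string or
// []interface{}) into a list of strings for comparison.
func asStrings(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []string:
		return t
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// validateBoundClaims fails closed: every bound claim must be present in the
// augmented claim set, and at least one expected value must appear among the
// actual values. A missing claim is rejected, not skipped.
func validateBoundClaims(claims, bound map[string]interface{}) error {
	for key, expected := range bound {
		actual, ok := lookupClaim(claims, key)
		if !ok {
			return fmt.Errorf("claim %q is missing from the token and provider data", key)
		}
		actualVals := asStrings(actual)
		matched := false
		for _, want := range asStrings(expected) {
			for _, got := range actualVals {
				if got == want {
					matched = true
				}
			}
		}
		if !matched {
			return fmt.Errorf("claim %q does not match any associated bound claim values", key)
		}
	}
	return nil
}

// augmentClaims merges provider-fetched groups and custom schemas into a copy
// of the ID token claims; this is the step that must run before validation.
func augmentClaims(idToken map[string]interface{}, groupsClaim string, groups []string, schemas map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(idToken)+1+len(schemas))
	for k, v := range idToken {
		out[k] = v
	}
	gs := make([]interface{}, len(groups))
	for i, g := range groups {
		gs[i] = g
	}
	out[groupsClaim] = gs
	for k, v := range schemas {
		out[k] = v
	}
	return out
}

// sampleClaims builds a constructed claim set: an email from the ID token, two
// fetched groups, and Education/Preferences custom schemas. Values are made up.
func sampleClaims() map[string]interface{} {
	idToken := map[string]interface{}{"email": "user@example.com"}
	groups := []string{"group-a@example.com", "group-b@example.com"}
	schemas := map[string]interface{}{
		"Education":   map[string]interface{}{"graduation_date": "2015-06-01"},
		"Preferences": map[string]interface{}{"shirt_size": "medium"},
	}
	return augmentClaims(idToken, "groups", groups, schemas)
}

func main() {
	claims := sampleClaims()
	roles := []map[string]interface{}{
		// shirt_size bound to a value the user does not have: fails
		{"groups": []interface{}{"group-a@example.com"}, "/Preferences/shirt_size": "invalid"},
		// groups bound to a group the user is not in: fails
		{"groups": []interface{}{"group-c@example.com"}, "/Preferences/shirt_size": "medium"},
		// both bound claims satisfied: succeeds (nil error)
		{"groups": []interface{}{"group-a@example.com", "group-c@example.com"}, "/Preferences/shirt_size": "medium"},
	}
	for i, bound := range roles {
		fmt.Printf("role %d: %v\n", i+1, validateBoundClaims(claims, bound))
	}
}
```

The point to notice is that validateBoundClaims never sees the raw ID token: it only ever runs over the output of augmentClaims, so a groups or custom-schema bound claim is checked against what the provider actually returned, and a key the provider did not return is treated as a failed check rather than ignored.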
@austingebauer austingebauer requested a review from tvoran November 25, 2020 19:49
@tvoran tvoran (Member) left a comment


I also tried this on azure and it worked with and without bound_claims groups. 👍

@calvn calvn self-requested a review December 1, 2020 19:39
Successfully merging this pull request may close these issues.

oidc: gsuite custom provider groups cannot use bound claims