@impl I have a question on this, and for that matter any kind of flow that requests a refresh token through this plugin. Since this is only a secrets plugin, after going through any oauth flow to get a refresh token do you also get a vault token? Or is a vault token with access to a secrets path already required to be obtained some other way? The way I have been doing things is using the Hashicorp jwt/oidc auth plugin to get a vault token and refresh token together, and then storing the refresh token in this secrets plugin.
The way we use it, we already have access to this engine set up in advance using policies on an existing role. I actually don't think it's possible for a secrets engine to return a Vault token -- it doesn't have access to those Vault APIs. We mainly use this plugin to manage credentials on behalf of our users, so our public-facing interfaces never store a refresh token or even OAuth client secret. I.e., we can grab a token in our application, use it in the scope of a single request to perform some work on a user's behalf, and discard it.
Looks good! Once we get the tests pushed up I'll sign off and we can get this merged.
Fixes #36