Auth methods

Auth methods are the components in OpenBao that perform authentication and are responsible for assigning identity and a set of policies to a user. In all cases, OpenBao will enforce authentication as part of the request processing. In most cases, OpenBao will delegate the authentication administration and decision to the relevant configured external auth method (e.g., Kubernetes).

Having multiple auth methods enables you to use an auth method that makes the most sense for your use case of OpenBao and your organization.

For example, on developer machines, the Userpass method is the easiest to use, but for servers the AppRole method is the recommended choice.

To learn more about authentication, see the authentication concepts page.

Enabling/Disabling auth methods

Auth methods can be enabled/disabled using the CLI or the API.

$ bao auth enable userpass

When enabled, auth methods are similar to secrets engines: they are mounted within the OpenBao mount table and can be accessed and configured using the standard read/write API. All auth methods are mounted underneath the auth/ prefix.

By default, auth methods are mounted to auth/<type>. For example, if you enable "ldap", then you can interact with it at auth/ldap. However, this path is customizable, allowing users with advanced use cases to mount a single auth method multiple times.

$ bao auth enable -path=my-login userpass

When an auth method is disabled, all users authenticated via that method are automatically logged out.

External auth method considerations

When using an external auth method (e.g., Kubernetes), OpenBao will call the external service at the time of authentication and for subsequent token renewals. If the status of an entity changes in the external system (e.g., an account expires or is disabled), OpenBao denies requests to renew tokens associated with the entity. However, any existing tokens remain valid for their original grant period unless they are explicitly revoked within OpenBao. Operators should set appropriate token TTLs when using external auth methods.
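As an added example (not part of the OpenBao documentation or code base), the following script audits an auth mount table for the situation described above: external auth methods whose tokens could outlive a status change in the external system. It assumes the input has the shape of the `data` object returned by `bao read -format=json sys/auth` (mount path, `type`, and `config` with lease TTLs in seconds); the sample table is constructed, and which types count as "external" is a choice made here.

```python
"""Flag external auth mounts whose token max TTL is untuned or too long."""

# Assumption: these auth method types delegate the authentication decision to an
# external system, so a disabled account there is only noticed at renewal time.
EXTERNAL_AUTH_TYPES = {"kubernetes", "ldap", "oidc", "github", "aws", "gcp", "azure"}

# Constructed sample in the shape of the `sys/auth` response's "data" object.
# A lease TTL of 0 means the mount inherits the system-wide default.
SAMPLE_MOUNT_TABLE = {
    "token/": {"type": "token", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "userpass/": {"type": "userpass", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "kubernetes/": {"type": "kubernetes", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "my-login/": {"type": "ldap", "config": {"default_lease_ttl": 3600, "max_lease_ttl": 14400}},
    "oidc/": {"type": "oidc", "config": {"default_lease_ttl": 3600, "max_lease_ttl": 2592000}},
}


def find_long_lived_external_mounts(mount_table, max_ttl_seconds=4 * 3600):
    """Return (path, type, reason) for external auth mounts whose tokens may stay
    valid longer than max_ttl_seconds after the external system revokes access.

    max_lease_ttl == 0 inherits the system default (32 days unless tuned), which
    is treated as too long here.
    """
    findings = []
    for path, mount in sorted(mount_table.items()):
        mtype = mount.get("type")
        if mtype not in EXTERNAL_AUTH_TYPES:
            continue
        max_ttl = mount.get("config", {}).get("max_lease_ttl", 0)
        if max_ttl == 0:
            findings.append((path, mtype, "max_lease_ttl not tuned (inherits system default)"))
        elif max_ttl > max_ttl_seconds:
            findings.append((path, mtype, f"max_lease_ttl {max_ttl}s exceeds {max_ttl_seconds}s"))
    return findings


def tune_commands(findings, max_ttl="4h"):
    """Build the `bao auth tune` commands that would cap each flagged mount's max TTL."""
    return [f"bao auth tune -max-lease-ttl={max_ttl} {path}" for path, _, _ in findings]


if __name__ == "__main__":
    found = find_long_lived_external_mounts(SAMPLE_MOUNT_TABLE)
    for path, mtype, reason in found:
        print(f"{path} ({mtype}): {reason}")
    print("\n".join(tune_commands(found)))
```

The `ldap` mount at the custom path `my-login/` is within the 4h limit and is not flagged; the untuned `kubernetes/` mount and the 30-day `oidc/` mount are.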