ForgeRock

  1. Navigate to Applications -> OAuth 2.0 -> Clients in ForgeRock Access Management.
  2. Create a new client.
  3. Configure the Client ID, Client Secret, Scopes and Redirection URIs:
     • Client ID
     • Client Secret
     • Redirection URIs: the two redirect URIs used for OpenBao CLI and UI access.
     • Scopes: the OIDC scopes OpenBao will request.
  4. Save the Client ID and Client Secret.

Configuration

  1. In OpenBao, enable the OIDC auth method.

  2. Configure the OIDC auth method with the oidc_client_id (client ID), oidc_client_secret (client secret), and oidc_discovery_url (endpoint URL) from ForgeRock.

    bao write auth/oidc/config \
    oidc_client_id="your_client_id" \
    oidc_client_secret="your_client_secret" \
    default_role="your_default_role" \
    oidc_discovery_url="https://openam.example.com:8443/openam/oauth2"

  3. Configure the OIDC role with the following:

     • user_claim should be "sub".
     • allowed_redirect_uris should be the two redirect URIs for OpenBao CLI and UI access.
     • oidc_scopes should be set to the OIDC scopes.

    bao write auth/oidc/role/your_default_role \
    user_claim="sub" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
    oidc_scopes="your_oidc_scopes" \
    policies=default
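A preflight check for the two writes above, added here as an example and not part of the OpenBao docs or code base: it assembles the same key/value pairs the `bao write` commands send, derives the discovery document URL OpenBao will fetch, and flags the mistakes that most often break or weaken an OIDC setup (plain-http discovery URL, empty secret, non-https or wildcard redirect URIs, missing CLI callback). The UI hostname openbao.example.com:8200 is an assumed placeholder.

```python
from urllib.parse import urlsplit

# Constructed sample redirect URIs: the callback `bao login -method=oidc`
# listens on, and a UI callback on an assumed OpenBao hostname.
CLI_CALLBACK = "http://localhost:8250/oidc/callback"
UI_CALLBACK = "https://openbao.example.com:8200/ui/vault/auth/oidc/oidc/callback"

def build_payloads(client_id, client_secret, discovery_url, scopes,
                   default_role="your_default_role", ui_callback=UI_CALLBACK):
    """Return the key/value pairs the two `bao write` commands send to
    auth/oidc/config and auth/oidc/role/<default_role>."""
    config = {
        "oidc_client_id": client_id,
        "oidc_client_secret": client_secret,
        "oidc_discovery_url": discovery_url,
        "default_role": default_role,
    }
    role = {
        "user_claim": "sub",
        "allowed_redirect_uris": [CLI_CALLBACK, ui_callback],
        "oidc_scopes": scopes,
        "policies": ["default"],
    }
    return config, role

def discovery_document_url(config):
    """Where the provider metadata is fetched from: the discovery URL plus
    the standard /.well-known/openid-configuration suffix."""
    return config["oidc_discovery_url"].rstrip("/") + "/.well-known/openid-configuration"

def validate(config, role):
    """Preflight checks; returns a list of problems (empty when clean)."""
    errors = []
    if urlsplit(config["oidc_discovery_url"]).scheme != "https":
        errors.append("oidc_discovery_url must be https: it names the JWKS used to verify ID tokens")
    if not config["oidc_client_secret"]:
        errors.append("oidc_client_secret is empty")
    if role["user_claim"] != "sub":
        errors.append("user_claim should be the stable 'sub' claim, not a mutable attribute")
    for uri in role["allowed_redirect_uris"]:
        parts = urlsplit(uri)
        if "*" in uri or parts.fragment:
            errors.append(f"redirect URI must be exact, no wildcards or fragments: {uri}")
        elif parts.scheme != "https" and uri != CLI_CALLBACK:
            errors.append(f"only the localhost CLI callback may be plain http: {uri}")
    if CLI_CALLBACK not in role["allowed_redirect_uris"]:
        errors.append("CLI callback missing, bao login -method=oidc will fail")
    return errors
```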