Request groups scope for whynot OIDC role

2026-06-28 13:23:14 +02:00
parent adf865611c
commit 3527bc1cae
7 changed files with 74 additions and 5 deletions


@@ -98,7 +98,14 @@ Role payload:
"role_type": "oidc",
"allowed_redirect_uris": [
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"http://localhost:8250/oidc/callback"
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback"
],
"oidc_scopes": [
"openid",
"profile",
"email",
"groups"
],
"user_claim": "sub",
"groups_claim": "groups",
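Review bot: the `groups` entry added to `oidc_scopes` has to match the claim named by `groups_claim` on the last line of this hunk, but the example gives no hint that these two values are coupled; suggest a short note above the payload (or a trailing comment in the prose) stating that the scope is what makes the provider emit the claim `groups_claim` reads, so a future rename of one is not made without the other. The second loopback URI (`http://127.0.0.1:8250/oidc/callback`) is a reasonable companion to the `localhost` one for a local CLI listener on port 8250, but the example should say both are loopback-only and that no other hosts belong in this list.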
@@ -119,7 +126,14 @@ cat >"$role_payload_file" <<'JSON'
{
"allowed_redirect_uris": [
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"http://localhost:8250/oidc/callback"
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback"
],
"oidc_scopes": [
"openid",
"profile",
"email",
"groups"
],
"bound_claims": {
"groups": [
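Review bot: this heredoc now repeats exactly the `allowed_redirect_uris` and `oidc_scopes` lists from the documentation payload in the previous hunk, and this change had to be applied to both copies by hand; suggest a comment at the top of the heredoc naming which copy is the source of truth (or generating the documented example from `$role_payload_file`) so the two cannot drift apart on the next edit.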
@@ -192,7 +206,7 @@ Only after these are true:
- secret metadata confirmed;
- policy exists and is scoped to the corrected `coulomb/whynot-design` path;
- OIDC role exists and binds only `groups=["whynot-design"]` with approved
browser and local CLI callback URIs;
browser/local CLI callback URIs and `groups` OIDC scope;
- positive verification passed;
- negative verification passed;
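Review bot: the reworded checklist item now bundles two independently verifiable facts (the callback URI allowlist and the `groups` OIDC scope) into one bullet, so it cannot be ticked for one without the other; suggest splitting it, e.g. `- OIDC role allows only the approved browser/local CLI callback URIs;` and `- OIDC role requests the `groups` OIDC scope;`, each checked against the corresponding field of the role read-back.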


@@ -35,7 +35,7 @@ Ops-warden batch follow-up:
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
| OIDC auth mount | `netkingdom` |
| OIDC role | `whynot-design-workload-kv-read` |
| OIDC callback URIs | `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback`, `http://localhost:8250/oidc/callback` |
| OIDC callback URIs | `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback`, `http://localhost:8250/oidc/callback`, `http://127.0.0.1:8250/oidc/callback` |
| Kubernetes auth role | `whynot-design-workload-kv-read` if an in-cluster service account consumes this lane |
| flex-auth ref | `secret.read:whynot-design` if tenant policy requires pre-approval |
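Review bot: the table gains the third callback URI but still has no row for the OIDC scopes, even though the same file now states the role "must request these OIDC scopes"; suggest adding a row such as `| OIDC scopes | `openid`, `profile`, `email`, `groups` |` so the summary table and the later text block describe the same role configuration.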
@@ -116,6 +116,17 @@ OpenBao:
```text
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
http://localhost:8250/oidc/callback
http://127.0.0.1:8250/oidc/callback
```
The role must request these OIDC scopes so KeyCape emits the group claim OpenBao
checks:
```text
openid
profile
email
groups
```
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
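Review bot: the sentence "so KeyCape emits the group claim OpenBao checks" should name the claim and the role field that reads it, e.g. "emits the `groups` claim that the role's `groups_claim` reads", since that is the coupling an operator needs when the login fails. Separately, the role's `user_claim` is `sub` and the binding is on `groups`, so `profile` and `email` request token contents the role never consumes; either state why those two scopes are required by the provider or drop them from the list to keep the requested scopes to what OpenBao actually evaluates.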
@@ -180,7 +191,9 @@ warden access "npm token" \
```
Use `--no-policy` only while the local ops-warden config reports
`policy.enabled=false`; remove it once the flex-auth gate is enforced.
`policy.enabled=false`; remove it once the flex-auth gate is enforced. If login
fails with `groups claim not found`, the OpenBao role is missing the `groups`
OIDC scope and must be corrected before retrying.
Negative verification:
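Review bot: the new troubleshooting sentence for `groups claim not found` says the role "must be corrected before retrying" but does not say how; suggest pointing at the role payload/heredoc in this change (the `oidc_scopes` list) so the reader can fix it without hunting. It is also appended to a paragraph about `--no-policy`, which is an unrelated flex-auth concern; move it to its own paragraph directly above `Negative verification:` so the two notes are not read as one condition.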