Vault: OAuth2 token refreshing as a secret backend

Created on 29 Apr 2015  ·  3 Comments  ·  Source: hashicorp/vault

To make an OAuth2 request we need an access token. The access token has a TTL, so once it has expired we need to get a new one using a refresh token. Instead of refreshing the access tokens directly, it would be better if Vault did it. This way the app itself does not need to know anything about the OAuth2 refresh tokens, application IDs or application secrets; it could just fetch an access token from Vault and not care about the details. If the app can only access the expiring access token, it would also be a lot more secure than if it also knew the non-expiring refresh token.
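
A minimal model of the arrangement requested in the issue above, added here as an illustration; it is not part of the original issue, not Vault code and not the linked plugin's code. `TokenBroker`, `RefreshFn` and `FakeProvider` are hypothetical names, and the provider is a constructed stand-in for a real token endpoint.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Hypothetical callback standing in for the provider's token endpoint
# (grant_type=refresh_token). Returns (access_token, expires_in, rotated_refresh_token).
RefreshFn = Callable[[str, str, str], Tuple[str, int, Optional[str]]]

@dataclass
class TokenBroker:
    """Holds the long-lived credentials; callers only ever get access tokens."""
    client_id: str
    client_secret: str = field(repr=False)
    refresh_token: str = field(repr=False)
    refresh_fn: RefreshFn = field(repr=False)
    clock: Callable[[], float] = field(default=time.time, repr=False)
    skew: int = 30  # refresh this many seconds before expiry
    _access: str = field(default="", init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False, repr=False)

    def get_access_token(self) -> Dict[str, object]:
        now = self.clock()
        if not self._access or now >= self._expires_at - self.skew:
            access, expires_in, rotated = self.refresh_fn(
                self.client_id, self.client_secret, self.refresh_token)
            if rotated:  # providers may rotate the refresh token on use
                self.refresh_token = rotated
            self._access, self._expires_at = access, now + expires_in
        # Only the expiring credential and its remaining lifetime leave the broker.
        return {"access_token": self._access,
                "expires_in": int(self._expires_at - now)}

class FakeProvider:
    """Constructed stand-in for a real authorization server."""
    def __init__(self) -> None:
        self.calls = 0

    def refresh(self, client_id: str, client_secret: str, refresh_token: str):
        self.calls += 1
        return f"at-{self.calls}", 3600, f"rt-{self.calls}"

if __name__ == "__main__":
    provider = FakeProvider()
    broker = TokenBroker("app-id", "s3cr3t-constructed", "rt-0", provider.refresh)
    print(broker.get_access_token())  # what the application sees
    print(broker)                     # repr omits the secret and refresh token
```

The application's view is limited to the returned dictionary, so a leak on the application side exposes a credential that expires on its own rather than the refresh token or client secret.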

All 3 comments

Any idea on the status of this request?

We have no current plans for a built-in backend to do this, but with our plugin capabilities this can now be easily created by an interested third-party!

If anyone happens to stumble across this issue looking for a solution, we implemented this as a plugin: https://github.com/puppetlabs/vault-plugin-secrets-oauthapp

Feel free to give it a try and you're welcome to file GitHub issues if you run into any problems!
