From 8d526e383f7e51778b079911db0e519f464a46b9 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 14 Jan 2026 03:45:03 -0300
Subject: [PATCH] vault: send oidc role payload as json
---
 .../vault/scripts/vault_oidc_configure.sh | 55 +++++++++++++------
 1 file changed, 38 insertions(+), 17 deletions(-)
diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh
index 3d14e52..99f5fd6 100644
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@@ -75,6 +75,28 @@ build_bound_claims() {
 printf '%s' "${json}"
 }
 
+build_json_array() {
+ items="$1"
+ json="["
+ first=1
+ old_ifs=$IFS
+ IFS=,
+ for item in $items; do
+ item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+ if [ -z "${item}" ]; then
+ continue
+ fi
+ if [ "${first}" -eq 0 ]; then
+ json="${json},"
+ fi
+ json="${json}\"${item}\""
+ first=0
+ done
+ IFS=$old_ifs
+ json="${json}]"
+ printf '%s' "${json}"
+}
+
 configure_role() {
 role_name="$1"
 role_groups="$2"
@@ -84,25 +106,24 @@ configure_role() {
 return
 fi
 claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
- claims_file="$(mktemp)"
- printf '%s' "${claims}" > "${claims_file}"
 scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
- role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=@${claims_file} bound_claims_type=${bound_claims_type}"
- if [ -n "${groups_claim}" ]; then
- role_args="${role_args} groups_claim=${groups_claim}"
- fi
- old_ifs=$IFS
- IFS=,
- for uri in $redirect_uris; do
- trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
- if [ -n "${trimmed}" ]; then
- role_args="${role_args} allowed_redirect_uris=${trimmed}"
- fi
- done
- IFS=$old_ifs
+ redirect_json="$(build_json_array "${redirect_uris}")"
+ payload_file="$(mktemp)"
+ cat > "${payload_file}" <
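Review bot: build_json_array wraps each item in double quotes without escaping, so a redirect URI containing `"` or `\` yields malformed JSON or lets the value break out of its string and alter the surrounding role payload. Escape both before concatenation, for example by extending the trim step to `item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/\\/\\\\/g;s/"/\\"/g')"` (backslashes first, then quotes); control characters such as embedded newlines would still need handling if the input can carry them. The unquoted `for item in $items` also performs pathname expansion on each comma-separated field after the split, so an item containing `*` or `?` could expand to filenames; if the script does not already disable globbing, bracket the loop with `set -f` before `for` and `set +f` after `done`. The function's variables are assigned globally, which matches the existing configure_role style but means `json`/`first`/`item` clobber any caller state of the same name.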