From d69545cdb527411c38fa62209ab7c2f6aff965e5 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 15 Jan 2026 02:18:50 -0300
Subject: [PATCH] vault: harden oidc claims type
---
 services/vault/scripts/vault_oidc_configure.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh
index 4ee91b8..d417af2 100644
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@@ -45,6 +45,10 @@ groups_claim="${VAULT_OIDC_GROUPS_CLAIM:-groups}"
 redirect_uris="${VAULT_OIDC_REDIRECT_URIS:-https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback}"
 bound_audiences="${VAULT_OIDC_BOUND_AUDIENCES:-${VAULT_OIDC_CLIENT_ID}}"
 bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-string}"
+bound_claims_type="$(printf '%s' "${bound_claims_type}" | tr -d '[:space:]')"
+if [ -z "${bound_claims_type}" ]; then
+ bound_claims_type="string"
+fi
 admin_group="${VAULT_OIDC_ADMIN_GROUP:-admin}"
 admin_policies="${VAULT_OIDC_ADMIN_POLICIES:-default,vault-admin}"
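Review bot: The normalised `bound_claims_type` is never checked against the values Vault's JWT/OIDC role accepts (`string` or `glob`), so after the new `tr -d '[:space:]'` line any other non-empty value is still passed on. Because `tr` also deletes interior whitespace, a malformed value such as `str ing` is silently turned into a valid one instead of being rejected. Since `glob` loosens how bound claims are matched, I would fail on anything unexpected rather than repair it: after the `fi`, add `case "${bound_claims_type}" in string|glob) ;; *) echo "invalid VAULT_OIDC_BOUND_CLAIMS_TYPE: ${bound_claims_type}" >&2; exit 1 ;; esac`. Where the variable is written to the role lies outside this hunk, so confirm how a rejected value is handled there and match the script's existing error-exit convention.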