From aa461b95bc0a52cb2a7dff547af2f93807494676 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 15 Jun 2026 21:42:30 +0000
Subject: [PATCH] feat(authentik): bind Vault OIDC app to Allow Login Users (close ADR-0020 OIDC gap)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Audit found the Vault Authentik application had no authorization binding, so any authenticated identity (incl. a future self-enrolled TripIt External user) could complete Vault OIDC login and get a built-in default-policy token. Bind it to 'Allow Login Users' — existing homelab users inherit that group via its children (verified User.all_groups() includes the parent), parentless TripIt External users are excluded. Closes the only OIDC app the forward-auth fence does not cover.
Co-Authored-By: Claude Opus 4.8
---
 stacks/authentik/vault-authz-binding.tf | 28 +++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 stacks/authentik/vault-authz-binding.tf

diff --git a/stacks/authentik/vault-authz-binding.tf b/stacks/authentik/vault-authz-binding.tf
new file mode 100644
index 00000000..33c0af6d
--- /dev/null
+++ b/stacks/authentik/vault-authz-binding.tf
@@ -0,0 +1,28 @@
+# Vault OIDC authorization fence (ADR-0020). The "Vault" Authentik application had
+# NO authorization binding (audit 2026-06-15: any authenticated identity could
+# complete Vault OIDC login and receive Vault's built-in `default`-policy token —
+# token self-management/cubbyhole, no secret access, but still more than an
+# outside user should hold). Bind it to "Allow Login Users" so only established
+# homelab users can log in: they inherit that base group via its children
+# (Home Server Admins / Headscale Users / Wrongmove Users — verified live that
+# `User.all_groups()` includes the parent), while publicly self-enrolled
+# "TripIt External" users (deliberately PARENTLESS, so NOT in Allow Login Users)
+# are denied at the Vault consent step. Closes the one OIDC app the forward-auth
+# fence cannot reach; the other sensitive OIDC apps already bind a trusted group.
+#
+# The Vault application itself stays UI-managed (like the other OIDC apps); this
+# adds ONLY the authorization binding. policy_engine_mode on the app is "any", so
+# one group binding == membership in that group is required to authorize.
+data "authentik_application" "vault" {
+ slug = "vault"
+}
+
+data "authentik_group" "allow_login_users" {
+ name = "Allow Login Users"
+}
+
+resource "authentik_policy_binding" "vault_allow_login_users" {
+ target = data.authentik_application.vault.uuid
+ group = data.authentik_group.allow_login_users.id
+ order = 0
+}
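Review bot: The fence this binding establishes holds only while the UI-managed application keeps `policy_engine_mode = "any"` AND this remains its sole binding, yet the hunk asserts neither — under "any", any further binding added later in the UI (a permissive expression policy, a broader group) passes on its own, and the comment `+# one group binding == membership in that group is required to authorize.` reads as if membership were unconditionally required. Suggest rewording that line to `# one group binding == membership required — true only while this is the SOLE binding; under "any" mode an extra binding bypasses it.` and, if the provider's application data source exposes the engine mode, adding a `lifecycle { precondition }` on `data.authentik_application.vault` so the plan fails when the mode is not "any" rather than silently weakening the fence. Note also that the binding governs future authorizations only: Vault tokens (and their entities) already issued to out-of-group identities before this apply stay valid until TTL or revocation, so the audit follow-up should include enumerating the OIDC auth method's existing entities and revoking any that fall outside "Allow Login Users".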