identity/oidc: Adds default provider, key, and allow_all assignment #14119

Merged (8 commits), Feb 22, 2022

Conversation

@austingebauer (Member) commented Feb 17, 2022

Overview

This PR introduces default resources that seek to decrease the number of steps it takes to get Vault's OIDC provider configured for simple use cases. With this change, a user can simply configure a Vault auth method + OIDC client and successfully use Vault as an identity provider. The introduction of these resources is not limiting and will still allow users to create more advanced configurations.

Default OIDC Provider

A default OIDC provider will be created per namespace. It will have a minimal configuration that allows all clients to authenticate using it. Users won't be able to delete it, but they'll be able to modify it.

Default Key

A default key will be created per namespace. The key parameter on OIDC clients will be optional and use the key by default. Users won't be able to delete it, but they'll be able to modify it.

Allow All Assignment

An allow_all assignment will be created per namespace. This assignment can be associated with a client to allow all Vault entities/groups to authenticate using the client. The assignment parameter will not use this by default, so it's an explicit decision of the user to allow all entities/groups. Users won't be able to modify or delete this assignment.

Testing

I've manually tested using these resources with Waypoint as an OIDC client.

Example of simplified usage with Vault and Waypoint:

```shell
# Run Vault and Waypoint

# Configure a Vault auth method
vault auth enable userpass
vault write auth/userpass/users/end-user password="password"

# Create an OIDC client that uses the default key and allow_all assignment
vault write identity/oidc/client/waypoint \
    redirect_uris="https://localhost:9702/auth/oidc-callback" \
    assignments="allow_all"

# Configure Waypoint OIDC auth method to use the default provider
waypoint auth-method set oidc \
  -issuer=$(curl -s http://localhost:8200/v1/identity/oidc/provider/default/.well-known/openid-configuration | jq -r .issuer) \
  -client-id=$(vault read -field=client_id identity/oidc/client/waypoint) \
  -client-secret=$(vault read -field=client_secret identity/oidc/client/waypoint) \
  -allowed-redirect-uri="https://localhost:9702/auth/oidc-callback" \
  vault

# Authenticate using OIDC in Waypoint UI
open https://localhost:9702/auth
```
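As an added example (not code from this PR or from Vault itself), the script below applies the semantics described above to a set of OIDC client configurations: a client whose `assignments` include `allow_all` admits every entity and group, a client with no `key` falls back to the default key, and any other assignment contributes its explicit entity/group IDs. The field names (`key`, `assignments`, `entity_ids`, `group_ids`) are assumed to match what `vault read -format=json` returns for these paths, and the client and assignment data are constructed samples.

```python
# Names of the per-namespace default resources introduced by the PR.
DEFAULT_KEY = "default"
ALLOW_ALL_ASSIGNMENT = "allow_all"

# Constructed sample of the "data" block that
# `vault read -format=json identity/oidc/client/<name>` is assumed to return.
# "ci" omits "key" on purpose to exercise the default-key fallback.
CLIENTS = {
    "waypoint": {"key": "default", "assignments": ["allow_all"],
                 "redirect_uris": ["https://localhost:9702/auth/oidc-callback"]},
    "ci": {"assignments": ["ci-runners"],
           "redirect_uris": ["https://ci.example.test/callback"]},
    "admin-portal": {"key": "admin-key", "assignments": ["admins", "ci-runners"],
                     "redirect_uris": ["https://admin.example.test/cb"]},
}

# Constructed sample of `identity/oidc/assignment/<name>` data. allow_all has
# no explicit member list because it matches every entity and group.
ASSIGNMENTS = {
    "ci-runners": {"entity_ids": ["ent-ci-1"], "group_ids": ["grp-ci"]},
    "admins": {"entity_ids": ["ent-alice"], "group_ids": ["grp-admins"]},
}


def effective_principals(client, assignments):
    """Return the set of entity/group IDs that may authenticate via this client.
    allow_all is modelled as the sentinel "*" since it admits everyone."""
    if ALLOW_ALL_ASSIGNMENT in client["assignments"]:
        return {"*"}
    ids = set()
    for name in client["assignments"]:
        a = assignments.get(name, {})
        ids.update(a.get("entity_ids", []))
        ids.update(a.get("group_ids", []))
    return ids


def audit(clients, assignments):
    """Per client: whether it opted into allow_all (an explicit choice worth
    reviewing), whether it relies on the default key, and who it admits."""
    report = {}
    for name, c in clients.items():
        report[name] = {
            "allow_all": ALLOW_ALL_ASSIGNMENT in c["assignments"],
            "uses_default_key": c.get("key", DEFAULT_KEY) == DEFAULT_KEY,
            "principals": sorted(effective_principals(c, assignments)),
        }
    return report


if __name__ == "__main__":
    for client, r in audit(CLIENTS, ASSIGNMENTS).items():
        print(client, r)
```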

@fairclothjm (Contributor) left a comment

LGTM, although I can't help with the perf standby question

@calvn (Member) left a comment

How would default resources creation work for namespaces on the enterprise side if these are per-namespace? For instance, how would these resources be created when a new namespace is created?

@austingebauer (Member, Author) commented

@calvn - See b06e18d where I moved the call to storeOIDCDefaultResources() into the IdentityStore InitializeFunc. I think this is the right approach. You can see that there is already code there that's writing to storage similar to what's being introduced here. There was no workable approach for supporting namespaces when calling it from loadIdentityStoreArtifacts().

This allows us to write these default resources once per namespace creation. It will require a one line change in Vault enterprise. I tested that it works as expected using namespaces. Also see that the same protection for perf standbys/secondaries is already present in the new location: identity_store.go#L489-L493.

@calvn (Member) left a comment

Looks good, thanks for making the adjustments to make namespaces work!
