Passwordless

This tutorial describes the setup of the custom auth plugin vault_plugin_auth_passkeys and is subject to change once the custom UI branch is merged into the main branch.

The Dockerfile in the repository builds an image with a ready-to-use Vault installation that includes the passkey plugin. If desired, the Dockerfile can be changed to run Vault in development mode; see the comments in the file.

To build the image, a GitHub token with access to enclaive's repositories has to be provided as a build argument:

docker build -t example/vault --build-arg git_personal_token=<token> .

After a successful build the container can be started and Vault will run in production mode. The config.hcl, full-chain.pem and private-key.pem from this repository are placed at /cfg in the image. The certificates are self-signed for localhost. To use a customized config and your own certificates, bind-mount a directory over /cfg; the following command does this:

docker run --rm -it -v /home/ubuntu/vconfig/:/cfg -p 8200:8200 example/vault

Once the container is running, open the configured URL, initialize Vault and unseal it. Store the root token and unseal key(s) securely; the init output is the only place they are shown.

After unsealing Vault, open a second terminal, exec into the container and register the plugin. Set the environment variables and compute the SHA-256 hash of the plugin binary; Vault compares the binary against this hash before it will run the plugin.

docker exec -it <containername> bash

Inside the container (-tls-skip-verify disables certificate verification; it is acceptable here only because the certificates are self-signed for local testing, and setting VAULT_CACERT=/cfg/full-chain.pem lets the CLI verify them instead):

root@cb1547cd5f46:/# export VAULT_ADDR='https://vault-passkeys.com:8200'
root@cb1547cd5f46:/# export VAULT_TOKEN=hvs.vcNVy3sKtvny0hlsvm73Coy6
root@cb1547cd5f46:/# SHA256=$(sha256sum /plugins/passkey | cut -d ' ' -f1)
root@cb1547cd5f46:/# vault/vault plugin register -tls-skip-verify -sha256=$SHA256 auth passkey
Success! Registered plugin: passkey

Now the UI can be used to mount the plugin. After mounting, retrieve the accessor ID of the new auth mount; it is needed to create the policy.

The example policy in this repository needs to be adjusted with the correct accessor ID and mount path. After creating the policy, the relying party has to be configured with the correct values: the RP ID is the domain without scheme or port, the origin is the scheme, host and port as the browser sees them. For example: RP ID localhost, origin https://localhost:8200. WebAuthn binds every credential to the RP ID and the server checks the origin of each response, so both values must match the URL users actually open; otherwise registration and login fail.

Now a user can be created and the invite link can be used to register a passkey.

Example Policy:

        #allow passkey users to read their own account
        path "auth/<MOUNTPATH>/users/{{identity.entity.aliases.<ACCESSOR_ID>.name}}" {
          capabilities = [ "read" ]
        }
        
        #allow passkey users to update their own credential list
        path "auth/<MOUNTPATH>/users/{{identity.entity.aliases.<ACCESSOR_ID>.name}}/credentials" {
          capabilities = [ "update" ]
        }
        
        #allow passkey users to rename and delete their individual credentials
        path "auth/<MOUNTPATH>/users/{{identity.entity.aliases.<ACCESSOR_ID>.name}}/credentials/*" {
          capabilities = [ "update", "delete" ]
        }
        
        #allow the creation of a new passkey account on this mount - important for users coming from a different auth method
        path "auth/<MOUNTPATH>/create" {
          capabilities = [ "update" ]
        }
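The registration, mounting and policy steps above can be scripted so that the accessor ID and mount path are never pasted by hand into the policy. The script below is an added example and is not part of the vault_plugin_auth_passkeys repository or its Dockerfile. It assumes the vault CLI is on the PATH, that VAULT_ADDR, VAULT_TOKEN and VAULT_CACERT are already exported, that the plugin binary is at /plugins/passkey as on this page, and that the accessor can be read from sys/auth/<mount>; the mount path passkey and the policy name passkey-users are placeholders you can override. The relying party values are only printed, because the plugin's configuration endpoint is not documented on this page and must be set in the UI.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Renders the per-user policy from
# this page for a given mount path and accessor, derives the WebAuthn RP ID and
# origin from a Vault URL, and optionally applies the setup with the vault CLI.
set -eu

# Derive the relying party values from a Vault URL.
# Prints "rp_id=<host>" (no scheme, no port) and "origin=<scheme>://<host>[:port]".
rp_values() {
    url="$1"
    scheme="${url%%://*}"          # text before "://"
    rest="${url#*://}"             # text after "://"
    hostport="${rest%%/*}"         # drop any path such as /ui
    host="${hostport%%:*}"         # drop the port for the RP ID
    printf 'rp_id=%s\norigin=%s://%s\n' "$host" "$scheme" "$hostport"
}

# Render the example policy with the accessor and mount path substituted.
# Refuses values that do not look like an auth accessor (auth_<type>_<id>),
# which catches pasting the mount path or a token where the accessor belongs.
render_policy() {
    accessor="$1"
    mount="${2%/}"                 # 'vault auth list' shows the path with a trailing slash
    case "$accessor" in
        auth_*_*) ;;
        *) echo "render_policy: '$accessor' does not look like an auth accessor" >&2; return 1 ;;
    esac
    cat <<EOF
#allow passkey users to read their own account
path "auth/${mount}/users/{{identity.entity.aliases.${accessor}.name}}" {
  capabilities = [ "read" ]
}

#allow passkey users to update their own credential list
path "auth/${mount}/users/{{identity.entity.aliases.${accessor}.name}}/credentials" {
  capabilities = [ "update" ]
}

#allow passkey users to rename and delete their individual credentials
path "auth/${mount}/users/{{identity.entity.aliases.${accessor}.name}}/credentials/*" {
  capabilities = [ "update", "delete" ]
}

#allow the creation of a new passkey account on this mount
path "auth/${mount}/create" {
  capabilities = [ "update" ]
}
EOF
}

# Register the plugin, enable it at the mount, write the policy and print the
# relying party values to enter in the UI. Requires VAULT_ADDR/VAULT_TOKEN.
apply() {
    mount="${1:-passkey}"                  # assumed mount path
    policy_name="${2:-passkey-users}"      # assumed policy name
    sha="$(sha256sum /plugins/passkey | cut -d ' ' -f1)"
    vault plugin register -sha256="$sha" auth passkey
    vault auth enable -path="$mount" passkey
    # Assumption: sys/auth/<mount> exposes the accessor; 'vault auth list' shows the same value.
    accessor="$(vault read -field=accessor "sys/auth/$mount")"
    render_policy "$accessor" "$mount" | vault policy write "$policy_name" -
    echo "Set these relying party values in the UI:"
    rp_values "$VAULT_ADDR"
}

# Only talk to Vault when invoked as: sh setup.sh apply [mount] [policy-name]
if [ "${1:-}" = "apply" ]; then
    apply "${2:-}" "${3:-}"
fi
```

Run it inside the container with `sh setup.sh apply passkey passkey-users` after exporting VAULT_ADDR, VAULT_TOKEN and VAULT_CACERT; without the apply argument it only defines the functions, so `render_policy <accessor> <mount>` can be used to preview the policy before writing it.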
