{"id":13564801,"url":"https://github.com/puppetlabs/vault-plugin-secrets-oauthapp","last_synced_at":"2025-12-30T18:40:28.113Z","repository":{"id":40281433,"uuid":"209159033","full_name":"puppetlabs/vault-plugin-secrets-oauthapp","owner":"puppetlabs","description":"OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types","archived":true,"fork":false,"pushed_at":"2024-11-18T16:48:51.000Z","size":799,"stargazers_count":94,"open_issues_count":7,"forks_count":11,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-12-15T16:09:33.852Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/puppetlabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-17T21:23:20.000Z","updated_at":"2024-11-18T16:51:45.000Z","dependencies_parsed_at":"2024-06-18T21:36:12.792Z","dependency_job_id":"2a004761-7f80-4ef9-9a53-8ab12f3c21dd","html_url":"https://github.com/puppetlabs/vault-plugin-secrets-oauthapp","commit_stats":null,"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puppetlabs%2Fvault-plugin-secrets-oauthapp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puppetlabs%2Fvault-plugin-secrets-oauthapp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/puppetlabs%2Fvault-plugin-secrets-oauthapp/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/puppetlabs%2Fvault-plugin-secrets-oauthapp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/puppetlabs","download_url":"https://codeload.github.com/puppetlabs/vault-plugin-secrets-oauthapp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237181509,"owners_count":19268050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T13:01:36.202Z","updated_at":"2025-10-19T17:31:12.454Z","avatar_url":"https://github.com/puppetlabs.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# vault-plugin-secrets-oauthapp\n\nThis is a standalone backend plugin for use with [HashiCorp\nVault](https://github.com/hashicorp/vault).\n\nThis plugin provides a secure wrapper around OAuth 2 authorization code, refresh\ntoken, device code, and client credentials grant types, allowing a Vault client\nto request authorization on behalf of a user and perform actions using a\nnegotiated OAuth 2 access token.\n\n## Usage\n\nOnce you have the binary, you will need to register the plugin with Vault.\nFollow [the instructions in the Vault\ndocumentation](https://www.vaultproject.io/docs/internals/plugins.html#plugin-registration)\nto add the plugin to the catalog. We will assume it is registered under the name\n`oauthapp`.\n\nEnable the plugin at the path of your choosing:\n\n```\n$ vault secrets enable -path=oauth2 oauthapp\nSuccess! 
Enabled the oauthapp secrets engine at: oauth2/\n```\n\nConfigure it with the necessary information to exchange tokens:\n\n```\n$ vault write oauth2/servers/github-puppetlabs \\\n    provider=github \\\n    client_id=aBcD3FgHiJkLmN0pQ \\\n    client_secret=AbCd3fGh1jK1MnoPqRs7uVwXYz\nSuccess! Data written to: oauth2/servers/github-puppetlabs\n```\n\nOnce the client secret has been written, it will never be exposed again.\n\nYou can have as many server configurations as you need for your use case,\nalthough it is common to only have one. Server configurations need not share the\nsame provider.\n\nIt is also possible to configure a default server:\n\n```\n$ vault write oauth2/config default_server=github-puppetlabs\nSuccess! Data written to: oauth2/config\n```\n\nWhen a default server is set in the plugin configuration, it isn't necessary to\nspecify the `server` field when writing credentials.\n\n### Authorization code exchange flow\n\nFrom a Vault client, request an authorization code URL:\n\n```\n$ vault write oauth2/auth-code-url \\\n    server=github-puppetlabs \\\n    state=foo \\\n    scopes=bar,baz\nKey    Value\n---    -----\nurl    https://github.com/login/oauth/authorize?client_id=aBcD3FgHiJkLmN0pQ\u0026response_type=code\u0026scope=bar+baz\u0026state=foo\n```\n\nIf you don't specify a state value, the plugin will generate one for you and return it in the response as well.\n\nAfter redirecting the user to that URL and receiving the resulting temporary\nauthorization code in your callback handler, you can create a permanent\ncredential that automatically refreshes:\n\n```\n$ vault write oauth2/creds/my-user-auth \\\n    server=github-puppetlabs \\\n    code=zYxWvU7sRqP\nSuccess! 
Data written to: oauth2/creds/my-user-auth\n```\n\nAssuming the refresh token remains valid, an access token is available any time at the same endpoint:\n\n```\n$ vault read oauth2/creds/my-user-auth\nKey             Value\n---             -----\naccess_token    nLlBg9Lmd7n1X96bw/xcW9HvyOHzxj19z3zXKv0XXxr8eLjQSerf4iyPDRCucSHQN+c7fnKhPsSWbWg0\nserver          github-puppetlabs\ntype            Bearer\n```\n\nNote that the client secret and refresh token are never exposed to Vault\nclients.\n\nAlternatively, if a refresh token is obtained in some other way you can\nskip the auth code URL step and pass the token directly to the creds\nwrite instead of the response code:\n\n```\n$ vault write oauth2/creds/my-user-auth \\\n    server=github-puppetlabs \\\n    grant_type=refresh_token \\\n    refresh_token=TGUgZ3JpbGxlPw==\nSuccess! Data written to: oauth2/creds/my-user-auth\n```\n\n### Device code flow\n\nThe [device code](https://oauth.net/2/grant-types/device-code/) grant type\nallows a user to authenticate outside of a browser session. This plugin supports\nthe device code flow and automatically handles polling the authorization server\nfor a valid access token.\n\nNot all providers support device code grants. Check the provider's documentation for more information.\n\nTo initiate the device code flow:\n\n```\n$ vault write oauth2/creds/my-user-auth \\\n    server=github-puppetlabs \\\n    grant_type=urn:ietf:params:oauth:grant-type:device_code\nKey                 Value\n---                 -----\nexpire_time         2021-03-10T23:35:00.295229233Z\nuser_code           BDWD-HQPK\nverification_uri    https://github.com/login/device\n```\n\nThe plugin will manage the device code (similar to a refresh token) and will\nnever present it to you. 
You should forward the user code and verification URL\nto the authorization subject for them to take action to log in.\n\nInitially, when you try to read the credential back, you'll get an error letting\nyou know the token is pending issuance because the user hasn't yet performed the\nrequired verification steps:\n\n```\n$ vault read oauth2/creds/my-user-auth\nError reading oauth2/creds/my-user-auth: Error making API request.\n\nURL: GET http://localhost:8200/v1/oauth2/creds/my-user-auth\nCode: 400. Errors:\n\n* token pending issuance\n```\n\nHowever, within a few seconds of the user verifying their identity, you should\nsee the access token:\n\n```\n$ vault read oauth2/creds/my-user-auth\nKey             Value\n---             -----\naccess_token    aGVsbG8gaGVsbG8gaGVsbG8K\nexpire_time     2021-03-27T00:15:38.72796606Z\nserver          github-puppetlabs\ntype            Bearer\n```\n\n### Client credentials flow\n\nFrom a Vault client, configure a server that supports the client credentials\ngrant type and write a credential under the `self` endpoint that references the\nserver:\n\n```\n$ vault write oauth2/servers/auth0-example \\\n    provider=oidc \\\n    provider_options=issuer_url=https://dev-example.us.auth0.com/ \\\n    client_id=aBcD3FgHiJkLmN0pQ \\\n    client_secret=AbCd3fGh1jK1MnoPqRs7uVwXYz\nSuccess! Data written to: oauth2/servers/auth0-example\n```\n```\n$ vault write oauth2/self/my-machine-auth \\\n    server=auth0-example \\\n    token_url_params=audience=https://dev-example.us.auth0.com/api/v2/ \\\n    scopes=read:users\nSuccess! 
Data written to: oauth2/self/my-machine-auth\n```\n\nThe token will be negotiated on demand going forward using the desired\nconfiguration:\n\n```\n$ vault read oauth2/self/my-machine-auth\nKey                 Value\n---                 -----\naccess_token        SSBhbSBzbyBzbWFydC4gUy1NLVItVC4=\nexpire_time         2021-01-16T15:38:21.105335834Z\nscopes              [read:users]\nserver              auth0-example\ntoken_url_params    map[audience:https://dev-example.us.auth0.com/api/v2/]\ntype                Bearer\n```\n\n## Tips\n\nFor some operations, you may find that you need to provide a map of data for a\nfield. When using the Vault CLI, you can repeat the name of the field for each\nkey-value pair of the map and use `=` to separate keys from values. For example:\n\n```\n$ vault write oauth2/servers/oidc-example \\\n    provider_options=issuer_url=https://login.example.com \\\n    provider_options=extra_data_fields=id_token_claims\n```\n\n## Upgrading\n\nFor instructions on how to upgrade from previous versions of the plugin, see the\n[UPGRADING](UPGRADING.md) document.\n\n## Performance tuning\n\nThere are several categories of performance tuning options you may want to\nadjust to get the most out of this plugin. All of the options are fields set\nwhen writing this plugin's configuration to the `config` endpoint.\n\n### Provider timeouts\n\nIt can be inconvenient when a provider you're working with doesn't respond to\nrequests in a reasonable time. Therefore, we apply a default timeout of 30\nseconds to all outbound requests. We also allow for a bit of leeway when a token\nis getting close to its expiry, preferring to wait longer to avoid clients\nhaving to retry requests to Vault. This is applied using a logarithmic algorithm\nrelative to the usual grace period we'd use for refreshing.\n\nYou can set the initial provider timeout using the\n`tune_provider_timeout_seconds` option. 
If you set it to 0, we won't apply any\ntimeout.\n\nThe default leeway factor is 1.5, i.e., a maximum timeout of 45 seconds when a\ntoken is close to expiration. You can set a different factor using the\n`tune_provider_timeout_expiry_leeway_factor` option. To disable timeout scaling,\nset the leeway factor to 1.\n\nThe provider timeout is applied when a request is made to a provider. If a\nplugin endpoint might make multiple requests to a provider, for example if\nmultiple client secrets are specified in a server configuration, the total\nrequest time for a client of this plugin may be significantly higher than the\nvalue of the provider timeout.\n\n### Automatic refreshing\n\nTo avoid having to contact providers when tokens are read from storage and need\nto be refreshed, this plugin will automatically check and attempt to refresh\ntokens that are close to expiring on a regular interval. The default check\ninterval is 1 minute. The refresh check has a grace period, called the expiry\ndelta, that extends beyond the refresh check interval to allow for some overlap.\nThe default expiry delta factor is 1.2, or 72 seconds.\n\nYou can set the refresh check interval using the\n`tune_refresh_check_interval_seconds` option and the expiry delta factor using\nthe `tune_refresh_expiry_delta_factor` option.\n\nIf you don't need this behavior, for example because your provider doesn't use\nrefresh tokens, you can set `tune_refresh_check_interval_seconds` to 0.\n\nAlternatively, if you have a relatively small number of tokens and your provider\nissues tokens with very long expirations, you may want to use a longer refresh\ninterval than the default to avoid having to loop over all credentials in\nstorage every minute.\n\n### Automatic reaping\n\nThere are a number of situations that result in stored tokens becoming unusable.\nBroadly, we group these into the following categories:\n\n* Expired with no refresh token\n* Expired and refresh failed because the provider rejected the 
refresh request\n* Expired and enough transient errors have occurred to discard the token (for\n  example, instead of rejecting a token, the provider hangs the connection)\n* Expired and the server referenced by the credential no longer exists\n\nThis plugin can automatically delete tokens that are expired and meet one of\nthese criteria using a process called reaping. Like the automatic refreshing,\nreaping runs on an interval, by default 5 minutes. You can change the reap\ninterval using the `tune_reap_check_interval_seconds` option.\n\nYou can disable the reaper entirely by setting the option to 0, or you can\nenable a dry run mode using the `tune_reap_dry_run` option. When in dry run\nmode, you can check your Vault server logs to see which credentials would be\ndeleted.\n\nThe criteria are mutually exclusive, so for example, a token that has a provider\nrefresh rejection will always have that criterion applied to it, even if it also\nhas transient errors.\n\nEach of the criteria have their own tuning options documented in the `config`\nendpoint. Note that the defaults should be reasonable for most users. You can\ndisable any of the criteria by setting its corresponding option to 0.\n\n## Endpoints\n\n### `config`\n\n#### `GET` (`read`)\n\nRetrieve the current configuration settings.\n\n#### `PUT` (`write`)\n\nWrite new configuration settings. This endpoint completely replaces the existing\nconfiguration, so you must specify all desired fields, even when updating.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `default_server` | The name of the authorization server to use as a default if not specified when configuring a credential. | String | None\u003csup id=\"ret-1\"\u003e[1](#footnote-1)\u003c/sup\u003e | No |\n| `tune_provider_timeout_seconds` | Maximum duration to wait for a response from the provider for background credential operations. 
| Integer | 30 | No |\n| `tune_provider_timeout_expiry_leeway_factor` | A multiplier for the `tune_provider_timeout_seconds` option to allow a slow provider to respond as a credential approaches expiration. Must be at least 1. | Number | 1.5 | No |\n| `tune_refresh_check_interval_seconds` | Number of seconds between checking tokens for refresh. Set to 0 to disable automatic background refreshing. | Integer | 60 | No |\n| `tune_refresh_expiry_delta_factor` | A multiplier for the refresh check interval to use to detect tokens that will expire soon after the impending refresh. Must be at least 1. | Number | 1.2 | No |\n| `tune_reap_check_interval_seconds` | Number of seconds between running the reaper process. Set to 0 to disable automatic reaping of expired credentials. | Integer | 300\u003csup id=\"ret-2\"\u003e[2](#footnote-2)\u003c/sup\u003e | No |\n| `tune_reap_dry_run` | If set, the reaper process will only report which credentials it would remove, but not actually delete them from storage. | Boolean | False | No |\n| `tune_reap_non_refreshable_seconds` | Minimum additional time to wait before automatically deleting an expired credential that does not have a refresh token. Set to 0 to disable this reaping criterion. | Integer | 86400 | No |\n| `tune_reap_revoked_seconds` | Minimum additional time to wait before automatically deleting an expired credential that has a revoked refresh token. Set to 0 to disable this reaping criterion. | Integer | 3600 | No |\n| `tune_reap_transient_error_attempts` | Minimum number of refresh attempts to make before automatically deleting an expired credential. Set to 0 to disable this reaping criterion. | Integer | 10 | No |\n| `tune_reap_transient_error_seconds` | Minimum additional time to wait before automatically deleting an expired credential that cannot be refreshed because of a transient problem like network connectivity issues. Set to 0 to disable this reaping criterion. 
| Integer | 86400 | No |\n| `tune_reap_server_deleted_seconds` | Minimum additional time to wait before automatically deleting an expired credential that no longer references a valid server. Set to 0 to disable this reaping criterion. | Integer | 86400 | No |\n\n#### `DELETE` (`delete`)\n\nRemove the current configuration, resetting tuning options to the plugin\ndefaults.\n\n### `servers`\n\n#### `GET` (`list`)\n\nShow the names of all currently available servers.\n\n### `servers/:name`\n\n#### `GET` (`read`)\n\nRetrieve the configuration for a given server (except the client secret).\n\n#### `PUT` (`write`)\n\nCreate or update the configuration for a given server.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `client_id` | The OAuth 2.0 client ID. | String | None | Yes |\n| `client_secret` | The OAuth 2.0 client secret. Prepended to the value of `client_secrets` if it is also present. | String | None | No |\n| `client_secrets` | An ordered list of OAuth 2.0 client secrets to try. Appended to the value of `client_secret` if it is also present. | List of String | None | No |\n| `auth_url_params` | A map of additional query string parameters to provide to the authorization code URL. | Map of String🠦String | None | No |\n| `provider` | The name of the provider to use. See [the list of providers](#providers). | String | None | Yes |\n| `provider_options` | Options to configure the specified provider. | Map of String🠦String | None | [Refer to provider documentation](#providers) |\n\n#### `DELETE` (`delete`)\n\nRemove the configuration for a given server. 
Note that this does not delete or revoke any\nstored credentials that reference the server name, but those credentials can no\nlonger be refreshed automatically.\n\nIf you write a new server configuration with the same name, existing credentials\nthat reference the server will start to use it.\n\n### `auth-code-url`\n\n#### `PUT` (`write`)\n\nRetrieve an authorization code URL for the given server. Some providers may not\nprovide the plugin with information about this URL, in which case accessing this\nendpoint will return an error.\n\nThis operation does not change any underlying storage, but because the state\nparameter is sensitive, we use a write operation and include it in the request\nbody to prevent proxies from inadvertently logging it.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `server` | The name of a server to use for the authorization code exchange flow. Inherits from the plugin configuration's `default_server` field if present, and may override it. | String | Inherited | Yes |\n| `auth_url_params` | A map of additional query string parameters to provide to the authorization code URL. If any keys in this map conflict with the parameters stored in the configuration, the configuration's parameters take precedence. | Map of String🠦String | None | No |\n| `redirect_url` | The URL to redirect to once the user has authorized this application. | String | None | No |\n| `scopes` | A list of explicit scopes to request. | List of String | None | No |\n| `state` | The unique state to send to the authorization URL. Automatically generated, and returned in the response, if not provided. | String | None | No |\n| `provider_options` | A list of options to pass on to the provider for configuring the authorization code URL. 
| Map of String🠦String | None | [Refer to provider documentation](#providers) |\n\n### `creds/:name`\n\nThis path is for tokens to be obtained using the OAuth 2.0 authorization code,\nrefresh token, and device code flows.\n\n#### `GET` (`read`)\n\nRetrieve a current access token for the given credential. Reuses previous token\nif it is not yet expired or close to it. Otherwise, requests a new credential\nusing the `refresh_token` grant type if possible.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `minimum_seconds` | Minimum additional duration to require the access token to be valid for. | Integer | 10\u003csup id=\"ret-3-a\"\u003e[3](#footnote-3)\u003c/sup\u003e | No |\n\n#### `PUT` (`write`)\n\nCreate or update a credential using a supported three-legged flow. This\noperation will make a request for a new credential using the specified grant\ntype.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `server` | The name of a server to use for the credential flow. Inherits from the plugin configuration's `default_server` field if present, and may override it. | String | Inherited | Yes |\n| `grant_type` | The grant type to use. Must be one of `authorization_code`, `refresh_token`, or `urn:ietf:params:oauth:grant-type:device_code`. | String | `authorization_code`\u003csup id=\"ret-4\"\u003e[4](#footnote-4)\u003c/sup\u003e | Yes |\n| `maximum_expiry_seconds` | The upper limit for a token's valid duration. The lesser of this value and the expiry provided in the response will be used. If the server does not provide an expiry (i.e., the server considers the token to be valid indefinitely), this parameter takes precedence and the token will be refreshed if possible. | Integer | None | No |\n| `provider_options` | A list of options to pass on to the provider for configuring this token exchange. 
| Map of String🠦String | None | [Refer to provider documentation](#providers) |\n\nThis operation takes additional parameters depending on which grant type is\nchosen:\n\n##### `authorization_code` (default)\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `code` | The response code to exchange for a full token. | String | None | Yes |\n| `redirect_url` | The same redirect URL as specified in the authorization code URL. | String | None | Refer to provider documentation |\n\n##### `refresh_token`\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `refresh_token` | The refresh token retrieved from the provider by some means external to this plugin. | String | None | Yes |\n\n##### `urn:ietf:params:oauth:grant-type:device_code`\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `device_code` | A device code that has already been retrieved. If not specified, a new device code will be retrieved. | String | None | No |\n| `scopes` | If a device code is not specified, the scopes to request. | List of String | None | No |\n\n#### `DELETE` (`delete`)\n\nRemove the credential information from storage. This does not revoke the token,\nso keep in mind that applications may hold any requested access token until its\nexpiry.\n\n### `self/:name`\n\nThis path is for tokens to be obtained using the OAuth 2.0 client credentials\nflow.\n\n#### `GET` (`read`)\n\nRetrieve a current access token for the underlying OAuth 2.0 application. Reuses\nprevious token if it is not yet expired or close to it. Otherwise, requests a\nnew credential using the `client_credentials` grant type.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `minimum_seconds` | Minimum additional duration to require the access token to be valid for. 
| Integer | 10\u003csup id=\"ret-3-b\"\u003e[3](#footnote-3)\u003c/sup\u003e | No |\n\n#### `PUT` (`write`)\n\nConfigure a client credentials grant for the credential with the given name.\nWriting configuration will cause a new token to be retrieved and validated using\nthe `client_credentials` grant type.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `server` | The name of a server to use for the credential flow. Inherits from the plugin configuration's `default_server` field if present, and may override it. | String | Inherited | Yes |\n| `token_url_params` | A map of additional query string parameters to provide to the token URL. | Map of String🠦String | None | No |\n| `scopes` | A list of explicit scopes to request. | List of String | None | No |\n| `maximum_expiry_seconds` | The upper limit for a token's valid duration. The lesser of this value and the expiry provided in the response will be used. If the server does not provide an expiry (i.e., the server considers the token to be valid indefinitely), this parameter takes precedence. | Integer | None | No |\n| `provider_options` | A list of options to pass on to the provider for configuring this token exchange. | Map of String🠦String | None | No |\n\n#### `DELETE` (`delete`)\n\nRemove the credential information from storage.\n\n### `sts/:name`\n\nThis path is for tokens to be obtained using the [RFC 8693 token exchange\nflow](https://datatracker.ietf.org/doc/html/rfc8693). 
The credential identified\nby the `name` path parameter must be an existing credential that exists under\nthe corresponding `creds/:name` path.\n\n#### `GET` (`read`)\n\nRetrieve a new access token by performing a token exchange request on demand.\nThe token exchange operation always sends the access token from the\ncorresponding credential as the subject token and explicitly requests a new\naccess token from the authorization server.\n\nParameters:\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|----------|\n| `scopes` | A list of explicit scopes to request. | List of String | None | No |\n| `audiences` | A list of explicit audiences to request. | List of String | None | No |\n| `resources` | A list of explicit resources to request. | List of String | None | No |\n\n## Providers\n\n### Bitbucket (`bitbucket`)\n\n[Documentation](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)\n\n### GitHub (`github`)\n\n[Documentation](https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/)\n\n### GitLab (`gitlab`)\n\n[Documentation](https://docs.gitlab.com/ee/api/oauth2.html)\n\n### Google (`google`)\n\n[Documentation](https://developers.google.com/identity/protocols/oauth2)\n\n#### Configuration options\n\n| Name | Description | Default | Required |\n|------|-------------|---------|----------|\n| `extra_data_fields` | A comma-separated list of subject fields to expose in the credential endpoint. Valid fields are `id_token`, `id_token_claims`, and `user_info`. | None | No |\n\n#### Credential options\n\n| Name | Description | Supported flows | Default | Required |\n|------|-------------|-----------------|---------|----------|\n| `nonce` | The same nonce as specified in the authorization code URL. 
| Authorization code exchange | None | If present in the authorization code URL |\n\n### Microsoft Azure AD (`microsoft_azure_ad`)\n\n[Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)\n\n#### Configuration options\n\n| Name | Description | Default | Required |\n|------|-------------|---------|----------|\n| `tenant` | The tenant to authenticate to. | `organizations` | No |\n\n#### Authorization code URL options\n\n| Name | Description | Default | Required |\n|------|-------------|---------|----------|\n| `tenant` | The tenant to authenticate to. Ignored if the `tenant` option is specified in the server configuration. | Inherited | No |\n\n#### Credential options\n\n| Name | Description | Supported flows | Default | Required |\n|------|-------------|-----------------|---------|----------|\n| `tenant` | The tenant to authenticate to. Ignored if the `tenant` option is specified in the server configuration. | All | Inherited | No |\n\n### OpenID Connect (`oidc`)\n\nThis provider implements the OpenID Connect protocol version 1.0.\n\n[Documentation](https://openid.net/developers/specs/)\n\n#### Configuration options\n\n| Name | Description | Default | Required |\n|------|-------------|---------|----------|\n| `issuer_url` | The URL to an issuer of OpenID JWTs with an accessible `.well-known/openid-configuration` resource. | None | Yes |\n| `extra_data_fields` | A comma-separated list of subject fields to expose in the credential endpoint. Valid fields are `id_token`, `id_token_claims`, and `user_info`. | None | No |\n\n#### Credential options\n\n| Name | Description | Supported flows | Default | Required |\n|------|-------------|-----------------|---------|----------|\n| `nonce` | The same nonce as specified in the authorization code URL. 
| Authorization code exchange | None | If present in the authorization code URL |\n\n### Slack (`slack`)\n\n[Documentation](https://api.slack.com/docs/oauth)\n\n### Custom (`custom`)\n\nThis provider allows you to specify the endpoints required to negotiate an\narbitrary OAuth 2 authorization code or device code grant flow.\n\n#### Configuration options\n\n| Name | Description | Default | Required |\n|------|-------------|---------|----------|\n| `auth_code_url` | The URL to submit the initial authorization code request to. | None | No |\n| `device_code_url` | The URL to submit a device authorization request to. | None | No |\n| `token_url` | The URL to use for exchanging temporary codes and refreshing access tokens. | None | Yes |\n| `auth_style` | How to authenticate to the token URL. If specified, must be one of `in_header` or `in_params`. | Automatically detect | No |\n\n\n## Footnotes\n\n\u003cspan id=\"footnote-1\"\u003e\u003csup\u003e1\u003c/sup\u003e For users upgrading from versions prior to 3.0.0, the default server will automatically be set to a legacy server for backward compatibility. \u003csmall\u003e[↩](#ret-1)\u003c/small\u003e\u003c/span\u003e\n\n\u003cspan id=\"footnote-2\"\u003e\u003csup\u003e2\u003c/sup\u003e For users upgrading from versions prior to\n2.2.0 with valid configurations, the reaper will not be automatically enabled\nunless you replace your configuration. \u003csmall\u003e[↩](#ret-2)\u003c/small\u003e\u003c/span\u003e\n\n\u003cspan id=\"footnote-3\"\u003e\u003csup\u003e3\u003c/sup\u003e The default is 10 seconds as specified in the\nGo [OAuth 2.0 library](https://github.com/golang/oauth2) unless the token does\nnot expire. \u003csmall\u003e↩ [a](#ret-3-a) [b](#ret-3-b)\u003c/small\u003e\u003c/span\u003e\n\n\u003cspan id=\"footnote-4\"\u003e\u003csup\u003e4\u003c/sup\u003e For compatibility, if `grant_type` is not\nprovided and `refresh_token` is set, the `grant_type` will default to\n`refresh_token`. 
\u003csmall\u003e[↩](#ret-4)\u003c/small\u003e\u003c/span\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuppetlabs%2Fvault-plugin-secrets-oauthapp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpuppetlabs%2Fvault-plugin-secrets-oauthapp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpuppetlabs%2Fvault-plugin-secrets-oauthapp/lists"}
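An added example of the authorization code exchange flow described in the README above, written as a small Go callback service against Vault's HTTP API using only the standard library. It is not part of the original page or of the plugin's code. Assumptions of the example: the mount name `oauth2`, the server `github-puppetlabs`, the credential name `my-user-auth`, a `read:user` scope, `VAULT_ADDR`/`VAULT_TOKEN` for the Vault connection, and that the plugin returns the state it generated under a `state` key in the `auth-code-url` response data (the README says the state is returned but does not name the field). The part the README leaves to the caller is made explicit: the `state` handed out by `auth-code-url` is remembered for the login it belongs to and accepted exactly once at the callback, so a code that did not come from a URL this service issued, or one that is replayed, is never written to `creds/<name>`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"sync"
)

// VaultClient talks to the oauthapp mount over Vault's HTTP API (standard library only).
// Assumed: the plugin is mounted at Mount and Token has update capability on that mount.
type VaultClient struct {
	HTTP  *http.Client
	Addr  string // e.g. https://vault.example.com:8200
	Token string
	Mount string // "oauth2" in the README
}

// write is a Vault write (HTTP PUT /v1/<mount>/<path>) returning the response's "data"
// object. Vault answers 204 with an empty body when a write has nothing to return.
func (c *VaultClient) write(path string, body map[string]any) (map[string]any, error) {
	payload, _ := json.Marshal(body) // values are strings and []string, so this cannot fail
	req, err := http.NewRequest(http.MethodPut, c.Addr+"/v1/"+c.Mount+"/"+path, bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct {
		Data   map[string]any `json:"data"`
		Errors []string       `json:"errors"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil && resp.StatusCode != http.StatusNoContent {
		return nil, fmt.Errorf("vault %s: HTTP %d with unparseable body: %w", path, resp.StatusCode, err)
	}
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("vault %s: HTTP %d %v", path, resp.StatusCode, out.Errors)
	}
	return out.Data, nil
}

// PendingStates maps each state the plugin generated to the credential that login is for.
// LoadAndDelete makes a state single-use: an unknown or replayed state is refused.
type PendingStates struct{ sync.Map }

// StartLogin asks the plugin for an authorization code URL, letting it generate the state,
// and records that state for cred. Assumption: the generated state is returned under "state".
func StartLogin(c *VaultClient, p *PendingStates, server, cred, redirectURL string, scopes []string) (string, error) {
	data, err := c.write("auth-code-url", map[string]any{"server": server, "redirect_url": redirectURL, "scopes": scopes})
	if err != nil {
		return "", err
	}
	authURL, _ := data["url"].(string)
	state, _ := data["state"].(string)
	if authURL == "" || state == "" {
		return "", fmt.Errorf("auth-code-url response lacks url or state")
	}
	p.Store(state, cred)
	return authURL, nil
}

// CallbackHandler is the redirect target. It accepts a code only with a state it issued,
// consumes that state, and has the plugin redeem the code into creds/<cred>; the refresh token
// obtained by that exchange never leaves Vault.
func CallbackHandler(c *VaultClient, p *PendingStates, server, redirectURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		v, ok := p.LoadAndDelete(r.URL.Query().Get("state"))
		code := r.URL.Query().Get("code")
		if !ok || code == "" {
			http.Error(w, "unknown or reused state, or missing code", http.StatusBadRequest)
			return
		}
		_, err := c.write("creds/"+v.(string), map[string]any{"server": server, "grant_type": "authorization_code", "code": code, "redirect_url": redirectURL})
		if err != nil {
			http.Error(w, "code exchange failed", http.StatusBadGateway)
			return
		}
		fmt.Fprintf(w, "credential %s authorized\n", v.(string))
	}
}

func main() {
	c := &VaultClient{HTTP: http.DefaultClient, Addr: os.Getenv("VAULT_ADDR"), Token: os.Getenv("VAULT_TOKEN"), Mount: "oauth2"}
	p := &PendingStates{}
	const redirect = "http://127.0.0.1:8080/callback"
	u, err := StartLogin(c, p, "github-puppetlabs", "my-user-auth", redirect, []string{"read:user"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("open this URL in a browser:", u)
	http.HandleFunc("/callback", CallbackHandler(c, p, "github-puppetlabs", redirect))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it with `VAULT_ADDR` and `VAULT_TOKEN` set: it prints the authorization URL, serves `/callback` on 127.0.0.1:8080, and once the user approves the application a `vault read oauth2/creds/my-user-auth` returns the access token while the refresh token stays in Vault. The `redirect_url` must be registered with the provider and must be the same value on the `auth-code-url` and `creds` writes.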
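Polling for the device code flow described in the README above, as an added example that is not the plugin's own code: a Go loop that re-reads `creds/<name>`, treats the HTTP 400 `token pending issuance` answer as "keep waiting", stops once the `expire_time` returned when the flow was started has passed, and treats any other error as final rather than retrying it. The `Reader` function type, the `now` clock parameter, and the sample responses in `main` (constructed to match the README's output) are this example's constructs; a real `Reader` would perform `GET /v1/oauth2/creds/<name>` with the `X-Vault-Token` header.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrPending is returned while the user has not yet entered user_code at the
// verification_uri the plugin handed out when the flow was started.
var ErrPending = errors.New("token pending issuance")

// Credential is the part of a creds/:name read that a device-flow client needs.
type Credential struct {
	AccessToken string
	Type        string
	ExpireTime  time.Time // zero when the provider returned no expire_time
}

// Reader performs GET /v1/<mount>/creds/<name> and returns the HTTP status and body. It is
// injected so the loop runs without a Vault server; the type is this example's construct.
type Reader func(ctx context.Context, name string) (status int, body []byte, err error)

// ParseCredsRead classifies one read of creds/:name: a 400 whose errors include "token
// pending issuance" means keep waiting, any other non-2xx is final, a 2xx must carry access_token.
func ParseCredsRead(status int, body []byte) (*Credential, error) {
	var resp struct {
		Data struct {
			AccessToken string `json:"access_token"`
			Type        string `json:"type"`
			ExpireTime  string `json:"expire_time"`
		} `json:"data"`
		Errors []string `json:"errors"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("HTTP %d with unparseable body: %w", status, err)
	}
	if status == 400 && strings.Contains(strings.Join(resp.Errors, "\n"), "token pending issuance") {
		return nil, ErrPending
	}
	if status/100 != 2 {
		return nil, fmt.Errorf("vault read failed: HTTP %d %v", status, resp.Errors)
	}
	if resp.Data.AccessToken == "" {
		return nil, errors.New("vault returned no access_token")
	}
	cred := &Credential{AccessToken: resp.Data.AccessToken, Type: resp.Data.Type}
	if resp.Data.ExpireTime != "" {
		t, err := time.Parse(time.RFC3339Nano, resp.Data.ExpireTime)
		if err != nil {
			return nil, fmt.Errorf("bad expire_time %q: %w", resp.Data.ExpireTime, err)
		}
		cred.ExpireTime = t
	}
	return cred, nil
}

// WaitForDeviceToken re-reads creds/<name> every interval until the plugin has an access
// token, the device code expires (deviceExpiry is the expire_time returned when the flow was
// started), or ctx ends. The plugin polls the provider itself; this loop only asks Vault
// whether that has finished. now is a parameter so tests can fix the clock.
func WaitForDeviceToken(ctx context.Context, read Reader, name string, deviceExpiry time.Time, interval time.Duration, now func() time.Time) (*Credential, error) {
	for {
		if !now().Before(deviceExpiry) {
			return nil, fmt.Errorf("device code for %s expired at %s before the user verified; start the flow again", name, deviceExpiry.Format(time.RFC3339))
		}
		status, body, err := read(ctx, name)
		if err != nil {
			return nil, err
		}
		cred, err := ParseCredsRead(status, body)
		if !errors.Is(err, ErrPending) {
			return cred, err // the token, or a final error
		}
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(interval):
		}
	}
}

func main() {
	// Constructed sample reads shaped like the README's device code example: two pending
	// answers, then the issued token. A real Reader would GET /v1/oauth2/creds/<name>.
	pending := `{"errors":["token pending issuance"]}`
	issued := `{"data":{"access_token":"aGVsbG8gaGVsbG8gaGVsbG8K","expire_time":"2021-03-27T00:15:38.72796606Z","server":"github-puppetlabs","type":"Bearer"}}`
	reads := 0
	read := func(ctx context.Context, name string) (int, []byte, error) {
		if reads++; reads < 3 {
			return 400, []byte(pending), nil
		}
		return 200, []byte(issued), nil
	}
	cred, err := WaitForDeviceToken(context.Background(), read, "my-user-auth", time.Now().Add(15*time.Minute), 10*time.Millisecond, time.Now)
	fmt.Printf("after %d reads: %+v, err=%v\n", reads, cred, err)
}
```

Hand `WaitForDeviceToken` the `expire_time` from the initial `creds/<name>` write; once it has passed the plugin will not receive a token for that device code, so the loop reports that instead of polling Vault indefinitely. Keep the interval at a few seconds in practice: the plugin itself polls the provider, and re-reading Vault more often only adds load.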