
Auth

Summary: Authentication in OpenBao verifies who a client is and issues a token; everything else hangs off that token. Methods are pluggable and mount at paths under auth/.

Sources: raw/docs/concepts/auth.md, raw/docs/auth/index.md, raw/docs/auth/*.md.

Last updated: 2026-05-19


What it does

Before a client can do anything else, it must authenticate against an auth method. The method verifies the client’s identity (LDAP password, Kubernetes service-account JWT, AppRole role/secret ID, etc.) and OpenBao issues a token with policies attached. From then on every request carries that token (source: raw/docs/concepts/auth.md).

Built-in methods

User-targeted:

  • userpass — local username/password.
  • ldap — LDAP / ActiveDirectory.
  • token — direct token presentation (cannot be disabled; this is the “token store” — source: raw/docs/auth/token.md).
  • radius — RADIUS server.
  • kerberos — SPNEGO/Kerberos tickets.
  • cert — client TLS certificate.
  • jwt / oidc — JWTs from any issuer; OIDC providers documented for Auth0, Azure AD, ForgeRock, GitLab, Google, IBM ISAM, Keycloak, Kubernetes, Okta, SecureAuth (source: raw/docs/auth/jwt/oidc-providers/*).

Machine-targeted:

  • approle — role ID + secret ID. The recommended method for servers (source: raw/docs/auth/index.md).
  • kubernetes — verifies a pod’s service-account JWT.

Multi-factor: see raw/docs/auth/login-mfa/.

Mount mechanics

Auth methods mount at auth/<type> by default but can be remounted; the same method can be mounted multiple times at different paths (source: raw/docs/auth/index.md).

$ bao auth enable userpass
$ bao auth enable -path=corp-ldap ldap

Enabling/listing/tuning/disabling uses the standard bao auth CLI verbs (source: raw/docs/commands/auth/).

Tokens and leases

Every successful login returns a token. Tokens carry a lease: a client must renew the token before its TTL expires, or authenticate again to obtain a new one (source: raw/docs/concepts/auth.md). See tokens and leases.
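The following is an added example, not code from the OpenBao docs or project, tying together the two preceding sections: it enables auth methods at default and custom paths (the API form of the bao auth enable commands above), logs in with AppRole, and keeps the returned token alive by renewing it before the TTL runs out and re-authenticating when the server refuses the renewal. The HTTP paths (/v1/sys/auth/<path>, /v1/auth/<mount>/login, /v1/auth/token/renew-self) and the X-Vault-Token header are the real API; FakeOpenBao, the credentials, the token strings and the AuthClient wrapper are constructed for this example and are not part of OpenBao.

```python
"""Added example: enable auth mounts, log in with AppRole, keep the token alive."""
import json
import time
import urllib.request

ROLE_ID = "role-id-constructed"        # constructed sample credentials, not real ones
SECRET_ID = "secret-id-constructed"


def http_transport(addr):
    """Transport for a live server, e.g. addr='http://127.0.0.1:8200'."""
    def send(method, path, token=None, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("X-Vault-Token", token)   # every request carries the token
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class FakeOpenBao:
    """Constructed in-memory stand-in implementing only the endpoints used here."""
    def __init__(self, root_token="root-constructed"):
        self.root, self.issued = root_token, 0
        self.mounts = {"token/": {"type": "token"}}   # token store cannot be disabled
        self.tokens = {}                               # token -> renewals still allowed

    def _issue(self):
        self.issued += 1
        tok = f"hvs.constructed-{self.issued}"
        self.tokens[tok] = 1   # renewable once; after that the (fake) max TTL is hit
        return {"auth": {"client_token": tok, "lease_duration": 3600, "renewable": True}}

    def __call__(self, method, path, token=None, body=None):
        p = path.strip("/").split("/")                 # ["v1", "sys"|"auth", ...]
        if p[1] == "sys" and p[2] == "auth":           # mount management needs a token
            if token != self.root:
                raise PermissionError("permission denied")
            if method == "GET":
                return {"data": dict(self.mounts)}
            mount = "/".join(p[3:]) + "/"
            if method == "POST":
                self.mounts[mount] = {"type": body["type"]}
            elif method == "DELETE":
                self.mounts.pop(mount, None)
            return {}
        if p[1] == "auth" and p[-1] == "login":        # unauthenticated login endpoint
            mount = "/".join(p[2:-1]) + "/"
            if self.mounts.get(mount, {}).get("type") != "approle":
                raise PermissionError("unsupported path")
            if body != {"role_id": ROLE_ID, "secret_id": SECRET_ID}:
                raise PermissionError("invalid role or secret ID")
            return self._issue()
        if p[1:] == ["auth", "token", "renew-self"]:
            if self.tokens.get(token, 0) <= 0:
                raise PermissionError("token can no longer be renewed")
            self.tokens[token] -= 1
            return {"auth": {"client_token": token, "lease_duration": 3600, "renewable": True}}
        raise PermissionError(f"unsupported: {method} {path}")


class AuthClient:
    def __init__(self, send, token=None):
        self.send, self.token = send, token
        self.lease_duration, self.renewable, self.issued_at = 0, False, 0.0

    def enable_auth(self, mount_type, path=None):       # `bao auth enable [-path=..] type`
        path = path or mount_type
        self.send("POST", f"/v1/sys/auth/{path}", self.token, {"type": mount_type})
        return path

    def list_auth(self):                                 # `bao auth list`
        return sorted(self.send("GET", "/v1/sys/auth", self.token)["data"])

    def login_approle(self, role_id, secret_id, mount="approle", now=None):
        resp = self.send("POST", f"/v1/auth/{mount}/login", None,
                         {"role_id": role_id, "secret_id": secret_id})
        self._adopt(resp["auth"], time.time() if now is None else now)
        return self.token

    def _adopt(self, auth, now):
        self.token, self.issued_at = auth["client_token"], now
        self.lease_duration, self.renewable = auth["lease_duration"], auth["renewable"]

    def keep_alive(self, relogin, now, fraction=0.25):
        """Renew once less than `fraction` of the TTL remains; if the server refuses
        (not renewable, max TTL reached, revoked) fall back to a fresh login."""
        remaining = self.lease_duration - (now - self.issued_at)
        if remaining > fraction * self.lease_duration:
            return "ok"
        if self.renewable:
            try:
                self._adopt(self.send("POST", "/v1/auth/token/renew-self", self.token, {})["auth"], now)
                return "renewed"
            except PermissionError:
                pass
        relogin(now)
        return "reauthenticated"


def demo():
    """enable -> login -> renew -> forced re-login, on the fake server with a fake clock."""
    server = FakeOpenBao()
    admin = AuthClient(server, token="root-constructed")
    admin.enable_auth("approle")
    admin.enable_auth("ldap", path="corp-ldap")
    app = AuthClient(server)
    first = app.login_approle(ROLE_ID, SECRET_ID, now=0)
    relogin = lambda now: app.login_approle(ROLE_ID, SECRET_ID, now=now)
    steps = [app.keep_alive(relogin, now=t) for t in (1000, 3000, 6000, 6500, 9500)]
    return admin.list_auth(), first, app.token, steps
```

Against a real server, replace the FakeOpenBao instance with http_transport("http://127.0.0.1:8200") and a token that holds a policy allowing sys/auth/*; the renew/re-login logic in keep_alive is unchanged. The demo renews at t=3000, is refused at t=6000 (the fake's one allowed renewal is spent) and falls back to a new AppRole login, which is the behaviour the paragraph above describes.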

Identity tie-in

When a client authenticates via any method except token, OpenBao either attaches the resulting alias to an existing entity or creates a new one. Multiple aliases (e.g. GitHub + LDAP for the same human) can map to a single entity (source: raw/docs/concepts/identity.md).