The OIDC method allows authentication via a configured OIDC provider using the user's web browser. This method may be initiated from the Vault UI or the command line. If you plan to support authentication via
vault login -method=oidc, a localhost redirect URI must be set. This can usually be:
http://localhost:8250/oidc/callback. Logins via the CLI may specify a different host and/or listening port if needed, and a URI with this host/port must match one of the configured redirected URIs. These same
localhost URIs must be added to the provider's configuration as well.
This article is intended to show the workflow of logging into Vault using OIDC through Vault CLI.
Below is each step of the sequence taking place during the authentication process from the Vault CLI:
1. Start login command vault
2. Generate Auth URL (CLI > Vault server)*
3. Auth URL presented to CLI (Vault server > CLI**)
4. Vault CLI opens a listener port locally (default 8250)
5. Browser opens to Auth URL (CLI > Browser)
6. Authenticate against IdP (Browser > IdP)
7. Redirect (code, state) back to browser (IdP > Browser)
8. Request (code, state) back to CLI (browser > CLI)
9. Callback (code, state) against the auth plugin (CLI > Vault server)
10. Exchange code for token (Vault server > IdP)
11. ID Token, Access Token (IdP > Vault server)
12. Auth plugin verifies ID token, gets user info with access token (Vault server > IdP)
13. User info sent back to auth plugin (IdP > Vault server)
14. Validate bound_ parameters (Vault server)
15. Vault token generated against auth plugin (Vault server> CLI)
* Inside the parenthesis of each step represents communication path.
** In this article CLI represents where you are running `vault login` from. In most scenarios, this is your laptop.
- OIDC Auth Method Docs: https://developer.hashicorp.com/vault/docs/auth/jwt
- OIDC Login (CLI) Extra Parameters: https://developer.hashicorp.com/vault/docs/auth/jwt
- OIDC Auth Method API Docs: https://developer.hashicorp.com/vault/api-docs/auth/jwt
- OIDC Learn Guide: https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth