OIDC Auth Sequence from Vault CLI

Avatar
Gabe Knell
  • Updated

Introduction

The OIDC method allows authentication via a configured OIDC provider using the user's web browser. This method may be initiated from the Vault UI or the command line. If you plan to support authentication via vault login -method=oidc, a localhost redirect URI must be set. This can usually be: http://localhost:8250/oidc/callback. Logins via the CLI may specify a different host and/or listening port if needed, and a URI with this host/port must match one of the configured redirected URIs. These same localhost URIs must be added to the provider's configuration as well.

Use Case

This article is intended to show the workflow of logging into Vault using OIDC through Vault CLI.

 

Workflow

Below is each step of the sequence taking place during the authentication process from the Vault CLI:

1. Start login command vault login -method=oidc
2. Generate Auth URL (CLI > Vault server)*
3. Auth URL presented to CLI (Vault server > CLI**)
4. Vault CLI opens a listener port locally (default 8250)
5. Browser opens to Auth URL (CLI > Browser)
6. Authenticate against IdP (Browser > IdP)
7. Redirect (code, state) back to browser (IdP > Browser)
8. Request (code, state) back to CLI (browser > CLI)
9. Callback (code, state) against the auth plugin (CLI > Vault server)
10. Exchange code for token (Vault server > IdP)
11. ID Token, Access Token (IdP > Vault server)
12. Auth plugin verifies ID token, gets user info with access token (Vault server > IdP)
13. User info sent back to auth plugin (IdP > Vault server)
14. Validate bound_ parameters (Vault server)
15. Vault token generated against auth plugin (Vault server> CLI)


* Inside the parenthesis of each step represents communication path.
** In this article CLI represents where you are running `vault login` from. In most scenarios, this is your laptop.

 

Additional Information:

Articles in this section

See more

Related articles