Introduction
Problem
Attempting to log in to the Vault UI using the OIDC authentication method does not work: clicking the Sign in with OIDC Provider button does not redirect you to the OIDC provider.
Prerequisites
- Vault (OSS) or Vault Enterprise.
- OIDC authentication method enabled with a role configured.
- Access to read and update the Vault OIDC configuration.
Cause
1. When the OIDC authentication method is selected on the Vault login page and a default_role is configured within the OIDC authentication method, Vault checks the request URI sent by the browser against the allowed_redirect_uris values within the role configuration to ensure an allowed URI is being used. If the URI being used is not present in the role's list of values, Vault prevents the OIDC authentication method from being used.
2. If a default_role is not configured, the issue can also occur when a role name is entered into the Role field within the Vault UI and that role is misconfigured.
The Vault UI will look as follows when this issue is present:
Solution overview:
Note: The commands used assume the OIDC authentication method is mounted at the default mount point of oidc; adjust the command syntax as necessary if the mount point in your environment is a different value.
The solution covers the first scenario mentioned above, where selecting the OIDC method on the Vault UI without entering a role name presents the issue. A note at the end addresses the second scenario of manually typing in a role name.
This scenario assumes that you intend to log in to Vault using the URI https://vault.nicecorp.com:8200; change this to suit your environment.
1. Open a terminal and run vault monitor. Leave this running.
2. Open your browser and navigate to the Vault UI.
3. Select OIDC from the Method drop down.
4. Switch back to the terminal window and examine the output to confirm the following message is present:
2022-11-22T01:14:50.016Z [WARN] auth.oidc.auth_oidc_77418754: unauthorized redirect_uri: redirect_uri=https://vault.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback
5. Read the OIDC configuration within Vault to determine the value for default_role:
$ vault read -field=default_role auth/oidc/config
nicecorp-oidc-default-role
6. Read the configuration of the role:
$ vault read -field=allowed_redirect_uris auth/oidc/role/nicecorp-oidc-default-role
[http://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback https://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
7. Update the configuration of the role to include the required URI:
$ vault write auth/oidc/role/nicecorp-oidc-default-role allowed_redirect_uris="http://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","https://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","https://vault.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"
Note: Ensure the localhost:8250 URI is included in the list, as it is used by the Vault CLI to support OIDC logins.
8. Refresh the browser window and once again select OIDC from the Method drop down. If the update succeeded, the text on the button changes to reflect the name of your OIDC provider (e.g. Sign in with Okta), and clicking the button redirects the browser to the OIDC provider to complete authentication.
Scenario two: Issue occurs after manually entering the role name.
If a default role is not defined within the OIDC authentication configuration, or the issue only occurs after manually entering a role name, most of the steps above can be reused with only minor changes to the workflow. This example assumes the name of the role experiencing the issue is nicecorp-oidc-dev-role.
1. Open a terminal and run vault monitor. Leave this running.
2. Open your browser and navigate to the Vault UI.
3. Select OIDC from the Method drop down.
4. Enter the role name into the Role field.
5. Switch back to the terminal window and examine the output to confirm the following message is present:
2022-11-22T01:14:50.016Z [WARN] auth.oidc.auth_oidc_77418754: unauthorized redirect_uri: redirect_uri=https://vault.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback
6. Read the configuration of the role:
$ vault read -field=allowed_redirect_uris auth/oidc/role/nicecorp-oidc-dev-role
[http://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback https://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
7. Update the configuration of the role to include the required URI:
$ vault write auth/oidc/role/nicecorp-oidc-dev-role allowed_redirect_uris="http://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","https://vault-nonprod.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","https://vault.nicecorp.com:8200/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"
Note: Ensure the localhost:8250 URI is included in the list, as it is used by the Vault CLI to support OIDC logins.
8. Refresh the browser window, once again select OIDC from the Method drop down, then enter the role name nicecorp-oidc-dev-role. If the update succeeded, the text on the button changes to reflect the name of your OIDC provider (e.g. Sign in with Okta), and clicking the button redirects the browser to the OIDC provider to complete authentication.
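Both scenarios above boil down to the same check: does the role's allowed_redirect_uris contain the exact callback URI the UI sends for your Vault address? The script below is an added example (not part of the original article or the Vault project) that derives that URI from VAULT_ADDR and the mount path, parses the bracketed list that vault read -field= prints, and builds a merged value that keeps the existing entries and the CLI's localhost:8250 callback rather than replacing the allowlist wholesale. It assumes the mount path oidc (override with OIDC_MOUNT) and only talks to Vault when RUN_VAULT_FIX=1 is set; the role name is taken from the first argument (scenario two) or from default_role (scenario one).

```shell
#!/usr/bin/env sh
# Added example, not from the article: find and add the missing UI callback URI
# for an OIDC role while preserving the role's existing allowed_redirect_uris.
MOUNT="${OIDC_MOUNT:-oidc}"   # assumption: method mounted at the default path

# Callback URI the Vault UI redirects to for this Vault address and mount path.
ui_callback_uri() {
  # $1 = Vault address, e.g. https://vault.nicecorp.com:8200 (trailing / stripped)
  printf '%s/ui/vault/auth/%s/oidc/callback\n' "${1%/}" "$MOUNT"
}

# Normalise "[a b c]" (vault read -field output) or "a,b,c" to one URI per line.
list_uris() {
  printf '%s\n' "$1" | tr -d '[]' | tr ' ,' '\n\n' | sed '/^$/d'
}

# Succeeds only when $2 is an exact entry of list $1 (no prefix/wildcard match).
has_uri() {
  list_uris "$1" | grep -qxF -- "$2"
}

# Comma-separated allowed_redirect_uris with $2 appended; existing entries are
# kept, duplicates dropped, and the CLI callback on localhost:8250 is ensured.
merged_uris() {
  { list_uris "$1"; printf '%s\n' "$2" "http://localhost:8250/oidc/callback"; } \
    | awk '!seen[$0]++' | paste -sd, -
}

# Read the role, and write it back only if the UI callback URI is missing.
fix_role() {
  role="$1"; addr="${VAULT_ADDR:?set VAULT_ADDR}"
  want="$(ui_callback_uri "$addr")"
  current="$(vault read -field=allowed_redirect_uris "auth/$MOUNT/role/$role")"
  if has_uri "$current" "$want"; then
    echo "role $role already allows $want"; return 0
  fi
  echo "adding $want to role $role"
  vault write "auth/$MOUNT/role/$role" \
    allowed_redirect_uris="$(merged_uris "$current" "$want")"
}

# Live run is opt-in so the functions can be sourced and tested offline.
if [ "${RUN_VAULT_FIX:-0}" = 1 ]; then
  role="${1:-$(vault read -field=default_role "auth/$MOUNT/config")}"
  fix_role "$role"
fi
```

Run it as RUN_VAULT_FIX=1 VAULT_ADDR=https://vault.nicecorp.com:8200 sh fix-oidc-role.sh [role-name] and confirm afterwards with vault monitor that the unauthorized redirect_uri warning no longer appears.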
Outcome
Using this method you can identify the problematic role(s) that need updating so that the OIDC provider works as an authentication method within Vault.
The Vault UI will look as follows when this issue is resolved:
Additional Information
- Vault OIDC Auth Method tutorial page: https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth
- Vault OIDC Auth Method configuration reference: https://developer.hashicorp.com/vault/api-docs/auth/jwt