Problem
When configuring OIDC authentication with PingIdentity as the provider, the error "error checking oidc discovery URL" is observed. For more detailed steps on how to configure PingIdentity OIDC authentication with Vault, please refer to this article.
$ vault write auth/ping_oidc2/config \
oidc_discovery_url=https://auth.pingone.com/fd6489fd-6e0e-4342-b9de-2bb7695312/as/.well-known/openid-configuration \
oidc_client_id=$PING_CLIENT_ID \
oidc_client_secret=$PING_CLIENT_SECRET \
default_role="demo"
Error writing data to auth/ping_oidc2/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/ping_oidc2/config
Code: 400. Errors:
* error checking oidc discovery URL
Prerequisites
- Vault
- PingIdentity OIDC provider
- Vault OIDC auth method
- No firewall rule in place that will block network connectivity
Cause
When configuring the Vault OIDC auth method parameter oidc_discovery_url, a Vault admin might choose the seemingly obvious option from the list of PingIdentity OIDC configuration URLs, "OIDC Discovery Endpoint":
https://auth.pingone.com/{{Environment ID}}/as/.well-known/openid-configuration
However, the "PingID Issuer URL" is the correct option to use:
https://auth.pingone.com/{{Environment ID}}/as
The parameter expects the issuer base URL without any .well-known component; Vault appends that path itself when it fetches the provider's OpenID configuration, so a value that already ends in /.well-known/openid-configuration cannot be resolved.
Solution
- Use the PingID Issuer URL instead of the PingID OIDC Discovery Endpoint URL to set the Vault OIDC configuration parameter oidc_discovery_url.
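The pre-flight check below is an added example, not code from the Vault docs or the Vault code base. It mirrors the discovery step that makes the two URLs behave differently: the configured value is treated as the issuer, /.well-known/openid-configuration is appended to it, and the "issuer" field of the returned document must equal the configured value (this description of the OIDC library's behaviour is an assumption). The fake_fetch stub, the placeholder environment ID and the discovery document are constructed so the script runs offline; swap in urllib or requests to test a real provider.

```python
import json
from typing import Callable

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url_for(issuer: str) -> str:
    """URL the OIDC auth method fetches: issuer + well-known path (assumption)."""
    return issuer.rstrip("/") + WELL_KNOWN

def check_oidc_discovery(configured: str, fetch: Callable[[str], str]) -> str:
    """Return "" when `configured` is a usable oidc_discovery_url, else the reason.

    `fetch` maps a URL to a response body, so the check runs offline against the
    stub below or online with urllib/requests.
    """
    url = discovery_url_for(configured)
    try:
        body = fetch(url)
    except Exception as exc:  # connection error, HTTP 404, TLS failure, ...
        hint = ""
        if configured.rstrip("/").endswith(WELL_KNOWN):
            hint = "; configured value is a discovery endpoint, use the issuer URL instead"
        return "cannot fetch %s: %s%s" % (url, exc, hint)
    try:
        issuer = json.loads(body).get("issuer")
    except ValueError:
        return "%s did not return JSON" % url
    if not issuer:
        return "discovery document has no issuer"
    if issuer.rstrip("/") != configured.rstrip("/"):
        return "issuer mismatch: configured %s, provider says %s" % (configured, issuer)
    return ""

# Constructed stand-in for a PingOne environment; the environment ID is a placeholder.
ISSUER = "https://auth.pingone.com/ENVIRONMENT-ID-PLACEHOLDER/as"
DISCOVERY_DOC = json.dumps({"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks",
                            "authorization_endpoint": ISSUER + "/authorize"})

def fake_fetch(url: str) -> str:
    """Offline HTTP GET stand-in: only the real well-known path exists."""
    if url == ISSUER + WELL_KNOWN:
        return DISCOVERY_DOC
    raise LookupError("HTTP 404 for " + url)

if __name__ == "__main__":
    for candidate in (ISSUER + WELL_KNOWN, ISSUER):
        print(candidate, "->", check_oidc_discovery(candidate, fake_fetch) or "OK")
```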