Description:
Prior to Vault 1.6, if namespaces are in use, the namespace must be added to the redirect URI as a query parameter, for example:
https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback?namespace=my_ns
For Vault 1.6 and later, it is no longer necessary to add the namespace as a query parameter in the redirect URI if namespace_in_state is set to true, which is the default for new configs; the namespace is carried inside the OIDC state parameter instead. Refer to the JWT/OIDC auth method documentation listed under References.
However, on Vault 1.6+ there are scenarios in which, even with namespace_in_state set to true and no namespace in the query parameter, the login fails with an error such as "Vault login failed: expired or missing OAuth state".
The workaround below addresses one such scenario.
When configuring HCP Vault with ADFS (Active Directory Federation Services) as the OIDC (OpenID Connect) provider, you may encounter the following error even though namespace_in_state is set to true:
"Vault login failed: expired or missing OAuth state"
This article provides steps to resolve this issue.
Prerequisites:
- Vault v1.15.0 or higher must be installed and accessible.
- ADFS must be running on a Windows Server.
- Obtain an OIDC client secret from your ADFS instance.
- Ensure you have access to your Vault admin token. If you do not have a valid admin token, generate a new token in the Vault UI or with the Vault CLI.
- Enable the OIDC auth method in Vault (the commands below assume it is mounted at auth/adfs). Refer to the ADFS provider documentation under References.
- Create a new application group in ADFS. Refer to the ADFS provider documentation under References.
- Configure the webhook in ADFS. Refer to the ADFS provider documentation under References.
Solution:
- Configure the OIDC auth method with namespace_in_state=false: use the following Vault CLI command (with VAULT_NAMESPACE set to the admin namespace on HCP Vault) to configure the OIDC auth method while setting the namespace_in_state parameter to false:
vault write auth/adfs/config \
oidc_discovery_url="*********/adfs" \
oidc_client_id="*******" \
oidc_client_secret="**********" \
default_role="adfs-default" \
namespace_in_state=false
- Set allowed_redirect_uris with the namespace parameter when creating the default ADFS role in HCP Vault: add an allowed_redirect_uris entry that includes the namespace=<namespace> query parameter. Because the namespace is no longer carried in the state, this is how the callback reaches the correct namespace.
vault write auth/adfs/role/adfs-default \
verbose_oidc_logging=true \
bound_audiences="********" \
ttl="15m" \
allowed_redirect_uris="https://*****.hashicorp.cloud:8200/ui/vault/auth/adfs/oidc/callback?namespace=admin" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="upn" groups_claim="group" token_policies="default" \
oidc_scopes="allatclaims" \
token_max_ttl="2h" token_period="1h"
Replace the placeholders (such as ********) with the values for your environment. Two details matter for this workaround. First, with namespace_in_state=false the namespace is no longer carried in the OIDC state parameter, so the redirect URI registered on the ADFS side must carry the same ?namespace=admin query parameter as the Vault role, and the URI the browser is sent to must match an allowed_redirect_uris entry as a whole string; only loopback addresses such as the CLI's http://localhost:8250/oidc/callback are matched without regard to port. Second, Vault still generates and validates the state parameter itself, so the CSRF protection of the flow is unchanged; only where the namespace travels has changed.
Following these steps should resolve the "Vault login failed: expired or missing OAuth state" error when configuring Vault with ADFS for OIDC authentication.
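The following shell script is an added example, not code from this article or from the Vault project. It builds the UI callback URI that must appear in allowed_redirect_uris when namespace_in_state=false, checks a candidate redirect URI against an allow-list using the rule the OIDC auth method applies as I understand it (exact string match for ordinary hosts, port ignored for loopback hosts), and wraps the two vault write commands above in a function. The hostname vault.example.com, the mount path adfs, the admin namespace and the ADFS_* environment variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article or the Vault project).
# Assumed values: the "adfs" mount path, the "admin" namespace (HCP Vault),
# vault.example.com as the Vault host, and ADFS_* variables for provider details.

# ui_callback_uri ADDR MOUNT [NAMESPACE]
# Prints the callback the Vault UI redirects to. With namespace_in_state=false the
# namespace must travel in the query string, so it is appended when given.
ui_callback_uri() {
  uri="$1/ui/vault/auth/$2/oidc/callback"
  [ -n "$3" ] && uri="$uri?namespace=$3"
  printf '%s\n' "$uri"
}

# uri_hostname URI -> host without scheme, port, path or query
uri_hostname() {
  rest=${1#*://}
  hostport=${rest%%/*}
  case $hostport in
    \[*\]:*) printf '%s\n' "${hostport%:*}" ;;   # [::1]:8250 -> [::1]
    \[*\])   printf '%s\n' "$hostport" ;;        # [::1]
    *:*)     printf '%s\n' "${hostport%%:*}" ;;  # localhost:8250 -> localhost
    *)       printf '%s\n' "$hostport" ;;
  esac
}

# uri_without_port URI -> the same URI with any port removed
uri_without_port() {
  scheme=${1%%://*}
  rest=${1#*://}
  case $rest in */*) tail=/${rest#*/} ;; *) tail= ;; esac
  printf '%s://%s%s\n' "$scheme" "$(uri_hostname "$1")" "$tail"
}

# redirect_allowed URI ALLOWED... -> 0 if URI is accepted by the allow-list.
# Loopback hosts (the CLI's localhost:8250 listener) are compared without the
# port; every other host must match an entry exactly, query string included,
# so a missing or different ?namespace= is a mismatch.
redirect_allowed() {
  want=$1; shift
  case $(uri_hostname "$want") in
    localhost|127.0.0.1|\[::1\])
      want=$(uri_without_port "$want")
      for a in "$@"; do
        [ "$(uri_without_port "$a")" = "$want" ] && return 0
      done ;;
    *)
      for a in "$@"; do
        [ "$a" = "$want" ] && return 0
      done ;;
  esac
  return 1
}

# configure_adfs: the article's two steps. Run with VAULT_ADDR, VAULT_TOKEN and
# VAULT_NAMESPACE=admin exported and ADFS_DISCOVERY_URL, ADFS_CLIENT_ID,
# ADFS_CLIENT_SECRET and ADFS_AUDIENCE (hypothetical names) set. Needs the vault CLI.
configure_adfs() {
  cb=$(ui_callback_uri "$VAULT_ADDR" adfs "${VAULT_NAMESPACE:-admin}")
  vault write auth/adfs/config \
    oidc_discovery_url="$ADFS_DISCOVERY_URL" \
    oidc_client_id="$ADFS_CLIENT_ID" \
    oidc_client_secret="$ADFS_CLIENT_SECRET" \
    default_role="adfs-default" \
    namespace_in_state=false
  vault write auth/adfs/role/adfs-default \
    bound_audiences="$ADFS_AUDIENCE" \
    allowed_redirect_uris="$cb" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    user_claim="upn" groups_claim="group" token_policies="default" \
    oidc_scopes="allatclaims" ttl="15m" token_max_ttl="2h" token_period="1h"
}
```

Run `ui_callback_uri "$VAULT_ADDR" adfs admin` first and register exactly that string as the redirect URI on the ADFS side; `redirect_allowed` lets you confirm, before touching ADFS, that the URI the browser will be sent to is one the role accepts.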
References:
https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/adfs
https://developer.hashicorp.com/vault/docs/auth/jwt#oidc-authentication