Introduction
Problem
The "error checking oidc discovery URL" error is displayed to the end user when configuring the OIDC auth method.
Cause
When configuring the OIDC auth method, the Vault administrator provides an OIDC discovery URL. Vault automatically appends the "/.well-known/openid-configuration" part to it.
This URL serves a document that lists the endpoints needed for the OIDC workflow, as well as other information, such as the Issuer.
For the Vault OIDC authentication method to work, the Vault server must be able to connect to this URL and retrieve that document.
Overview of possible solutions (if applicable)
Solutions:
The "error checking oidc discovery URL" error, which is returned to the Vault administrator upon configuring the OIDC auth method, is a generic one and does not contain the actual reason why the "/.well-known/openid-configuration" endpoint of your OIDC provider could not be reached.
To reveal the actual reason, whether it is a network error, a certificate error, etc., you need to check Vault's operational logs.
Example error from Vault's operational logs, written when the OIDC auth method is being configured and the Vault server is not able to reach the "/.well-known/openid-configuration" endpoint of the OIDC provider:
2025-05-13T12:05:53.785Z [ERROR] auth.oidc.auth_oidc_4ec32248: error checking oidc discovery URL: error="Get \"https://9.<SNIP>o:22554/.well-known/openid-configuration\": net/http: TLS handshake timeout"
Outcome
Tailing Vault's operational logs while configuring the OIDC auth method lets you trace the actual reason why the Vault server is unable to reach the "/.well-known/openid-configuration" endpoint.
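The triage described above, as an added example that is not part of the original article or of Vault's own code: it parses operational log lines of the same shape as the one shown, pulls the underlying Go HTTP error out of the generic "error checking oidc discovery URL" message, classifies it (network, DNS, certificate, issuer mismatch), and checks a discovery document the way the OIDC Discovery specification requires (the document's "issuer" must be identical to the configured URL, so a stray trailing slash is enough to fail it). The host idp.example.test, the log lines, and the discovery document are constructed placeholders, not a real provider.

```python
"""Triage helpers for Vault's generic "error checking oidc discovery URL" message.

Added example for this article; not Vault's own code. Inputs below are constructed.
"""
import json
import re
from urllib.request import urlopen

# Constructed sample log lines, in the same shape as the line shown in the article.
# The backslash-escaped quotes are how Vault's logger renders the inner Go error.
SAMPLE_LOG_LINES = [
    '2025-05-13T12:05:53.785Z [ERROR] auth.oidc.auth_oidc_4ec32248: error checking oidc discovery URL: '
    'error="Get \\"https://idp.example.test:22554/.well-known/openid-configuration\\": net/http: TLS handshake timeout"',
    '2025-05-13T12:07:10.002Z [ERROR] auth.oidc.auth_oidc_4ec32248: error checking oidc discovery URL: '
    'error="Get \\"https://idp.example.test/.well-known/openid-configuration\\": tls: failed to verify certificate: x509: certificate signed by unknown authority"',
    '2025-05-13T12:08:42.511Z [ERROR] auth.oidc.auth_oidc_4ec32248: error checking oidc discovery URL: '
    'error="Get \\"https://idp.example.test/.well-known/openid-configuration\\": dial tcp: lookup idp.example.test: no such host"',
    '2025-05-13T12:09:01.000Z [INFO]  core: successful mount: namespace="" path=oidc/ type=oidc',
]

# Constructed discovery document with the fields this check looks at.
SAMPLE_DOCUMENT = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) \[ERROR\] (?P<component>\S+): error checking oidc discovery URL: '
    r'error="(?P<err>.*)"$'
)
# Inner Go error: Get \"<url>\": <reason>
GET_RE = re.compile(r'^Get \\"(?P<url>[^"]+)\\": (?P<reason>.+)$')

# Substrings of common Go net/http, crypto/tls and go-oidc error messages, first match wins.
CAUSES = [
    ("x509:", "certificate"),
    ("tls: failed to verify certificate", "certificate"),
    ("TLS handshake timeout", "network (TLS handshake never completed: firewall, proxy or wrong port)"),
    ("no such host", "dns"),
    ("connection refused", "network (nothing listening on that host/port)"),
    ("i/o timeout", "network (timeout)"),
    ("context deadline exceeded", "network (timeout)"),
    ("issuer did not match", "issuer mismatch between oidc_discovery_url and the document's issuer"),
]


def classify_reason(reason):
    """Map the underlying error text to a coarse cause for the administrator."""
    for needle, label in CAUSES:
        if needle in reason:
            return label
    return "unknown"


def parse_vault_log(lines):
    """Extract URL, underlying reason and cause from each matching operational log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a discovery-URL error line
        err = m.group("err")
        g = GET_RE.match(err)
        findings.append({
            "timestamp": m.group("ts"),
            "component": m.group("component"),
            "url": g.group("url") if g else None,
            "reason": g.group("reason") if g else err,
            "cause": classify_reason(g.group("reason") if g else err),
        })
    return findings


def discovery_url(oidc_discovery_url):
    """Build the well-known URL the same way Vault does: the admin supplies only the issuer URL."""
    return oidc_discovery_url.rstrip("/") + "/.well-known/openid-configuration"


REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_document(oidc_discovery_url, document):
    """Return a list of problems; an empty list means the document is usable.

    OIDC Discovery requires the document's issuer to be identical to the issuer URL
    the client was configured with, so "https://x/" vs "https://x" is a mismatch.
    """
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in document]
    issuer = document.get("issuer")
    if issuer is not None and issuer != oidc_discovery_url:
        problems.append(f"issuer mismatch: configured {oidc_discovery_url!r}, document says {issuer!r}")
    return problems


def fetch_discovery_document(oidc_discovery_url, timeout=10):
    """Fetch the document from the URL Vault would build (needs network access)."""
    with urlopen(discovery_url(oidc_discovery_url), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in parse_vault_log(SAMPLE_LOG_LINES):
        print(finding["timestamp"], finding["cause"], "<-", finding["reason"])
    print(check_discovery_document("https://idp.example.test/", SAMPLE_DOCUMENT))
```

Feed parse_vault_log the lines you capture while reproducing the configuration step (for example from "vault monitor" or from the system journal of the Vault service); the "reason" field is the text you actually need, and the "cause" label tells you whether to look at the network path, DNS, or the CA bundle trusted by the Vault server first. The issuer check in check_discovery_document covers the case where the endpoint is reachable but the document's issuer differs from the configured oidc_discovery_url.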
Additional Information
- "oidc_discovery_url" parameter documentation
- OIDC/JWT auth documentation