Prerequisites (if applicable)
- Vault v1.5 or later
- Vault OIDC auth method already configured
- Access to the Vault CLI on the Vault server
- Internet browser on your local machine
- Familiarity with operating Vault
- Familiarity with OIDC / OIDC auth method
- The Load Balancer is configured to redirect the OIDC login request from the workstation to the Vault server where the OIDC login via CLI was initiated. Configuration of the Load Balancer is beyond the scope of this document.
Procedure
vault login -method=oidc \
callbackhost="loadbalancer.vault.company.com" \
callbackport="443" \
callbackmethod=https \
listenaddress=$(hostname -i) \
port="8250" \
skip_browser=true \
role=test
vault login -method=oidc
is the basis of initiating the login using the OIDC method.
callbackhost
is where the request from the URL on the workstation browser should be directed to. Here the Load Balancer is specified, meaning that the request from the workstation will not attempt to go directly to the Vault server, but instead to the Load Balancer.
callbackport
is the port that the Load Balancer is listening on to receive traffic.
callbackmethod
specifies whether the Load Balancer is expecting HTTP or HTTPS traffic.
listenaddress
is the address on the Vault server on which to start the [temporary] listener on which to receive the login request. This overrides what is specified in the allowed_redirect_uris.
port
is the port on which the Vault server will start the [temporary] listener on which to receive the login request.
skip_browser
stops the OIDC CLI login from attempting to launch a browser local to the Vault server. The login request will be completed via a browser on a workstation.
role
is the name of the role against which the login is being attempted.
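Added preflight helper (not part of the original article or of Vault itself): it derives the redirect_uri that the CLI will advertise to the identity provider from callbackmethod, callbackhost and callbackport, and refuses to assemble the login command unless that URI appears in the role's allowed_redirect_uris. The hostnames and the allowed list are constructed sample values; the list is assumed to be supplied as whitespace-separated URIs.

```shell
#!/bin/sh
# Added example; hostnames and the allowed list below are constructed, not real.

# The CLI builds the redirect_uri as method://host:port/oidc/callback; with a
# Load Balancer in front, this is the LB-facing address, not the Vault node.
oidc_redirect_uri() {
  printf '%s://%s:%s/oidc/callback\n' "$1" "$2" "$3"
}

# Return 0 when the wanted URI is one of the allowed_redirect_uris given as
# extra arguments (whitespace-separated list assumed), otherwise 1.
redirect_uri_allowed() {
  want="$1"; shift
  for uri in "$@"; do
    [ "$uri" = "$want" ] && return 0
  done
  return 1
}

# Assemble the login command as a string so it can be reviewed before running.
oidc_login_cmd() {
  printf 'vault login -method=oidc callbackhost=%s callbackport=%s callbackmethod=%s listenaddress=%s port=%s skip_browser=true role=%s\n' \
    "$3" "$4" "$2" "$5" "$6" "$1"
}

# Preflight: role method host callbackport listenaddress port allowed...
# Prints the command only if the LB-facing redirect_uri is allowed for the role.
oidc_preflight() {
  role="$1"; method="$2"; host="$3"; cport="$4"; laddr="$5"; lport="$6"; shift 6
  uri=$(oidc_redirect_uri "$method" "$host" "$cport")
  if redirect_uri_allowed "$uri" "$@"; then
    oidc_login_cmd "$role" "$method" "$host" "$cport" "$laddr" "$lport"
    return 0
  fi
  echo "refusing login: $uri is not in allowed_redirect_uris of role $role" >&2
  return 1
}

# Constructed sample of what the role's allowed_redirect_uris might contain.
ALLOWED="https://loadbalancer.vault.company.com:443/oidc/callback http://localhost:8250/oidc/callback"

# Example run (same values as the procedure above; 10.0.0.5 stands in for hostname -i).
oidc_preflight test https loadbalancer.vault.company.com 443 10.0.0.5 8250 $ALLOWED
```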
Outcome
Once the OIDC CLI command is entered with the parameters above and correct values, the returned URL can be copied and pasted into a browser on the local workstation. The login request is redirected from the workstation to the Load Balancer instead of directly to the Vault server. It is the Load Balancer's function to forward this inbound request, on port 8250, to the Vault server from which it originated, so that the temporarily started listener can receive the forwarded JWT token from the browser. The OIDC login then proceeds as normal.
Additional References
Vault Documentation: Use JWT/OIDC authentication
Vault Documentation: OIDC Login CLI
Vault Tutorial: Secure workflows with OIDC authentication
Related KB Article: OIDC Login via CLI on a Headless Server