Configuring redirect uris for cli login to vault via oidc

My vault server is at and I have set up an OIDC auth backend using GSuite as my IDP.

In the GCP credentials section (where I have set up my client id / client secret used by my OIDC auth backend), I have the 2 following redirect URIs

The browser based login works as expected, since in my authorized Javascript origins I have:

When I attempt to login via cli:

vault login -format=json -method=oidc

The link that opens up in the browser I get

Access blocked: This app’s request is invalid

[Screenshot of the Google "Access blocked" error page, 2023-02-04]

What am I doing wrong?

It all looks right to me… I don’t have a paid GSuite account, but I have made auth work with a free application in the past, with the following config on the Vault side

vault auth enable oidc

vault write auth/oidc/config \
  oidc_discovery_url= \
  oidc_client_id=... \
  oidc_client_secret=...

vault write auth/oidc/role/default \
  user_claim=sub

It rather looks like your Google-side configuration of the redirect URI is in some way incorrect.

True. I had a typo in my GCP settings. Thanks for pointing this out.

Thx, what I changed was the way I had set up multiple redirect URLs:
This is what is working

vault write auth/oidc/role/default_role \
        allowed_redirect_uris=",http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        policies="reader" \
        groups_claim="groups"

This is how it was before:

vault write auth/oidc/role/default_role \
        allowed_redirect_uris="" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        policies="reader" \
        groups_claim="groups"
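The failure in this thread is a redirect URI mismatch: the IdP compares the redirect_uri Vault sends against its registered list by exact string match, so a typo, a stray empty entry from a leading comma, or a missing CLI callback (http://localhost:8250/oidc/callback) all produce the "request is invalid" page. The following checker is an added example, not code from the thread or from Vault; the hostnames and the typo'd URI are constructed sample values, and the Vault role list and IdP list are assumed to have been fetched by hand.

```python
from urllib.parse import urlsplit

# Vault's local listener for `vault login -method=oidc` (default port 8250, as used in the thread).
CLI_CALLBACK = "http://localhost:8250/oidc/callback"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used only to point at likely typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss(a: str, b: str) -> bool:
    """True when two distinct URIs differ only by case, a trailing slash, or a tiny typo."""
    if a == b:
        return False
    pa, pb = urlsplit(a), urlsplit(b)
    norm = lambda p: (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))
    return norm(pa) == norm(pb) or edit_distance(a, b) <= 2

def check_redirect_uris(role_uris, idp_uris, cli_callback=CLI_CALLBACK):
    """Compare a Vault role's allowed_redirect_uris with the URIs registered at the IdP.
    Matching is exact, as the IdP does it; near misses are reported as probable typos."""
    findings = []
    role = [u.strip() for u in role_uris]
    if "" in role:  # e.g. allowed_redirect_uris=",http://localhost:8250/oidc/callback"
        findings.append("allowed_redirect_uris contains an empty entry (stray comma or empty value)")
    role_set = {u for u in role if u}
    idp_set = set(idp_uris)
    if cli_callback not in role_set:
        findings.append(f"CLI callback {cli_callback} is not in the Vault role")
    if cli_callback not in idp_set:
        findings.append(f"CLI callback {cli_callback} is not registered at the IdP")
    for u in sorted(role_set - idp_set):
        close = [v for v in sorted(idp_set) if near_miss(u, v)]
        hint = f" (looks like a typo of {close[0]})" if close else ""
        findings.append(f"{u} is allowed by Vault but not registered at the IdP{hint}")
    return findings

if __name__ == "__main__":
    # Constructed sample values: one empty entry and one typo ("calback") on the IdP side.
    role = ["", CLI_CALLBACK, "https://vault.example.com/ui/vault/auth/oidc/oidc/callback"]
    idp = ["https://vault.example.com/ui/vault/auth/oidc/oidc/calback", CLI_CALLBACK]
    for f in check_redirect_uris(role, idp):
        print("FINDING:", f)
```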