Configuring redirect URIs for CLI login to Vault via OIDC

My Vault server is at https://my-vault-server.eu:1234 and I have set up an OIDC auth backend using GSuite as my IdP.

In the GCP credentials section (where I have set up the client ID / client secret used by my OIDC auth backend), I have the following two redirect URIs:

https://my-vault-server.eu:1234/ui/vault/auth/oidc/oidc/callback
http://localhost:8250/oidc/callback

The browser-based login works as expected, since in my authorized JavaScript origins I have:

https://my-vault-server.eu

When I attempt to login via cli:

vault login -format=json -method=oidc

On the link that opens up in the browser I get:

Access blocked: This app’s request is invalid


What am I doing wrong?

It all looks right to me… I don’t have a paid GSuite account, but I have made auth work with a free console.cloud.google.com application in the past, with the following config on the Vault side

vault auth enable oidc

vault write auth/oidc/config \
  oidc_discovery_url=https://accounts.google.com \
  oidc_client_id=... \
  oidc_client_secret=... \
  default_role=default

vault write auth/oidc/role/default \
  user_claim=sub \
  oidc_scopes=email,profile \
  allowed_redirect_uris=https://vault.example.tld/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback

It rather looks like your Google-side configuration of the redirect URI is in some way incorrect.

True. I had a typo in my GCP settings. Thanks for pointing this out.

Thanks. What I changed was the way I had set up multiple redirect URLs.
This is what is working:

vault write auth/oidc/role/default_role \
        allowed_redirect_uris="https://vault.mydomain.com/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        policies="reader" \
        groups_claim="groups" \
        verbose_oidc_logging="true"

This is how it was before:

vault write auth/oidc/role/default_role \
        allowed_redirect_uris="https://vault.mydomain.com/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        policies="reader" \
        groups_claim="groups" \
        verbose_oidc_logging="true"
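The redirect URI the CLI sends has to pass two separate checks in this flow: Vault compares it against the role's allowed_redirect_uris before it even builds the authorization URL, and then Google compares it against the URIs registered on the OAuth client. A typo on either side breaks the login, and the two sides fail with very different messages. The script below is an added example, not code from the thread or from HashiCorp; it re-implements in Python the matching rule Vault's OIDC auth method uses (assumption: exact string match for ordinary hosts, and a port-agnostic match for loopback hosts as RFC 8252 section 7.3 recommends, which is what lets `vault login -method=oidc -callbackport=...` pick a port other than 8250), models the IdP side as an exact match (also an assumption, true of Google's web-application client type), and runs both checks over constructed URI lists that reproduce a typo like the one found above. The URIs and the misspelt `calback` entry are constructed sample data.

```python
"""
Redirect-URI checks for a Vault OIDC CLI login.

Added example, not code from the thread or from HashiCorp. It mirrors the
check Vault's OIDC auth method applies to redirect_uri against a role's
allowed_redirect_uris (assumption: byte-for-byte match for ordinary hosts,
port-agnostic match for loopback hosts per RFC 8252 section 7.3) and the
exact-match check an IdP such as Google applies to the registered list
(assumption), so you can see which side rejects a given URI before
staring at "Access blocked: This app's request is invalid".
"""
from urllib.parse import urlparse, urlunparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _strip_port(uri: str) -> str:
    """Return uri with any port removed from its authority component."""
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    if ":" in host:            # keep IPv6 literals bracketed
        host = f"[{host}]"
    return urlunparse(parsed._replace(netloc=host))


def redirect_uri_allowed(uri: str, allowed: list[str]) -> bool:
    """Vault-side rule: may `uri` be used as redirect_uri for a role whose
    allowed_redirect_uris is `allowed`?

    Non-loopback URIs must match an entry exactly (scheme, host, port, path
    and any trailing slash all count). Loopback URIs match regardless of
    port, so an entry for http://localhost:8250/oidc/callback also covers
    a CLI started with -callbackport=9999.
    """
    if urlparse(uri).hostname not in LOOPBACK_HOSTS:
        return uri in allowed
    target = _strip_port(uri)
    return any(
        urlparse(a).hostname in LOOPBACK_HOSTS and _strip_port(a) == target
        for a in allowed
    )


def check_login(cli_redirect: str, vault_allowed: list[str],
                idp_registered: list[str]) -> list[str]:
    """Run both checks for one login attempt and report what fails.

    Returns an empty list when the login would pass both sides; otherwise
    one message per failing side, prefixed "vault:" or "idp:".
    """
    problems = []
    if not redirect_uri_allowed(cli_redirect, vault_allowed):
        problems.append(f"vault: {cli_redirect!r} not in allowed_redirect_uris")
    # Assumption: the IdP requires an exact match against its registered list.
    if cli_redirect not in idp_registered:
        problems.append(f"idp: {cli_redirect!r} not registered on the OAuth client")
    return problems


# Constructed sample data: the Vault role is correct, the IdP-side list has
# a typo ("calback") of the kind reported in the thread.
VAULT_ALLOWED = [
    "https://my-vault-server.eu:1234/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
]
IDP_REGISTERED_WITH_TYPO = [
    "https://my-vault-server.eu:1234/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/calback",
]
IDP_REGISTERED_FIXED = VAULT_ALLOWED
CLI_REDIRECT = "http://localhost:8250/oidc/callback"   # vault login -method=oidc default

if __name__ == "__main__":
    for label, registered in (("typo", IDP_REGISTERED_WITH_TYPO),
                              ("fixed", IDP_REGISTERED_FIXED)):
        print(label, check_login(CLI_REDIRECT, VAULT_ALLOWED, registered) or "ok")
    # A different loopback port still passes Vault, but not an exact-match IdP.
    print("port 9999", check_login("http://localhost:9999/oidc/callback",
                                   VAULT_ALLOWED, IDP_REGISTERED_FIXED))
```

Note that the comma-separated form used in the working role above is what turns allowed_redirect_uris into a list on the Vault side; whatever the Vault role accepts, the IdP still sees only the single redirect_uri the CLI sends, so the UI callback on the Vault host and the localhost callback for the CLI both have to be registered there, spelled exactly as the CLI and the UI send them.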