I’m sorry to hear that OIDC still does not work for you!
I have reviewed the logs you provided once again, and it seems there are two unauthorized URIs:
The authorized URIs in your reader role configuration are:
I’m not sure what the Valid Redirect URIs are in your Keycloak server for the Vault client!
You can see that the hostnames and ports do not match, so Vault OIDC and Keycloak consider this request a forged request, or unauthorized, I should say.
The configuration for URI must align between Vault and the OIDC provider.
The URI must be allowed for the Vault client inside the Keycloak server. I have attached a screenshot of my Keycloak server config for the Vault client; in my case Vault and Keycloak both run on my local machine.
In my screenshot you can see:
^ This link is used for login in the UI
^ This link is used when you do
vault login -method=oidc.
If you use different ports and namespaces, they should also be taken into consideration when specifying URIs.
After you align the URIs for Vault and Keycloak, if you still have issues, would you provide me with the following info:
- Your Keycloak config for Vault client.
- Config for the OIDC method, usually
vault read auth/oidc/config
- The link that you are provided when you do
vault login -method=oidc
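As an added example (not part of the post above, and not code from Vault or Keycloak), here is a small Python checker that models how each side matches a redirect_uri against its allow-list, so you can tell from a log line which side is rejecting and which component (scheme, host, port, path or query) is off. It assumes Vault compares the redirect_uri against the role's allowed_redirect_uris by exact string match, with the one exception that a loopback host (localhost, 127.0.0.1, ::1) may use any port, as the JWT/OIDC auth plugin does following RFC 8252 section 7.3; and it assumes Keycloak accepts an exact match or a prefix match against an entry ending in "*". The role name "reader", the mount path "oidc", the ports 8200 and 8250 and the redirect URIs fed to it are constructed sample values.

```python
"""Check a redirect_uri against the Vault OIDC role and the Keycloak client at once.

Assumptions (not taken from the original post):
  - Vault: exact match against allowed_redirect_uris, except loopback hosts may use
    any port (RFC 8252 section 7.3 behaviour of the Vault JWT/OIDC plugin).
  - Keycloak: exact match against Valid Redirect URIs, or prefix match when an
    entry ends in '*'.
"""
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample config: what `vault read auth/oidc/role/reader` would show.
ROLE_ALLOWED_REDIRECT_URIS = [
    "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",  # UI login
    "http://localhost:8250/oidc/callback",                     # vault login -method=oidc
]
# Constructed sample config: Valid Redirect URIs of the Keycloak "vault" client.
KEYCLOAK_VALID_REDIRECT_URIS = list(ROLE_ALLOWED_REDIRECT_URIS)


def _strip_port(uri: str) -> str:
    """Return the URI with any port removed (used for the loopback comparison)."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must keep its brackets
        host = f"[{host}]"
    return parts._replace(netloc=host).geturl()


def vault_accepts(redirect_uri: str, allowed: list) -> bool:
    """Model of Vault's check: exact match, port-agnostic only for loopback hosts."""
    if redirect_uri in allowed:
        return True
    if (urlsplit(redirect_uri).hostname or "") not in LOOPBACK:
        return False
    target = _strip_port(redirect_uri)
    return any(_strip_port(entry) == target for entry in allowed)


def keycloak_accepts(redirect_uri: str, valid: list) -> bool:
    """Model of Keycloak's check: exact match, or prefix match for a trailing '*'."""
    for entry in valid:
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def diff_components(redirect_uri: str, candidate: str) -> list:
    """Name the URI components that differ between what was sent and an allowed entry."""
    a, b = urlsplit(redirect_uri), urlsplit(candidate)
    pairs = (("scheme", a.scheme, b.scheme), ("host", a.hostname, b.hostname),
             ("port", a.port, b.port), ("path", a.path, b.path), ("query", a.query, b.query))
    return [name for name, x, y in pairs if x != y]


def diagnose(redirect_uri: str, allowed: list, valid: list) -> dict:
    """Report which side rejects the URI and, per allow-list entry, why."""
    result = {"redirect_uri": redirect_uri,
              "vault": vault_accepts(redirect_uri, allowed),
              "keycloak": keycloak_accepts(redirect_uri, valid),
              "mismatch": {}}
    if not result["vault"]:
        result["mismatch"]["vault"] = {e: diff_components(redirect_uri, e) for e in allowed}
    if not result["keycloak"]:
        result["mismatch"]["keycloak"] = {e: diff_components(redirect_uri, e) for e in valid}
    return result


# Constructed redirect_uri values, as they might appear in the Vault audit/log output.
SAMPLE_REDIRECT_URIS = [
    "http://localhost:8250/oidc/callback",                            # default CLI
    "http://localhost:9000/oidc/callback",                            # CLI on another port
    "https://vault.example.internal:8200/ui/vault/auth/oidc/oidc/callback",  # UI via real hostname
    "http://localhost:8200/ui/vault/auth/oidc/oidc/callback?namespace=team-a",  # namespaced UI
]


def run_checks() -> list:
    return [diagnose(u, ROLE_ALLOWED_REDIRECT_URIS, KEYCLOAK_VALID_REDIRECT_URIS)
            for u in SAMPLE_REDIRECT_URIS]


if __name__ == "__main__":
    for r in run_checks():
        print(f"{r['redirect_uri']}\n  vault={r['vault']} keycloak={r['keycloak']}")
        for side, entries in r["mismatch"].items():
            for entry, diff in entries.items():
                print(f"  {side}: vs {entry}: differs in {diff or 'nothing'}")
```

The second sample is the case worth knowing about: a loopback callback on a non-default port passes the Vault role (loopback port exception) but is still rejected by Keycloak unless the Keycloak entry is exact or wildcarded, so "works in vault read, fails at the browser" points at the Keycloak side. The namespaced UI sample fails on both sides only in the query component, which is why the post notes that namespaces must be reflected in the URIs.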