Error Authenticating: Unable to authorize role OIDC

Hi,

I am trying to use KeyCloak as an external identity provider. Following the instructions:


I complete step 3 and then attempt to login:

vault login -method=oidc role=reader

Error authenticating: Unable to authorize role “reader”. Check Vault logs for more information.

The logs directory is empty. When I try to login through the browser, the re-direct button does not appear.

Hello,

Would you set the verbose_oidc_logging parameter on the reader role and share the Vault operational logs?

Martin

Hi Martin,

Sorry for the late reply.

I have sanitised the operational logs here. The first block is a login attempt. The second block is the audit from the command:

vault write auth/oidc/role/reader \
bound_audiences="Vault-Client" \
allowed_redirect_uris="https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8250/oidc/callback" \
user_claim="sub" \
verbose_oidc_logging=true \
policies="min"

The min policy is defined:

  path "/identity/*" {
       capabilities = ["read", "list"]
  }

Thank you.

Hello,

Thank you for enabling the required parameter. I have reviewed the logs you provided; those logs are audit logs, which carry information about the actual request and reply to and from the Vault client.
To get more in-depth information about the issue I would need to take a look at the operational logs of Vault. Those logs are usually managed by systemd; this article would probably be helpful for getting the operational logs.

Martin

Hi Martin,

Thank you for the link for finding the logs and again sorry for the delay.

Today’s operational logs are here. I made several attempts to create the role and login via the oidc method neither of which appear to be recorded in the logs.

I am using Vault 1.4.1 in a container on my local workstation.

Thank you.

Hello,

Thank you for providing me with the logs. I have reviewed them and it looks like the redirect_uri that is requested upon login is not a valid one for the reader role according to your configuration. Here is the log entry that caught my attention:

2020-07-13T08:11:31.400Z [WARN]  auth.oidc.auth_oidc_62112443: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback

I would recommend adding the needed URI to the allowed_redirect_uris of the reader role. Also, keep in mind that the value of the allowed_redirect_uris parameter should match the OIDC provider's configuration for the Vault OIDC client.

Here is a good explanation of how the redirect URI works and how to set it up.

Let me know if you got any further questions!

Martin

Hi Martin,

I have read the documentation provided. Unfortunately I cannot see anywhere that suggests I should form the allowed_redirect_uris differently. I have added a custom docker network to take advantage of its container lookup features but that hasn't helped either.

When I try to connect via the ui the redirect button doesn’t appear. If I click login (leaving the role and jwt fields empty) I get the following error:

Error

Authentication failed: role with oidc role_type is not allowed

Initially I thought this was because I had not included credentials.

I have also tried with only CLI allowed_redirect_uris set with the same result which is not a surprise when it comes to the ui.

I am continuing down the allowed_redirect_uris route but am adding these details in case something jumps out at you?

# vault read auth/oidc/role/reader
Key                        Value
---                        -----
allowed_redirect_uris      [https://vault-test-container:8250/oidc/callback https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback]
bound_audiences            [Vault-Client]
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               n/a
not_before_leeway          0
oidc_scopes                <nil>
policies                   [min]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [min]
token_ttl                  0s
token_type                 default
user_claim                 sub
verbose_oidc_logging       true

Thank you.

Hi Martin,

Another piece of information that turns out to be relevant is that my https connection is secured by a self-signed cert. My browser is able to hit the Vault container url, I can login with the root token.

When I try to hit the allowed_redirect_uris with wget:

# wget -S https://vault-test-container:8250/oidc/callback
Connecting to vault-test-container:8250 ([CONTAINER-IP]:8250)
wget: can't connect to remote host ([CONTAINER-IP]): Connection refused

Then when I try the same for UI:

wget -S https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback
Connecting to vault-test-container:8200 ([CONTAINER-IP]:8200)
ssl_client: vault-test-container: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer

I can run openssl s_client -connect https://vault-test-container:8201 -servername vault-test-container on my localhost and that gives the expected output for a tls connection. However, trying the same allowed_redirect_uris cli port all I get is:

$ openssl s_client -connect vault-test-container:8250 -servername vault-test-container
socket: Bad file descriptor
connect:errno=9

The Vault configuration for tls is:
"tls_cert_file": "/home/vault/vault-test.com.cert.pem",
"tls_key_file": "/home/vault/vault-test.com.key.pem",
"tls_client_ca_file": "/home/vault/ca-chain.cert.pem",
"tls_min_version": "tls12"

Any suggestion of next steps would be great?

Hello,

I’m sorry to hear that OIDC still does not work for you!

I have reviewed the logs you provided once again, and it seems like there are two unauthorized URIs:

http://localhost:8250/oidc/callback
https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback

The authorized URIs in your reader role configuration are:

https://vault-test-container:8250/oidc/callback 
https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback

I’m not sure what the Valid Redirect URIs in your Keycloak server for the Vault client are!

You can see that the hostnames and ports do not match, so Vault OIDC and Keycloak consider this request a forged request, or unauthorized I should say.

The configuration for the URIs must align between Vault and the OIDC provider.
The URI should be allowed for the Vault client inside the Keycloak server. I have attached a screenshot of my Keycloak server config for the Vault client; in my case Vault and Keycloak both run on my local machine.

In my screenshot you can see :

http://localhost:8200/ui/vault/auth/oidc/oidc/callback/*

^ This link is used for logging in via the UI.

http://localhost:8250/oidc/callback

^ This link is used when you do vault login -method=oidc.

If you use different ports and namespaces, they should also be taken into consideration when specifying URIs.

After you align the URIs for Vault and Keycloak, if you still have issues, would you provide me with the following info:

  • Your Keycloak config for Vault client.
  • Config for the OIDC method, usually vault read auth/oidc/config
  • The link that you are provided when you do vault login -method=oidc

Kind regards,
Martin

Hi Martin,

I can explain the change in port number. Over the course of experimentation my attempts have included both the local Vault port and the listener port that I use to connect the browser. Port 8200 is already in use on my workstation by a service called Skylight.

Otherwise I have always endeavoured to ensure alignment between the Vault role allowed_redirect_uris and the KeyCloak Valid Redirect URIs. As above, I now believe that the fault lies somewhere in the land of ssl/tls; I cannot exclude the possibility of another error. I have included the requested details below.

vault write auth/oidc/role/reader \
bound_audiences="Vault-Client" \
allowed_redirect_uris="https://vault-test-container:8250/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \
verbose_oidc_logging=true \
policies="min"


vault write auth/oidc/config \
oidc_discovery_url="http://KeyCloak:8080/auth/realms/Vault-Test-Realm" \
oidc_client_id="Vault-Client" \
oidc_client_secret="[KeyCloak-Secret]" \
default_role="reader"

# vault read auth/oidc/config
Key                       Value
---                       -----
bound_issuer              n/a
default_role              reader
jwks_ca_pem               n/a
jwks_url                  n/a
jwt_supported_algs        []
jwt_validation_pubkeys    []
oidc_client_id            Vault-Client
oidc_discovery_ca_pem     n/a
oidc_discovery_url        http://KeyCloak:8080/auth/realms/Vault-Test-Realm
oidc_response_mode        n/a
oidc_response_types       []

# vault login -method=oidc
Error authenticating: Unable to authorize role "". Check Vault logs for more information.

Thank you for your continued support on this issue.

Hello,

The error that you see is a really general error that does not provide much information. If you would like I can jump into a Zoom call to actively troubleshoot this.

You can contact me via PM

Hi Martin,

Again thank you, this is now resolved.

To give an overview of the problem both Vault and KeyCloak are running in Docker containers.

The first issue came about because although Vault and KeyCloak share the same network they are both being addressed from the docker host. Vault has had its primary port mapped to 8201.

The bound_audiences="Vault-Client" \ line was removed from the role and four allowed_redirect_uris were added to both the Vault role and the KeyCloak Client configuration.

allowed_redirect_uris="https://Vault-Test-Container:8250/oidc/callback" \
allowed_redirect_uris="https://Vault-Test-Container:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8250/oidc/callback" \
allowed_redirect_uris="https://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback" \

This list was then narrowed to the following:

allowed_redirect_uris="https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \

Note specifically the lack of capitalisation of the container name in the URL.
The CLI allowed_redirect_uris addresses the localhost but without tls/ssl.

To view the Vault container logs: docker logs vault-test-container. You can add the flag -f after logs to follow the log.

A sample of the relevant part of the log file appeared as:

2020-07-10T14:13:58.766Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
2020-07-10T14:17:48.024Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
2020-07-10T14:18:04.349Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:04.858Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:07.754Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:15.042Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:17.179Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:37:00.038Z [WARN]  auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback

In connection with this the KeyCloak container had been started on port 8070. This container was removed and re-run on the port 8080. The realm and client were both recreated from scratch.

Thanks again to Martin.
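Added example, not code from this thread or from Vault itself: a small Python triage script for the redirect-URI mismatch that Martin's replies and the resolution above describe. It pulls the "unauthorized redirect_uri" warnings out of Vault's operational log, checks each rejected URI against the role's allowed_redirect_uris with the same exact-string comparison the thread's log lines show (host case, scheme, port and path all count), and names the components that differ from the closest allowed entry. The log lines, the accessor suffix abcd1234 and the two allowed lists are constructed from the values quoted in this thread; newer versions of the JWT/OIDC plugin may relax the port check for loopback addresses, which this example does not model.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Vault operational log output, modelled on the
# "unauthorized redirect_uri" warnings quoted in this thread. The accessor
# suffix (abcd1234) is made up.
SAMPLE_LOG = """\
2020-07-10T14:13:58.766Z [WARN]  auth.oidc.auth_oidc_abcd1234: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
2020-07-10T14:18:04.349Z [WARN]  auth.oidc.auth_oidc_abcd1234: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:04.858Z [WARN]  auth.oidc.auth_oidc_abcd1234: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:19:00.000Z [INFO]  core: enabled credential backend: path=oidc/ type=oidc
"""

# allowed_redirect_uris on the reader role as it stood mid-thread: CLI callback
# over https, UI callback with a mixed-case host on 8200 (the UI was on 8201).
ROLE_ALLOWED_BEFORE = [
    "https://vault-test-container:8250/oidc/callback",
    "https://Vault-Test-Container:8200/ui/vault/auth/oidc/oidc/callback",
]

# The narrowed list from the resolution post.
ROLE_ALLOWED_AFTER = [
    "https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
]

WARN_RE = re.compile(r"unauthorized redirect_uri: redirect_uri=(\S+)")


def rejected_uris(log_text):
    """Redirect URIs Vault refused, in first-seen order, without duplicates."""
    seen = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def is_allowed(uri, allowed):
    """Exact string match, as the thread's logs show: no case folding,
    no prefix or wildcard matching, and the port is part of the string."""
    return uri in allowed


def _host_port(parts):
    netloc = parts.netloc.rsplit("@", 1)[-1]  # drop any userinfo
    host, _, port = netloc.partition(":")
    return host, port


def explain_mismatch(uri, allowed):
    """Return (closest allowed entry, list of differing components)."""
    if not allowed:
        return None, ["no allowed_redirect_uris configured"]
    want = urlsplit(uri)
    w_host, w_port = _host_port(want)  # netloc keeps the original host case
    best = None
    for cand in allowed:
        have = urlsplit(cand)
        h_host, h_port = _host_port(have)
        diffs = []
        score = 0
        if want.scheme != have.scheme:
            diffs.append(f"scheme {want.scheme} != {have.scheme}")
            score += 1
        if w_host != h_host:
            kind = "host case" if w_host.lower() == h_host.lower() else "host"
            diffs.append(f"{kind} {w_host} != {h_host}")
            score += 1
        if w_port != h_port:
            diffs.append(f"port {w_port or '(default)'} != {h_port or '(default)'}")
            score += 1
        if want.path != have.path:
            # A different path usually means the entry is for the other login
            # flow (UI vs CLI), so weight it above a scheme/host/port slip.
            diffs.append(f"path {want.path} != {have.path}")
            score += 2
        if best is None or score < best[0]:
            best = (score, cand, diffs)
    return best[1], best[2]


def triage(log_text, allowed):
    """Map each rejected URI that is still not allowed to its explanation."""
    return {
        uri: explain_mismatch(uri, allowed)
        for uri in rejected_uris(log_text)
        if not is_allowed(uri, allowed)
    }


if __name__ == "__main__":
    for uri, (closest, diffs) in triage(SAMPLE_LOG, ROLE_ALLOWED_BEFORE).items():
        print(uri)
        print("  closest allowed:", closest)
        print("  differs in:     ", "; ".join(diffs))
    print("after the fix:", triage(SAMPLE_LOG, ROLE_ALLOWED_AFTER) or "nothing rejected")
```

To triage your own setup, replace SAMPLE_LOG with the output of docker logs vault-test-container and ROLE_ALLOWED_BEFORE with the allowed_redirect_uris shown by vault read auth/oidc/role/reader; an empty result means every URI Vault rejected in that log is now on the role, and the remaining place to check is the Valid Redirect URIs on the Keycloak client.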
