Hi Martin,
Again, thank you; this is now resolved.
To give an overview of the problem: both Vault and KeyCloak are running in Docker containers.
The first issue came about because, although Vault and KeyCloak share the same network, they are both being addressed from the Docker host. Vault has had its primary port mapped to 8201.
The bound_audiences="Vault-Client" \ line was removed from the role and four allowed_redirect_uris were added to both the Vault role and the KeyCloak client configuration.
allowed_redirect_uris="https://Vault-Test-Container:8250/oidc/callback" \
allowed_redirect_uris="https://Vault-Test-Container:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8250/oidc/callback" \
allowed_redirect_uris="https://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback" \
This list was then narrowed to the following:
allowed_redirect_uris="https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
Note specifically the lack of capitalisation of the container name in the URL.
The CLI allowed_redirect_uris entry addresses localhost, but without TLS/SSL.
To view the Vault container logs, run docker logs vault-test-container; you can add the flag -f after logs to follow the log.
A sample of the relevant part of the log file appeared as:
2020-07-10T14:13:58.766Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
2020-07-10T14:17:48.024Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
2020-07-10T14:18:04.349Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:04.858Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:07.754Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:15.042Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:17.179Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:37:00.038Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback
In connection with this, the KeyCloak container had been started on port 8070. This container was removed and re-run on port 8080. The realm and client were both recreated from scratch.
Thanks again to Martin.
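As an added example (not part of the original post or of Vault), the following script reads the "unauthorized redirect_uri" warnings quoted above and reports why each rejected URI does not match the narrowed allowed_redirect_uris list. It assumes Vault compares the redirect_uri against the role's list by exact string match (no case-folding or URL normalisation), which is what the capitalisation problem described above implies; the log lines are constructed in the same shape as the ones in the post.

```python
import re
from urllib.parse import urlsplit

# The narrowed allowed list from the final Vault role configuration above.
ALLOWED_REDIRECT_URIS = [
    "https://vault-test-container:8201/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
]

# Constructed log lines mirroring the Vault warnings quoted in the post:
# a host-case mismatch, a scheme mismatch, a port mismatch, and one exact match.
SAMPLE_LOG = """\
2020-07-10T14:18:04.349Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://Vault-Test-Container:8201/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:18:07.754Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://localhost:8250/oidc/callback
2020-07-10T14:18:15.042Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=https://vault-test-container:8200/ui/vault/auth/oidc/oidc/callback
2020-07-10T14:37:00.038Z [WARN] auth.oidc.auth_oidc_[TOKEN]: unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback
"""

LOG_RE = re.compile(r"unauthorized redirect_uri: redirect_uri=(\S+)")


def is_allowed(redirect_uri, allowed):
    """Exact, case-sensitive string match (assumed to mirror Vault's role check)."""
    return redirect_uri in allowed


def diagnose(redirect_uri, allowed):
    """Explain why an exact match failed: scheme, port or host capitalisation."""
    if is_allowed(redirect_uri, allowed):
        return "allowed"
    got = urlsplit(redirect_uri)
    for entry in allowed:
        exp = urlsplit(entry)
        if got.path != exp.path:
            continue  # different callback endpoint; not the intended entry
        if got.scheme != exp.scheme:
            return f"scheme {got.scheme} vs {exp.scheme} (expected {entry})"
        if got.port != exp.port:
            return f"port {got.port} vs {exp.port} (expected {entry})"
        if got.netloc != exp.netloc and got.netloc.lower() == exp.netloc.lower():
            return f"host case {got.netloc} vs {exp.netloc} (expected {entry})"
    return "no allowed entry with this callback path"


def audit_log(log_text, allowed):
    """Parse every 'unauthorized redirect_uri' warning and pair it with a diagnosis."""
    return [(m.group(1), diagnose(m.group(1), allowed)) for m in LOG_RE.finditer(log_text)]


if __name__ == "__main__":
    for uri, reason in audit_log(SAMPLE_LOG, ALLOWED_REDIRECT_URIS):
        print(f"{reason:<60} {uri}")
```

Run it against the real output of docker logs vault-test-container to see at a glance whether a rejection is down to host capitalisation, http versus https, or the mapped port.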