Sure!
Note that my oidc_scopes includes profile and email as well.
This is my role named oidc in my test environment:
vault read auth/oidc/role/oidc
Key Value
--- -----
allowed_redirect_uris [https://vault-server:8200/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
bound_audiences <nil>
bound_claims <nil>
bound_claims_type string
bound_subject n/a
claim_mappings <nil>
clock_skew_leeway 0
expiration_leeway 0
groups_claim roles
not_before_leeway 0
oidc_scopes [https://graph.microsoft.com/.default profile email]
policies [default]
role_type oidc
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [default]
token_ttl 0s
token_type default
user_claim email
verbose_oidc_logging false
Created with:
vault write auth/oidc/role/oidc user_claim="email" \
allowed_redirect_uris="https://vault-server:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
groups_claim="roles" \
policies=default \
oidc_scopes="https://graph.microsoft.com/.default,profile,email"
This is my oidc auth backend configuration. It uses the role above (oidc) as default:
vault read auth/oidc/config
Key Value
--- -----
bound_issuer n/a
default_role oidc
jwks_ca_pem n/a
jwks_url n/a
jwt_supported_algs []
jwt_validation_pubkeys []
oidc_client_id 12345678-5cJA-44dd-2222-111111111111
oidc_discovery_ca_pem n/a
oidc_discovery_url https://login.microsoftonline.com/XXXXXXXX/v2.0
oidc_response_mode n/a
oidc_response_types []
Created with:
vault write auth/oidc/config \
oidc_client_id="your_client_id" \
oidc_client_secret="your_client_secret" \
default_role="oidc" \
oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
Then I've created the groups and alias via the UI. The alias is of the type of the configured OIDC auth method and is named exactly the same as the Azure AD role. If my user doesn't have any role in that app, I get a message similar to yours.
I hope it helps.
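Added example, not part of the reply above and not Vault's own code: a small simulation of how the role settings shown in the post (user_claim="email", groups_claim="roles", policies=default) combined with external groups whose aliases are named after the Azure AD app roles turn an ID token's claims into an entity alias, group matches and an effective policy set. The group names (Vault.Admins, Vault.Readers), the policies attached to them and the token payloads are all constructed for illustration; the token helper builds an unsigned, JWT-shaped string purely so the claim decoding can be shown offline, whereas real logins are signature-checked by Vault against the discovery document's JWKS before any claim is read.

```python
import base64
import json

# Role settings mirroring `vault read auth/oidc/role/oidc` in the post.
ROLE = {
    "name": "oidc",
    "user_claim": "email",
    "groups_claim": "roles",
    "policies": ["default"],
}

# External groups as created in the Vault UI. The alias name must match the
# Azure AD app role name exactly. Group and policy names are hypothetical.
EXTERNAL_GROUPS = {
    "Vault.Admins": {"policies": ["admin"]},
    "Vault.Readers": {"policies": ["reader"]},
}


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped string for this example only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    This is only for inspecting which claims the IdP put in a token you already
    hold; it must never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(b64url_decode(parts[1]))


def resolve_login(claims: dict, role: dict = ROLE, groups: dict = EXTERNAL_GROUPS) -> dict:
    """Simulate the claim-to-alias mapping for one login.

    Returns the entity alias name, which groups_claim values matched an
    external group alias, which did not, and the resulting policy set.
    Raises ValueError when the user_claim is absent, which is the failure a
    token without the expected claims produces.
    """
    value = claims.get(role["user_claim"])
    if not value:
        raise ValueError(f"claim {role['user_claim']!r} not found in token")
    alias = str(value)

    # Azure AD omits the roles claim entirely when the user has no app role
    # assigned; treat an absent claim as an empty list. A single string is
    # normalised to a one-element list.
    raw = claims.get(role["groups_claim"], [])
    if isinstance(raw, str):
        raw = [raw]

    matched = [g for g in raw if g in groups]
    unmatched = [g for g in raw if g not in groups]

    policies = set(role["policies"])
    for g in matched:
        policies.update(groups[g]["policies"])

    return {
        "alias": alias,
        "matched_groups": matched,
        "unmatched_groups": unmatched,
        "policies": sorted(policies),
    }


# Constructed sample ID-token payloads (no real users or tenants).
SAMPLES = {
    "user with app role": {"email": "alice@example.com", "roles": ["Vault.Admins"]},
    "user with unknown role": {"email": "bob@example.com", "roles": ["Finance.Users"]},
    "user with no app role": {"email": "carol@example.com"},
    "token missing email": {"sub": "opaque-subject", "roles": ["Vault.Admins"]},
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        claims = decode_payload(make_sample_token(payload))
        try:
            print(f"{label}: {resolve_login(claims)}")
        except ValueError as exc:
            print(f"{label}: login rejected ({exc})")
```

Running it shows the three outcomes the thread is circling around: a role that matches a group alias adds that group's policies, a role with no matching alias leaves only the role's default policy, and a token without the user_claim is rejected outright.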