I have hosted Vault and Keycloak on my AWS Ubuntu 22.04 instance and they are running on a public IP; as this is just for testing, I do not need a domain.
Open the KC admin console in the browser and select the realm you’re using with Vault
On the left menu select Realm Settings --> General
At the bottom of the General section find Endpoints --> OpenID Endpoint Configuration link
Copy the link (i.e. by right clicking it)
Paste the link in the Vault configuration field. If you’re using MyVaultRealm as your realm name, the URL should be something like this:
https://Your_domain_name/realms/MyVaultRealm/.well-known/openid-configuration
As stated in the Vault help for the OIDC discovery URL field: "The OIDC discovery URL, without any .well-known component (base path). Cannot be used with jwt_validation_pubkeys",
so you must delete the /.well-known/openid-configuration part on the right,
leaving something like this:
https://Your_domain_name/realms/MyVaultRealm
with no trailing slash.
The /auth part was removed with the Quarkus version (>= 17) but you can add it back if you need it for backward compatibility. See this discussion here:
Thanks, it worked, but now I am facing the same issue with Keycloak version 22. It throws the same error without /auth or with /auth. I am not sure whether many people have tried integrating Keycloak version 22 with Vault. If you have tried and know something, do guide. Thanks.
Looks like there’s a problem in the OIDC flow configuration: KC is returning a token for an audience (aud) unrecognized by Vault.
It’s difficult to say what could be wrong without seeing the whole configuration; there are many parameters involved. I’d suggest checking all the steps from the beginning, with particular attention to the OIDC flow parameters.
On Vault:
- OIDC discovery URL
- OIDC client ID
- OIDC client secret (this one must be copied back from KC)
On Keycloak:
- General Settings --> Client ID
- Access settings --> check all the URLs and URIs
- Capability config --> Client authentication ON
- Capability config --> Authorization ON (if needed)
- Capability config --> Authentication flow: Standard Flow
It’d greatly help to check the token (JWT) returned by KC after the login attempt; you can use Postman or the vault login -method=oidc CLI command in a terminal.
To enable the CLI login you need to add this URI to Keycloak: http://localhost:8250/oidc/callback
under the Access settings tab in the OIDC Client parameters:
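An added example (my own code, not from any of the posts above) tying the two answers together: it derives Vault's OIDC discovery URL from the Keycloak endpoint link as the first answer describes, and inspects the aud and iss claims of a returned token as the second answer suggests. The sample token is constructed here with a placeholder signature segment; the check only decodes claims for diagnosis and does not verify the token.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def vault_discovery_url(kc_endpoint_link, legacy_auth_prefix=False):
    """Convert the 'OpenID Endpoint Configuration' link copied from Keycloak into
    Vault's 'OIDC discovery URL': realm base path, no .well-known, no trailing slash."""
    parts = urlsplit(kc_endpoint_link.strip())
    path = parts.path
    if path.endswith(WELL_KNOWN):
        path = path[: -len(WELL_KNOWN)]
    path = path.rstrip("/")
    # Quarkus-based Keycloak (>= 17) dropped /auth; add it back only for a
    # server still running with the legacy relative path.
    if legacy_auth_prefix and not path.startswith("/auth/"):
        path = "/auth" + path
    if "/realms/" not in path:
        raise ValueError(f"not a Keycloak realm URL: {kc_endpoint_link}")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def make_sample_token(claims):
    """Constructed, UNSIGNED token for offline testing of the claim check
    (third segment is a placeholder, not a real RS256 signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"

def check_token_claims(jwt, vault_client_id, discovery_url):
    """Decode the payload (signature NOT verified; diagnostic only) and report
    why Vault would reject it: 'aud' must contain the Vault client ID and
    'iss' must equal the configured discovery URL exactly."""
    _header, payload, _sig = jwt.split(".")
    claims = _b64url_json(payload)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if vault_client_id not in aud:
        problems.append(f"aud {aud} lacks Vault client id {vault_client_id!r}")
    if claims.get("iss") != discovery_url:
        problems.append(f"iss {claims.get('iss')!r} != {discovery_url!r}")
    return problems
```

For a real token pasted from Postman or the CLI login, a non-empty result from check_token_claims points at the Keycloak client whose ID must match Vault's OIDC client ID, or at a discovery URL that differs from the issuer (trailing slash, /auth prefix).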