Hashicorp Vault + Keycloak

I have hosted Vault and Keycloak on my AWS Ubuntu 22.04 instance and they are running on a public IP. As this is just for testing, I do not need a domain.

Issue: when I add OIDC discovery url of keycloak in vault: HTTP://some-ip:8180/realm/name

it says error. What could be the issue? I am not sure what I have done wrong. I also cannot find any help on the internet.

Remove the auth part in the URL

Long story:
To find the OIDC discovery URL:

  • Open the KC admin console in the browser and select the realm you’re using with Vault
  • On the left menu select Realm Settings --> General
  • At the bottom of the General section find Endpoints --> OpenID Endpoint Configuration link
  • Copy the link (i.e. by right clicking it)
  • Paste the link in the Vault configuration field. If you’re using MyVaultRealm as your realm name, the URL should be something like this:

As stated in the Vault help for the OIDC discovery URL field:
The OIDC discovery URL, without any .well-known component (base path). Cannot be used with jwt_validation_pubkeys

so you must delete the /.well-known/openid-configuration part on the right.

leaving something like this:

with no trailing slash.

The /auth part was removed with the Quarkus version (>= 17) but you can add it back if you need it for backward compatibility. See this discussion here:

Thanks, it worked, but now I am facing the same issue with Keycloak version 22. It throws the same error without /auth or with /auth. I am not sure whether many people have tried integrating Keycloak version 22 with Vault. If you have tried and know something, do guide. Thanks.

Ref: Removing Hashicorp Support · keycloak/keycloak · Discussion #16446 · GitHub

I’m using Keycloak 22.0.1 with Vault 1.14.1 and I do not see that problem, users authenticate on KC and get their SSH signed certificate from Vault.

Maybe some configuration issue? I had to struggle a bit to get the Vault OIDC login running the first time…

I managed to set it up but I am stuck in the login process as it throws this error; maybe some groups or user issue in Keycloak.

Looks like there’s a problem in the OIDC flow configuration: KC is returning a token for an audience (aud) unrecognized by Vault.

It’s difficult to say what could be wrong without seeing the whole configuration; there are many parameters involved. I’d suggest checking all the steps from the beginning, with particular attention to the OIDC flow parameters.

On Vault:

- OIDC discovery URL
- OIDC client ID
- OIDC client secret (this one must be copied back from KC)

On Keycloak

- General Settings --> Client ID
- Access settings --> check all the URLs and URIs
- Capability config --> Client authentication ON
- Capability config --> Authorization ON (if needed)
- Capability config --> Authentication flow: Standard Flow

It’d greatly help to check the token (JWT) returned by KC after the login attempt; you can use Postman or the vault login -method=oidc CLI command in a terminal.

To enable the CLI login you need to add this URI to Keycloak:

under the Access settings tab in the OIDC Client parameters:
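An added helper script to go with the two checks above (it is not code from the thread or from either project): it derives the Vault discovery URL from the link copied out of the Keycloak admin console, and decodes the token returned after a login attempt to show whether the issuer matches that URL and whether any aud value is one Vault accepts (the OIDC client ID or a bound audience). The token decoding is diagnostic only and does not verify the signature; the URLs and token contents below are constructed sample values, using the some-ip host and MyVaultRealm name from the thread.

```python
import base64
import json

WELL_KNOWN = "/.well-known/openid-configuration"


def vault_discovery_url(copied_link: str) -> str:
    """Turn the 'OpenID Endpoint Configuration' link copied from Keycloak into
    what Vault's oidc_discovery_url expects: no .well-known component, no
    trailing slash."""
    url = copied_link.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def _decode_segment(segment: str) -> dict:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def token_problems(token: str, discovery_url: str, accepted_audiences: list) -> list:
    """Decode the payload (signature NOT checked; diagnostic aid only) and list
    the claim mismatches that break the login: 'iss' not equal to the discovery
    URL, or no 'aud' value among the audiences Vault is configured to accept."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a JWT"]
    payload = _decode_segment(parts[1])
    problems = []
    if payload.get("iss") != discovery_url:
        problems.append(f"iss {payload.get('iss')!r} != {discovery_url!r}")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(accepted_audiences):
        problems.append(f"aud {aud!r} has no value in {accepted_audiences!r}")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned JWT (alg 'none') so the checks can run offline."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    link = "http://some-ip:8180/realms/MyVaultRealm/.well-known/openid-configuration"
    base = vault_discovery_url(link)  # constructed sample link
    tok = make_unsigned_token({"iss": base, "aud": "account", "sub": "alice"})
    print(base, token_problems(tok, base, ["vault"]))  # aud 'account' is not 'vault'
```

Run it against the real token by pasting the JWT from Postman or the CLI login into token_problems with your own discovery URL and client ID.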

Thanks @admin4, sorry for the delayed response. I will revert back today itself after doing this.