HTTP API: Error 400 for LIST auth/okta/users

I’m building some Vault functionality into my company’s developer CLI via the Vault API. I’ve been able to invoke a bunch of other endpoints just fine, but I’m running into a problem with trying to list users. The request looks like this:

LIST https://<host>/v1/auth/okta/users
X-Vault-Token: <token>

and the response:

HTTP 400: Bad Request
Content-Length: 11
Content-Type: text/plain
Date: Tue, 05 Apr 2022 15:50:22 GMT
Connection: close

Bad Request

The documentation for this endpoint seems to indicate that no parameters are required, and the path looks correct, so I don’t understand why I’m getting this error. This documentation indicates that I’m supposed to be getting an application/json response with one or more errors in the response body if there’s a problem, but that’s not happening, either.

That “Bad Request” response in text/plain doesn’t look much like something I’d expect to see from Vault.

Do you have some network appliance between Vault and your client which is interfering?

LIST is not a standard HTTP method. Try using the GET compatibility version of the request instead:

GET https://<host>/v1/auth/okta/users?list=true
X-Vault-Token: <token>

Best way to find the proper curl version of a command is to use the Vault binary:

$ vault list -output-curl-string auth/okta/users
curl -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" https://vault:8200/v1/auth/okta/users?list=true

Thank you, that was what I needed. I knew that LIST wasn’t a standard HTTP method, but the HTTP standard doesn’t forbid custom verbs, and the documentation very clearly stated to use LIST. I don’t understand why the documentation says to use LIST when the API doesn’t accept it. The part I was missing was the ?list=true query parameter.

The Vault API accepts LIST just fine. You must have a load balancer or web application firewall that is blocking it, between you and the actual Vault process.

LIST is a valid method for Vault but for Vault only. Most ALBs don’t pass these along so you need to limit your request to standards only.

Vault exposes both LIST and “&list” (it was patched in very early on).
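The behaviour discussed in this thread, as an added example that is not part of the original posts: a client sends LIST first and retries with GET ?list=true when the reply is not JSON, which suggests something in front of Vault answered instead. The function names and the injectable `send` transport are assumptions made for illustration. The handling of a 404 with an empty errors list reflects how Vault reports an empty listing.

```python
import json
import urllib.error
import urllib.request


def http_send(method, url, headers):
    """Default transport: returns (status, content_type, body_bytes)."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def is_vault_response(content_type, body):
    """Vault replies with application/json; a text/plain body is not Vault."""
    if not content_type.lower().startswith("application/json"):
        return False
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def vault_list(addr, path, token, send=http_send):
    """LIST a path, falling back to GET ?list=true if LIST never reaches Vault.

    Returns (keys, method_used); raises RuntimeError on a genuine Vault error.
    """
    url = f"{addr.rstrip('/')}/v1/{path.strip('/')}"
    headers = {"X-Vault-Token": token, "X-Vault-Request": "true"}
    for method, target in (("LIST", url), ("GET", url + "?list=true")):
        status, ctype, body = send(method, target, headers)
        if not is_vault_response(ctype, body):
            # e.g. "400 Bad Request" as text/plain: an intermediary answered,
            # so try the next request form instead of reporting a Vault error.
            continue
        doc = json.loads(body)
        if status == 200:
            return doc["data"]["keys"], method
        if status == 404 and not doc.get("errors"):
            return [], method  # Vault reports an empty listing as 404
        raise RuntimeError(f"Vault error {status}: {doc.get('errors')}")
    raise RuntimeError("no JSON response from Vault; check proxies in the path")
```

Logging which method succeeded makes it visible when a load balancer or WAF in the path is dropping LIST.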