OIDC auth attempts via UI, using the same credentials, are generating different errors depending on who's testing

Hey gang, we’ve been trying to get the OIDC auth stood up for a bit and we’ve had a few problems. The main issue right now is that when we try to test the OIDC method via the UI, different people are generating different errors.

So - each of us can go to the UI and select OIDC, and the “demo” role. User A will generate the “Invalid role. Please try again.” error for their first attempt and “Missing auth_url. Please check that allowed_redirect_uris for the role include this mount path.” for subsequent attempts.

User B will return “The callback from the provider did not supply all of the required parameters. Please click Sign In to try again. If the problem persists, you may want to contact your administrator.”

And User C will return “invalid_client: Account temporarily locked because number of failed logins was exceeded or max number of invalid tokens was attempted to be revoked”

Thoughts or suggestions?

OIDC is indeed hard, and it’s very hard to find useful documentation.

However, the info you’ve provided so far is only anecdotes of weird surface behaviour - it doesn’t really point to anything actionable.

If you’re looking for effective help, you’ll need to share as many concrete details as you can - exact copy/pastes of exactly how you’ve configured your Vault.

As a couple of starting points, I can offer this:

1) Unless you have an extremely unusual use-case, you only want to have exactly one Vault OIDC role defined (I suggest calling it default) and you should set it as the default so users don’t need to enter the role name.

2) Here is an example configuration I used to get a basic Google OIDC setup running in a test Vault instance:

# Enable the OIDC auth method and list it on the unauthenticated UI login page
vault auth enable oidc
vault auth tune -listing-visibility=unauth oidc

# Point the method at the provider's discovery endpoint and the client registered there
vault write auth/oidc/config \
  oidc_discovery_url=https://accounts.google.com \
  oidc_client_id=REDACTED \
  oidc_client_secret=REDACTED

# A single role; allow both the UI callback and the CLI (localhost:8250) callback
vault write auth/oidc/role/default \
  user_claim=sub \
  oidc_scopes=email,profile \
  allowed_redirect_uris=https://REDACTED/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback

Thanks for the feedback.

Working with our Ping folks, we made a few changes: 1) changed our client auth from none to secret and our allowed grant types from authorization code to client credentials. Now we are all generating the same “The callback from the provider did not supply all of the required parameters.” error…

I think from here we’ll try to re-check our parameters and validate what our provider is sending back.

Fingers crossed.

Sorry to say, but it sounds like you may have just broken it further… This bit:

is very definitely not correct for the Vault use case.
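As an added example for this thread (not Vault's code and not anything the posters shared), here is a small offline checker for the two things the replies point at: whether the redirect URI Vault will send is exactly present in the role's allowed_redirect_uris (the "Missing auth_url ... allowed_redirect_uris" error), and whether the provider's callback and discovery document fit the authorization code flow that Vault's OIDC method uses (the "did not supply all of the required parameters" error after switching to client credentials). It assumes the UI callback path is /ui/vault/auth/<mount>/oidc/callback, the CLI callback is http://localhost:8250/oidc/callback, and that Vault compares redirect URIs by exact string match; the sample values are constructed.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Added example, not Vault project code. Assumptions (not from the thread):
# UI callback path is /ui/vault/auth/<mount>/oidc/callback, the CLI listens on
# http://localhost:8250/oidc/callback, and allowed_redirect_uris is matched exactly.


def ui_redirect_uri(vault_addr: str, mount: str = "oidc") -> str:
    """Redirect URI the Vault UI sends for an OIDC method mounted at <mount>."""
    return f"{vault_addr.rstrip('/')}/ui/vault/auth/{mount}/oidc/callback"


def cli_redirect_uri(port: int = 8250) -> str:
    """Redirect URI `vault login -method=oidc` listens on locally."""
    return f"http://localhost:{port}/oidc/callback"


def parse_allowed(value: str) -> List[str]:
    """Split the comma-separated allowed_redirect_uris value used in `vault write`."""
    return [u.strip() for u in value.split(",") if u.strip()]


def redirect_uri_allowed(redirect_uri: str, allowed: List[str]) -> bool:
    """Exact match: a trailing slash, different mount name, scheme or port is a mismatch."""
    return redirect_uri in allowed


def missing_callback_params(callback_url: str) -> List[str]:
    """Authorization-code parameters absent from the URL the provider redirected to."""
    qs = parse_qs(urlparse(callback_url).query)
    return [p for p in ("code", "state") if p not in qs]


def discovery_supports_code_flow(doc: Dict) -> bool:
    """True if the provider's discovery document advertises the authorization code flow.

    Per OIDC Discovery, a missing grant_types_supported defaults to
    ["authorization_code", "implicit"]; response_types_supported is required.
    """
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    return "authorization_code" in grants and "code" in doc.get("response_types_supported", [])


def diagnose(vault_addr: str, mount: str, allowed_value: str,
             callback_url: str, discovery: Dict) -> List[str]:
    """Collect human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    allowed = parse_allowed(allowed_value)
    for name, uri in (("UI", ui_redirect_uri(vault_addr, mount)), ("CLI", cli_redirect_uri())):
        if not redirect_uri_allowed(uri, allowed):
            findings.append(f"{name} redirect URI {uri} is not in allowed_redirect_uris")
    missing = missing_callback_params(callback_url)
    if missing:
        findings.append("provider callback is missing: " + ", ".join(missing))
    if not discovery_supports_code_flow(discovery):
        findings.append("discovery document does not advertise the authorization code flow")
    return findings


# Constructed sample inputs (hypothetical host; shape modelled on a discovery document).
SAMPLE_ALLOWED = ("https://vault.example.test/ui/vault/auth/oidc/oidc/callback,"
                  "http://localhost:8250/oidc/callback")
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code"],
}

if __name__ == "__main__":
    for f in diagnose("https://vault.example.test", "oidc-ping", SAMPLE_ALLOWED,
                      "http://localhost:8250/oidc/callback?state=xyz", SAMPLE_DISCOVERY):
        print("finding:", f)
```

Run it against your own Vault address, mount name and the exact allowed_redirect_uris string from `vault read auth/oidc/role/<name>`; a mount called anything other than `oidc` changes the UI callback path and is a common reason the first URI in the list silently stops matching.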