New to Vault
Not so new to OIDC and Google Workspace
Following steps here:
OIDC config looks OK. See attachment.
But when I got the Vault Web UI and select OIDC with/without gmail role, and click sign in with OIDC provider, I get “Missing auth_url. Please check that allowed_redirect_uris for the role include this mount path.”. Also see attachment.
What am I missing?
Can't seem to find a way to ATTACH, so OIDC config in text here
(base) [ptolani@Pankajs-MacBook-Pro-Work ~ ]$ vault read auth/oidc/config
(base) [ptolani@Pankajs-MacBook-Pro-Work ~ ]$ vault read auth/oidc/role/gmail
Also, running "vault auth tune -listing-visibility=unauth oidc" still results in the same "Missing auth_url" error.
Also, the authorised redirect URI on the Client ID for the Web application on the GCP side matches allowed_redirect_uris in the OIDC config.
What I am not clear on is: how does the GCP config allow it to query Google Workspace? My user in GCP (account in Google) would not have the permissions to do that!
Issue worked around. Was easy.
For HCP, Launch UI uses hashicorp.com DNS name and Public IP button uses hashicorp.cloud DNS name. With this, OIDC with Google Workspace steps do not work OOTB.
So click the Launch UI button and replace the host name with the one from Public IP.
@pankajmt thanks for bringing this up. I’ve shared with the PM for the HCP Vault team to see if this was intentional or not. I’ve always used the URL from the private/public address so never noticed the difference in the URL from the launch UI button.
Hi @pankajmt ,
Also, you should be able to provide multiple redirect_uris. This tutorial, while focused on Okta, shows you an example:
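Putting the workaround above and the multiple-redirect-URI advice together, here is an added example (not from any post in this thread, and not HashiCorp's own tooling) of building an allowed_redirect_uris value that covers both HCP hostnames at once and checking that the URL the browser actually lands on is in the list. The hostnames and the VAULT_ADDR/mount values are assumed placeholders; the callback path follows the pattern Vault's UI uses, https://HOST:PORT/ui/vault/auth/MOUNT/oidc/callback.

```shell
#!/usr/bin/env bash
# Added example: cover both HCP hostnames in allowed_redirect_uris.
# The hostnames below are assumed placeholders, not real HCP addresses.

# Callback URL the Vault UI uses for the OIDC flow on a given auth mount.
# $1 = https://host:port, $2 = mount path (defaults to "oidc")
redirect_uri() {
  local base="${1%/}" mount="${2:-oidc}"
  printf '%s/ui/vault/auth/%s/oidc/callback' "$base" "$mount"
}

# Join the callback URLs for every hostname into the comma-separated
# value that `vault write ... allowed_redirect_uris=` expects.
allowed_redirect_uris() {
  local out="" host
  for host in "$@"; do
    out="${out:+$out,}$(redirect_uri "$host")"
  done
  printf '%s' "$out"
}

# Return 0 if the URI the browser is using is in the comma-separated list.
# A miss here is exactly the "Missing auth_url" symptom from the thread.
is_allowed() { # $1 = candidate URI, $2 = comma-separated list
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

LAUNCH_UI_HOST="https://vault-cluster.example.hashicorp.com:8200"   # assumed
PUBLIC_IP_HOST="https://vault-cluster.example.hashicorp.cloud:8200" # assumed
URIS=$(allowed_redirect_uris "$LAUNCH_UI_HOST" "$PUBLIC_IP_HOST")

# Only talk to Vault when explicitly asked (APPLY=1) so the script is safe to
# run offline. Re-supply the role's other settings (user_claim, policies,
# bound_audiences, ...) from `vault read auth/oidc/role/gmail` when you
# rewrite the role; only allowed_redirect_uris is shown here.
if [ "${APPLY:-0}" = 1 ]; then
  vault write auth/oidc/role/gmail \
    allowed_redirect_uris="$URIS" \
    user_claim=email
fi
```

Both callback URLs must also be registered as authorised redirect URIs on the Google Cloud OAuth client, otherwise Google will reject the second hostname even though Vault accepts it.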
Yeah, for a newbie to this, the steps don't work out of the box because of the mismatch!
thanks for channeling this!