OIDC authentication with Google Workspace - cannot get it to work

New to Vault
Not so new to OIDC and Google Workspace

Following steps here:

OIDC config looks OK. See attachment.

But when I go to the Vault Web UI and select OIDC with/without the gmail role, and click sign in with OIDC provider, I get “Missing auth_url. Please check that allowed_redirect_uris for the role include this mount path.”. Also see attachment.

What am I missing?

Can't seem to find a way to ATTACH, so OIDC config in text here

(base) [ptolani@Pankajs-MacBook-Pro-Work ~ ]$ vault read auth/oidc/config
Key Value

bound_issuer n/a
default_role gmail
jwks_ca_pem n/a
jwks_url n/a
namespace_in_state true
oidc_client_id REDACTED
oidc_discovery_ca_pem n/a
oidc_discovery_url https://accounts.google.com
oidc_response_mode n/a
provider_config map
(base) [ptolani@Pankajs-MacBook-Pro-Work ~ ]$ vault read auth/oidc/role/gmail
Key Value

allowed_redirect_uris [https://REDACTED/ui/vault/auth/oidc/oidc/callback]
bound_audiences [REDACTED]
bound_claims_type string
bound_subject n/a
clock_skew_leeway 0
expiration_leeway 0
groups_claim n/a
max_age 0
not_before_leeway 0
policies [reader]
role_type oidc
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [reader]
token_ttl 1h
token_type default
ttl 1h
user_claim sub
user_claim_json_pointer false
verbose_oidc_logging false

Also, running “vault auth tune -listing-visibility=unauth oidc” still results in the same “Missing auth_url” error.

Also, the authorised redirect URI on the Client ID for the Web application on the GCP side matches allowed_redirect_uris in the OIDC config.

What I am not clear on is: how does the GCP config allow querying Google Workspace? My user in GCP (account in Google) would not have the permissions to do that!

Issue worked around. Was easy.

For HCP, Launch UI uses hashicorp.com DNS name and Public IP button uses hashicorp.cloud DNS name. With this, OIDC with Google Workspace steps do not work OOTB.

So click the Launch UI button and replace the host name with the one from Public IP.

@pankajmt thanks for bringing this up. I’ve shared with the PM for the HCP Vault team to see if this was intentional or not. I’ve always used the URL from the private/public address so never noticed the difference in the URL from the launch UI button.

Hi @pankajmt ,

Also, you should be able to provide multiple redirect_uris. This tutorial, while focused on Okta, shows you an example:
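The mismatch discussed in this thread can be checked before a user ever hits the "Missing auth_url" error: the Vault UI sends a callback of the form https://<ui host>/ui/vault/auth/<mount>/oidc/callback, so the hostname the browser actually loaded the UI from (hashicorp.com from the Launch UI button versus hashicorp.cloud from Public IP) must appear in the role's allowed_redirect_uris. The following is an added example written for this thread, not code from Vault or from anyone posting above; the hostnames and the role's allowed list are constructed, and the comparison (lower-cased scheme and host, trailing slash trimmed) is a simplification of whatever matching Vault itself performs.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a role whose allowed_redirect_uris only lists the
# hashicorp.cloud hostname, mirroring the single-entry config in the thread.
ROLE_ALLOWED_REDIRECT_URIS = [
    "https://vault-cluster.example.hashicorp.cloud:8200/ui/vault/auth/oidc/oidc/callback",
]


def ui_callback_url(ui_base_url: str, mount_path: str = "oidc") -> str:
    """Build the redirect URI the Vault web UI uses for an OIDC auth mount.

    The callback path is /ui/vault/auth/<mount>/oidc/callback, served on the
    same scheme, host and port the browser loaded the UI from.
    """
    parts = urlsplit(ui_base_url)
    path = f"/ui/vault/auth/{mount_path.strip('/')}/oidc/callback"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def _normalise(uri: str) -> tuple:
    # Assumption: scheme and host compare case-insensitively, a trailing
    # slash is insignificant, and an explicit default port equals no port.
    p = urlsplit(uri)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path.rstrip("/"))


def redirect_allowed(ui_base_url: str, allowed: list, mount_path: str = "oidc") -> bool:
    """True if the UI's callback for this host is covered by allowed_redirect_uris."""
    want = _normalise(ui_callback_url(ui_base_url, mount_path))
    return any(_normalise(a) == want for a in allowed)


def missing_redirect_uris(ui_base_urls: list, allowed: list, mount_path: str = "oidc") -> list:
    """Return the callback URIs that would have to be added to the role so that
    every listed UI hostname (Launch UI, Public IP, ...) can complete the flow."""
    return [
        ui_callback_url(u, mount_path)
        for u in ui_base_urls
        if not redirect_allowed(u, allowed, mount_path)
    ]


if __name__ == "__main__":
    # Constructed hostnames standing in for the two HCP entry points.
    ui_hosts = [
        "https://vault-cluster.example.hashicorp.com:8200",    # Launch UI button
        "https://vault-cluster.example.hashicorp.cloud:8200",  # Public IP button
    ]
    for host in ui_hosts:
        status = "OK" if redirect_allowed(host, ROLE_ALLOWED_REDIRECT_URIS) else "MISSING"
        print(f"{status:8} {ui_callback_url(host)}")
    for uri in missing_redirect_uris(ui_hosts, ROLE_ALLOWED_REDIRECT_URIS):
        print(f"add to role: {uri}")
```

Running it prints the hashicorp.com callback as MISSING, which is exactly the case that produces the "Missing auth_url" error in the UI. The fix is to list both callbacks on the role, which the Vault CLI accepts by repeating the key, e.g. vault write auth/oidc/role/gmail allowed_redirect_uris="https://<launch-ui-host>/ui/vault/auth/oidc/oidc/callback" allowed_redirect_uris="https://<public-ip-host>/ui/vault/auth/oidc/oidc/callback" (other role parameters must be supplied again on a full write), and to add the same URIs as authorised redirect URIs on the Google client ID.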

yeah, for a newbie to this, the steps don't work out of the box because of the mismatch!

thanks for channeling this!