OIDC CLI login redirecting to localhost (with Azure AD)

Hi Everyone,

When logging in using the OIDC auth method, I'm unable to authenticate and receive a callback/redirect to localhost. When I run the command to log in via OIDC (vault login -method=oidc role=default) I receive the "Complete the login via your OIDC provider. Launching browser to:" message; following the provided link, I authenticate to Azure AD and am redirected back to localhost.

Azure AD callback URLs:

http://localhost:8200/oidc/callback
https://<vault ip>:8200/oidc/callback
https://<vault ip>:8200/ui/vault/auth/oidc/oidc/callback

Command issued to log in:

[vault@host~]$ vault login -method="oidc" role="reader" port=8200
Complete the login via your OIDC provider. Launching browser to:

https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize?client_id=<client id>&nonce=*&redirect_uri=http%3A%2F%2Flocalhost%3A8200%2Foidc%2Fcallback&response_type=code&scope=openid&state=*

Anyone please help me!!

Did you set allowed_redirect_uris on your Vault OIDC role to the same set you applied in Azure AD? If those aren’t set/set correctly then the auth flow will not complete.

Yes… the redirect URI is the same for both Azure AD and the Vault config.

OK, good.

Did you follow all the instructions from the OIDC Providers page?

One thing I noticed in the truncated URL you provided is that the https://graph.microsoft.com/.default string isn’t present (see Step 5 in connecting an external group). I’m not sure if that’s needed if you aren’t explicitly using Vault’s Identity Groups (we use them and this setup is working fine for us).

The permissions needed for the integration on the Azure side appear to be as follows:

  • GroupMember.Read.All
  • User.Read
  • profile

The docs indicate to include Directory.Read.All but we’ve found that isn’t necessary.

Hopefully this helps.

Does authentication complete when using the Vault GUI?

Thanks for responding.

I'm not able to authenticate on the Vault GUI. It is not proceeding further. From the command line at least it is giving me the sign-in option as below:

https://login.microsoftonline.com/fbc82b/oauth2/v2.0/authorize?client_id=d8fd&nonce=n_ME2xYa&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default&state=st_**

Is oidc_client_secret the secret ID or the value? (under Azure AD Certificates and secrets)

I'm providing the value as the value of the secret ID. Can you please confirm whether I'm correct?

In my config I provide oidc_discovery_url, oidc_client_id, and oidc_client_secret.

oidc_discovery_url - should be https://login.microsoftonline.com/<tenant_GUID>/v2.0
oidc_client_id is the registration id - it’s formatted as a GUID (apologies, I don’t have the Azure terms readily available)
oidc_client_secret is the secret - should just appear to be a random string, looks like it may be base64 encoded
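An added example (my own code, not from the thread, Vault or Azure AD) that does the check the allowed_redirect_uris question above and this config post both revolve around: it parses the redirect_uri and scope parameters out of the authorize URL the CLI prints and compares the callback against the URLs registered in Azure AD and the role's allowed_redirect_uris. It assumes Vault requires an exact string match and, as the poster said, that the Vault list mirrors the Azure list; the URL lists are copied from the thread. Run against the two authorize URLs posted in the thread, it reports that the callback on port 8200 appears in both lists while the one on port 8250 appears in neither, and that only the second request carries the https://graph.microsoft.com/.default scope.

```python
"""Sanity-check the authorize URL printed by `vault login -method=oidc`.

Added example, not part of the thread or of Vault. Exact-match comparison
of redirect_uri is an assumption about how Vault's role check behaves.
"""
from urllib.parse import urlsplit, parse_qs

# Callback URLs registered on the Azure AD app registration (copied from the
# thread; "<vault ip>" is left as the placeholder the poster used).
AZURE_REGISTERED = [
    "http://localhost:8200/oidc/callback",
    "https://<vault ip>:8200/oidc/callback",
    "https://<vault ip>:8200/ui/vault/auth/oidc/oidc/callback",
]

# allowed_redirect_uris on the Vault OIDC role. The poster said it is the
# same set as in Azure AD, so the same values are assumed here.
VAULT_ALLOWED_REDIRECT_URIS = list(AZURE_REGISTERED)

# The two authorize URLs the CLI printed in the thread (already masked there).
URL_PORT_8200 = (
    "https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize"
    "?client_id=<client id>&nonce=*"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8200%2Foidc%2Fcallback"
    "&response_type=code&scope=openid&state=*"
)
URL_PORT_8250 = (
    "https://login.microsoftonline.com/fbc82b/oauth2/v2.0/authorize"
    "?client_id=d8fd&nonce=n_ME2xYa"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback"
    "&response_type=code"
    "&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default&state=st_**"
)


def parse_authorize_url(url):
    """Return tenant path segment, redirect_uri, scopes and response_type."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # percent-decodes and turns '+' into spaces

    def first(key):
        return query.get(key, [""])[0]

    return {
        "tenant": parts.path.split("/")[1],
        "redirect_uri": first("redirect_uri"),
        "scopes": first("scope").split(),  # OIDC scopes are space separated
        "response_type": first("response_type"),
    }


def check_authorize_url(url, azure_registered, vault_allowed,
                        required_scopes=("openid",)):
    """List the mismatches that would stop this login before it completes."""
    info = parse_authorize_url(url)
    problems = []
    uri = info["redirect_uri"]
    if uri not in azure_registered:
        problems.append(f"redirect_uri {uri} is not registered in Azure AD")
    if uri not in vault_allowed:
        problems.append(
            f"redirect_uri {uri} is not in the role's allowed_redirect_uris")
    for scope in required_scopes:
        if scope not in info["scopes"]:
            problems.append(f"scope {scope} missing from the request")
    return problems


if __name__ == "__main__":
    for name, url in (("port 8200", URL_PORT_8200), ("port 8250", URL_PORT_8250)):
        info = parse_authorize_url(url)
        found = check_authorize_url(url, AZURE_REGISTERED, VAULT_ALLOWED_REDIRECT_URIS)
        print(name, info["redirect_uri"], info["scopes"], found or "ok")
```

The scope check takes the required list as a parameter, so the same function can be asked whether the https://graph.microsoft.com/.default scope is present when the role is meant to use Vault identity groups.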

Yes, I provided the same.

And this is the error after I’m redirected to localhost:

AADSTS650053: The application 'Test' asked for scope '.default,profile,email' that doesn't exist on the resource '00000003-*****'. Contact the app vendor.