OIDC cli logon on jumphost?

I’m setting up OIDC for Azure AD in vault.
All users would login to vault with Azure AD credentials on a jumphost withou any gui browser.
Vault is installed on another server.

Is the only way to complete the login to use a graphical browser on the same server as where the cli runs from? Is it not possible to use curl or so in another session?

Reading up on github issues, it seems, curl won’t work.
Could I use some lightweight gui browser and force everyone to use x forwarding over ssh perhaps as an option?

Hello,

I think when you try to login via OIDC, Vault prints a link that you can use.

What happens if you copy/paste this link to your local browser?

This is just a guess, so I’m not sure if it is going to work.

Martin

Yes the web browser does not have to be on the same machine as the cli. The problem however is that the current implementation requires a callback to the cli process itself, which can be quite difficult to manage in many circumstances. I have a pull request pending to allow directing the callback to vault itself, which is generally a lot easier to manage.

Dave

Curl doesn’t really work because you are directed do your OIDC providers login, such as azure with their login fancy prompts and lynx/links etc doesn’t handle the javascripts.

Anyway, after you have run vault login -method=oidc role=myrole the vault cli client starts a listener and waits for the browser to call back.

I tried many browsers but most are horribly slow over ssh forwarding, but I finally found uzbl which can’t handle the vault web ui at all…BUT it can process the azure login page…yay

At least with uzbl, it only takes around 20s for the browser to start, compared to chromium and firefox with 2mins + who was also was extremely slow and didn’t because usable until a while after it had launched.

This is totally usable. Had to set export BROWSER=uzbl-core to make sure it started the correct browser.

I really hope @DrDaveD way gets accepted, it would be the sane way to go