OIDC configuration with Azure AD (Entra)

cc1 · February 12, 2024, 4:07pm

I just installed my vault and set up azure as oidc authentication method.
Now I always geht the following error, no matter of trying to login via CLI or UI:

vault login -method=oidc role=aad
Complete the login via your OIDC provider. Launching browser to:

    https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&code_challenge=5goj...OnY8&code_challenge_method=S256&nonce=n_mm...Wn&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default&state=st_Ucv...WJQ


Waiting for OIDC authentication to complete...
Error authenticating: Error making API request.

URL: GET https://SUBDOMAIN.DOMAIN.TLD:8200/v1/auth/oidc/oidc/callback?client_nonce=4X7...kO&code=0.ASEA...1HOCVM&id_token=&state=st_Ucv...WJQ
Code: 400. Errors:

* Vault login failed. Error exchanging oidc code: "Provider.Exchange: id_token failed verification: Provider.VerifyIDToken: invalid id_token: failed to verify signature: failed to verify id token signature: invalid signature".

→ login at microsoft with MFA is successfull

my configurations:

vault read auth/oidc/config      
Key                       Value
---                       -----
bound_issuer              n/a
default_role              aad
jwks_ca_pem               n/a
jwks_url                  n/a
jwt_supported_algs        []
jwt_validation_pubkeys    []
namespace_in_state        false
oidc_client_id            <CLIENT_ID>
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://login.microsoftonline.com/<TENANT_ID>/v2.0
oidc_response_mode        n/a
oidc_response_types       []
provider_config           map[provider:azure]

vault read auth/oidc/role/aad
Key                        Value
---                        -----
allowed_redirect_uris      [http://localhost:8250/oidc/callback https:/SUBDOMAIN.DOMAIN.TLD:8200/ui/vault/auth/oidc/oidc/callback]
bound_audiences            <nil>
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               groups
max_age                    0
not_before_leeway          0
oidc_scopes                [https://graph.microsoft.com/.default]
policies                   [default oidc]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [default oidc]
token_ttl                  0s
token_type                 default
user_claim                 email
user_claim_json_pointer    false
verbose_oidc_logging       true

Any suggestions on this?

jonathanfrappier · February 16, 2024, 2:24pm

From the Vault config, the only thing that jumps out (and could be a copy/pasted/clean up thing) is I don’t see any user claims.

Outside of that, not sure what your Azure AD setup is. Have you tried following this tutorial?

cc1 · February 21, 2024, 2:26pm

I tried to set the azure ad setup manually by GUI, didn´t work. Now I just installed the AD-CLI and set it up as described in Documentation, and see: it Worked…

jonathanfrappier · February 26, 2024, 1:41pm

Glad to hear you got it working!