I just installed my vault and set up Azure as OIDC authentication method.
Now I always get the following error, no matter whether I try to log in via CLI or UI:
vault login -method=oidc role=aad
Complete the login via your OIDC provider. Launching browser to:
https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&code_challenge=5goj...OnY8&code_challenge_method=S256&nonce=n_mm...Wn&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default&state=st_Ucv...WJQ
Waiting for OIDC authentication to complete...
Error authenticating: Error making API request.
URL: GET https://SUBDOMAIN.DOMAIN.TLD:8200/v1/auth/oidc/oidc/callback?client_nonce=4X7...kO&code=0.ASEA...1HOCVM&id_token=&state=st_Ucv...WJQ
Code: 400. Errors:
* Vault login failed. Error exchanging oidc code: "Provider.Exchange: id_token failed verification: Provider.VerifyIDToken: invalid id_token: failed to verify signature: failed to verify id token signature: invalid signature".
→ login at Microsoft with MFA is successful
my configurations:
vault read auth/oidc/config
Key Value
--- -----
bound_issuer n/a
default_role aad
jwks_ca_pem n/a
jwks_url n/a
jwt_supported_algs []
jwt_validation_pubkeys []
namespace_in_state false
oidc_client_id <CLIENT_ID>
oidc_discovery_ca_pem n/a
oidc_discovery_url https://login.microsoftonline.com/<TENANT_ID>/v2.0
oidc_response_mode n/a
oidc_response_types []
provider_config map[provider:azure]
vault read auth/oidc/role/aad
Key Value
--- -----
allowed_redirect_uris [http://localhost:8250/oidc/callback https:/SUBDOMAIN.DOMAIN.TLD:8200/ui/vault/auth/oidc/oidc/callback]
bound_audiences <nil>
bound_claims <nil>
bound_claims_type string
bound_subject n/a
claim_mappings <nil>
clock_skew_leeway 0
expiration_leeway 0
groups_claim groups
max_age 0
not_before_leeway 0
oidc_scopes [https://graph.microsoft.com/.default]
policies [default oidc]
role_type oidc
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [default oidc]
token_ttl 0s
token_type default
user_claim email
user_claim_json_pointer false
verbose_oidc_logging true
Any suggestions on this?
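As an added illustration (not part of the original post and not Vault's own code), the Go program below reproduces the verification step that the error message names: a relying party resolves the `kid` in the token header against the provider's published JWKS, checks the RS256 signature, and only then compares `iss` against the discovery URL, `aud` against the client id, and `exp` against the clock. The issuer and audience strings reuse the `<TENANT_ID>` / `<CLIENT_ID>` placeholders from the post; the RSA keys, the `kid`, the claim values and the alternative issuer are constructed for the demo. The second scenario shows where the post's "invalid signature" text comes from: a token whose signing key is not the one published under that `kid`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of an RFC 7517 JSON Web Key that RS256 verification needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// buildJWKS publishes the public half of key under kid, the way a provider's
// discovery "jwks_uri" document does.
func buildJWKS(key *rsa.PrivateKey, kid string) []byte {
	k := jwk{Kty: "RSA", Kid: kid,
		N: b64.EncodeToString(key.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	out, _ := json.Marshal(map[string][]jwk{"keys": {k}})
	return out
}

// signIDToken mints a compact RS256 JWT: b64url(header).b64url(claims).b64url(sig).
func signIDToken(key *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken performs the relying-party checks in order: kid lookup in the
// JWKS, RS256 signature, then the iss / aud / exp claims.
func verifyIDToken(token string, jwksJSON []byte, wantIss, wantAud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var set map[string][]jwk
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set["keys"] {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("failed to verify id token signature: invalid signature")
	}
	// Only a signature-verified payload is worth parsing for claims.
	var claims map[string]interface{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if claims["iss"] != wantIss {
		return nil, fmt.Errorf("issuer %v does not match discovery url %s", claims["iss"], wantIss)
	}
	if claims["aud"] != wantAud {
		return nil, fmt.Errorf("audience %v does not match client id %s", claims["aud"], wantAud)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// runScenarios returns the verification outcome for a provider-signed token,
// for a token signed by a key that is not the one published under the kid, and
// for a token carrying another issuer. Keys, kid and claims are constructed.
func runScenarios() (goodErr, wrongKeyErr, wrongIssErr error) {
	const iss, aud, kid = "https://login.microsoftonline.com/<TENANT_ID>/v2.0", "<CLIENT_ID>", "constructed-kid-1"
	now := time.Now()
	providerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // not in the JWKS
	keys := buildJWKS(providerKey, kid)
	claims := func(issuer string) map[string]interface{} {
		return map[string]interface{}{"iss": issuer, "aud": aud, "sub": "user-1", "email": "alice@example.com",
			"nonce": "n_constructed", "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}
	}
	good, _ := signIDToken(providerKey, kid, claims(iss))
	_, goodErr = verifyIDToken(good, keys, iss, aud, now)
	bad, _ := signIDToken(otherKey, kid, claims(iss))
	_, wrongKeyErr = verifyIDToken(bad, keys, iss, aud, now)
	badIss, _ := signIDToken(providerKey, kid, claims("https://other-issuer.example/v2.0"))
	_, wrongIssErr = verifyIDToken(badIss, keys, iss, aud, now)
	return
}

func main() {
	goodErr, wrongKeyErr, wrongIssErr := runScenarios()
	fmt.Println("provider-signed token:", goodErr)
	fmt.Println("token signed by another key:", wrongKeyErr)
	fmt.Println("token with other issuer:", wrongIssErr)
}
```

The order of checks is the useful part when reading Vault's error string: the signature is checked before any claim, so a signature failure says nothing about `bound_audiences`, `user_claim` or scopes, only that the key the token was signed with is not among those the relying party fetched from the JWKS behind `oidc_discovery_url`.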