OIDC Login Error

I’m attempting to login to Waypoint using Vault as an OIDC provider (this is in Tech Preview for Vault). I’ve configured the auth method to the point where the Vault OIDC login page pops up and I successfully login with a Vault token configured for my identity entity alias in Vault. This identity entity is a member of a group which has been added to the assignment configured for Waypoint’s client in the OIDC provider. At this point I’m stuck at a redirect URI mismatch prompt after logging in to Vault. Any help with this would be appreciated; I’d really like to move my team over to OIDC auth over the token system!


waypoint login -auth-method=vault -vvv

During the login process, this is what is logged when I am taken to the Vault login page:

2021-12-23T18:22:30.153-0500 [TRACE] waypoint: requesting version info from server
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: server version info: version=v0.6.2 api_min=1 api_current=1 entrypoint_min=1 entrypoint_current=1
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: negotiated api version: version=1
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: login method: method=OIDC
Complete the authentication by visiting your authentication provider.
Opening your browser window now. If the browser window does not launch,
please visit the URL below:


Vault login page, after successfully authenticating:
Screen Shot 2021-12-23 at 7.15.49 PM

Additionally, the client has been configured with the redirect URIs mentioned in the documentation. I think what the problem potentially could be is that the redirect URI (mentioned above from the CLI logs) is not literally, but rather it contains a random port value after localhost. From my limited experience with OIDC, from what I can gather the allowed redirect URIs must contain an exact match for the redirect.

vault read identity/oidc/client/waypoint                    
Key                 Value
---                 -----
access_token_ttl    2h
assignments         [my-assignment]
client_id           my-client-id
client_secret       my-client-secret
id_token_ttl        1h
key                 wp-key
redirect_uris       [ https://waypoint-ui.service.dc1.consul:9702/oidc/callback]

Here’s what my auth-method settings are:

waypoint auth-method inspect vault
name: "vault"
display_name: "vault"
oidc: <
  client_id: "my-client-id"
  client_secret: "[REDACTED: client secret]"
  discovery_url: "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-oidc-provider"
  discovery_ca_pem: "----MY_CERT_FOR_VAULT-----"

And the configuration of my OIDC provider in Vault is below:

  "issuer": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider",
  "jwks_uri": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/.well-known/keys",
  "authorization_endpoint": "https://vault.service.dc1.consul:8200/ui/vault/identity/oidc/provider/vault-provider/authorize",
  "token_endpoint": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/token",
  "userinfo_endpoint": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/userinfo",
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
  "response_types_supported": [
  "scopes_supported": [
  "subject_types_supported": [
  "grant_types_supported": [
  "token_endpoint_auth_methods_supported": [

Barring a configuration I could have missed on my end, I think that this is an issue where Vault’s OIDC provider does not allow any port to be used for the loopback interface. I have opened this issue for tracking it.

Update here! Vault 1.9.4 was released last week. This release contained the bug fix mentioned in my last post (PR) below. After this was addressed, I was able to use Vault as the OIDC provider for Waypoint and login! :smiley: Along with the fancy features of limiting access to that of only one group I created in Vault for admins of Waypoint.

1 Like