OIDC Login Error

I’m attempting to log in to Waypoint using Vault as an OIDC provider (this is in Tech Preview for Vault). I’ve configured the auth method to the point where the Vault OIDC login page pops up and I successfully log in with a Vault token configured for my identity entity alias in Vault. This identity entity is a member of a group which has been added to the assignment configured for Waypoint’s client in the OIDC provider. At this point I’m stuck at a redirect URI mismatch prompt after logging in to Vault. Any help with this would be appreciated; I’d really like to move my team over to OIDC auth over the token system!

Command:

waypoint login -auth-method=vault -vvv

During the login process, this is what is logged when I am taken to the Vault login page:

2021-12-23T18:22:30.153-0500 [TRACE] waypoint: requesting version info from server
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: server version info: version=v0.6.2 api_min=1 api_current=1 entrypoint_min=1 entrypoint_current=1
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: negotiated api version: version=1
2021-12-23T18:22:30.211-0500 [INFO]  waypoint: login method: method=OIDC
Complete the authentication by visiting your authentication provider.
Opening your browser window now. If the browser window does not launch,
please visit the URL below:

https://vault.service.dc1.consul:8200/ui/vault/identity/oidc/provider/vault-provider/authorize?client_id=my-client-d&nonce=the-nonce&redirect_uri=http%3A%2F%2F127.0.0.1%3A64463%2Foidc%2Fcallback&response_type=code&scope=openid&state=state-string

Vault login page, after successfully authenticating (screenshot omitted):

Additionally, the client has been configured with the redirect URIs mentioned in the documentation. I think what the problem potentially could be is that the redirect URI (mentioned above from the CLI logs) is not literally http://127.0.0.1/oidc/callback, but rather it contains a random port value after localhost. From my limited experience with OIDC, from what I can gather the allowed redirect URIs must contain an exact match for the redirect.

vault read identity/oidc/client/waypoint                    
Key                 Value
---                 -----
access_token_ttl    2h
assignments         [my-assignment]
client_id           my-client-id
client_secret       my-client-secret
id_token_ttl        1h
key                 wp-key
redirect_uris       [http://127.0.0.1/oidc/callback https://waypoint-ui.service.dc1.consul:9702/oidc/callback]

Here’s what my auth-method settings are:

waypoint auth-method inspect vault
name: "vault"
display_name: "vault"
oidc: <
  client_id: "my-client-id"
  client_secret: "[REDACTED: client secret]"
  discovery_url: "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-oidc-provider"
  discovery_ca_pem: "----MY_CERT_FOR_VAULT-----"
>

And the configuration of my OIDC provider in Vault is below:

{
  "issuer": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider",
  "jwks_uri": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/.well-known/keys",
  "authorization_endpoint": "https://vault.service.dc1.consul:8200/ui/vault/identity/oidc/provider/vault-provider/authorize",
  "token_endpoint": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/token",
  "userinfo_endpoint": "https://vault.service.dc1.consul:8200/v1/identity/oidc/provider/vault-provider/userinfo",
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "user",
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ]
}

Barring a configuration I could have missed on my end, I think that this is an issue where Vault’s OIDC provider does not allow any port to be used for the loopback interface. I have opened this issue for tracking it.

Update here! Vault 1.9.4 was released last week. This release contained the bug fix mentioned in my last post (PR) below. After this was addressed, I was able to use Vault as the OIDC provider for Waypoint and log in! :smiley: This comes along with the fancy feature of limiting access to only one group I created in Vault for admins of Waypoint.

1 Like
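The exact-match rule described in the first post, and the loopback-port exception it was missing, as an added example that is not Vault's or Waypoint's code: RFC 8252 section 7.3 requires an authorization server to accept any port on a loopback IP redirect URI, because a native client such as the Waypoint CLI binds an ephemeral port for each login and cannot register it in advance. The validator below parses the authorize URL quoted in the thread (with the placeholder values the poster already substituted), shows the strict string comparison that rejects http://127.0.0.1:64463/oidc/callback against the registered http://127.0.0.1/oidc/callback, and shows the loopback-aware comparison that accepts it while still demanding an exact scheme, host and path and a matching port for every non-loopback URI. The registered URI list is constructed from the `vault read` output in the post; `REGISTERED_REDIRECT_URIS`, `LOOPBACK_HOSTS` and the function names are this example's own.

```python
from urllib.parse import parse_qs, urlsplit, SplitResult

# Constructed from the thread: the redirect URIs registered on the Vault client
# (from the `vault read identity/oidc/client/waypoint` output).
REGISTERED_REDIRECT_URIS = [
    "http://127.0.0.1/oidc/callback",
    "https://waypoint-ui.service.dc1.consul:9702/oidc/callback",
]

# The authorize URL the Waypoint CLI printed, with the poster's placeholder values.
AUTHORIZE_URL = (
    "https://vault.service.dc1.consul:8200/ui/vault/identity/oidc/provider/"
    "vault-provider/authorize?client_id=my-client-id&nonce=the-nonce"
    "&redirect_uri=http%3A%2F%2F127.0.0.1%3A64463%2Foidc%2Fcallback"
    "&response_type=code&scope=openid&state=state-string"
)

# RFC 8252 section 7.3 names the loopback IP literals; "localhost" is deliberately
# excluded (section 8.3 warns that it can resolve to a non-loopback address).
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def redirect_uri_from_authorize_url(url: str) -> str:
    """Return the percent-decoded redirect_uri parameter of an authorize request.

    A request with zero or several redirect_uri values is rejected outright,
    so an ambiguous request can never pass validation by accident.
    """
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    values = params.get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("authorize request must carry exactly one redirect_uri")
    return values[0]


def strict_match(requested: str, registered: list[str]) -> bool:
    """Plain string equality: the behaviour the poster ran into."""
    return requested in registered


def _same_except_port(a: SplitResult, b: SplitResult) -> bool:
    """Compare every URI component except the port."""
    return (
        a.scheme == b.scheme
        and a.hostname == b.hostname
        and a.path == b.path
        and a.query == b.query
    )


def loopback_aware_match(requested: str, registered: list[str]) -> bool:
    """Exact match, plus the RFC 8252 loopback exception.

    Only the port may vary, and only when the registered URI is an http URI
    whose host is a loopback IP literal.  Scheme, host, path and query still
    have to match exactly, so the relaxation cannot be widened into a redirect
    to another host or path.  A fragment is never allowed in a redirect URI
    (RFC 6749 section 3.1.2).
    """
    req = urlsplit(requested)
    if req.fragment:
        return False
    for candidate in registered:
        if requested == candidate:
            return True
        reg = urlsplit(candidate)
        if (
            reg.scheme == "http"
            and reg.hostname in LOOPBACK_HOSTS
            and _same_except_port(req, reg)
        ):
            return True
    return False


def check_request(url: str, registered: list[str]) -> dict[str, object]:
    """Evaluate one authorize request under both policies."""
    redirect_uri = redirect_uri_from_authorize_url(url)
    return {
        "redirect_uri": redirect_uri,
        "strict": strict_match(redirect_uri, registered),
        "loopback_aware": loopback_aware_match(redirect_uri, registered),
    }


if __name__ == "__main__":
    for key, value in check_request(AUTHORIZE_URL, REGISTERED_REDIRECT_URIS).items():
        print(f"{key}: {value}")
```

Under the strict policy the CLI's request fails exactly as the poster saw; under the loopback-aware policy it passes, while a changed path, a non-loopback URI on a different port, or a `localhost` host are all still rejected.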