Oidc login redirect problem related to azure ad integration!

Vault
1

I’m testing with azure vm for vault and azure ad integration.

When I log in to oidc with ui after configuration, redirect does not work, can you figure out the cause?

I can’t even log in with the cli.

When I try curl, the 8250 connection refused message appears, but the port does not exist in the routing.

os firewall is disabled, azure network is also open to 8250 port.

What’s the problem?

#vault auth enable oidc
#vault write auth/oidc/config oidc_discovery_url=“https://login.microsoftonline.com//v2.0” oidc_client_id="" oidc_client_secret=""
#vault write auth/oidc/role/devops user_claim=“email” oidc_scopes=“https://graph.microsoft.com/.default” groups_claim=“devops” policies=default ttl=1h allowed_redirect_uris=“http://localhost:8250/oidc/callback” allowed_redirect_uris=“http://localhost:8200/ui/vault/auth/oidc/oidc/callback
#vault write identity/group name=“devops” type=“external” policies=“default”

I also set the redirect uri to “http://localhost:8250/oidc/callback”, “http://localhost:8200/ui/vault/auth/oidc/oidc/callback” in azure ad’s app settings.

Please comment!

2

I believe the allowed_redirect_uris should be passed in as a comma separated string. Also, the user and groups claim parameters should leverage an attribute name passed in via the OIDC/JWT token. For the groups_claim this is normally groups or roles, if I recall correctly.

So your command should look more like this:

vault write auth/oidc/role/devops \
user_claim="email"  \
oidc_scopes="https://graph.microsoft.com/.default" \
groups_claim="groups" \
policies=default ttl=1h \
allowed_redirect_uris="http://localhost:8250/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback"

The 8250 port is only active when you’re attempting to authenticate from the Vault CLI. This port is active locally on the device (as in, only this device will be able to access the port) you’re trying to authenticate from (the Vault binary spins up a very temporary web server to process the OIDC process flow, once the flow completes the service is stopped and there is likely a timeout as well).

The second URI, the one with the 8200 port, should be the user facing URL that your Vault cluster uses. If Vault is behind a load balancer with a different port, use the load balancer URL and associated port (e.g., https://my_vault.example.com/ui/vault/auth/oidc/oidc/callback).

The OIDC registration in Azure should contain all the URIs as configured in Vault.

You’ll also need to create an Identity Alias for your identity group.

vault write identity/group-alias name=${azure_group_id} mount_accessor=${mount_accessor_id_of_oidc_auth_mount} canonical_id=${id_number_of_entity_group}