Oidc login redirect problem related to azure ad integration!

s2lee · March 15, 2022, 5:54am

I’m testing with azure vm for vault and azure ad integration.

When I log in to oidc with ui after configuration, redirect does not work, can you figure out the cause?

I can’t even log in with the cli.

When I try curl, the 8250 connection refused message appears, but the port does not exist in the routing.

os firewall is disabled, azure network is also open to 8250 port.

What’s the problem?

#vault auth enable oidc
#vault write auth/oidc/config oidc_discovery_url=“https://login.microsoftonline.com//v2.0” oidc_client_id="" oidc_client_secret=""
#vault write auth/oidc/role/devops user_claim=“email” oidc_scopes=“https://graph.microsoft.com/.default” groups_claim=“devops” policies=default ttl=1h allowed_redirect_uris=“http://localhost:8250/oidc/callback” allowed_redirect_uris=“http://localhost:8200/ui/vault/auth/oidc/oidc/callback”
#vault write identity/group name=“devops” type=“external” policies=“default”

I also set the redirect uri to “http://localhost:8250/oidc/callback”, “http://localhost:8200/ui/vault/auth/oidc/oidc/callback” in azure ad’s app settings.

Please comment!

jeffsanicola · March 15, 2022, 12:05pm

I believe the allowed_redirect_uris should be passed in as a comma separated string. Also, the user and groups claim parameters should leverage an attribute name passed in via the OIDC/JWT token. For the groups_claim this is normally groups or roles, if I recall correctly.

So your command should look more like this:

vault write auth/oidc/role/devops \
user_claim="email"  \
oidc_scopes="https://graph.microsoft.com/.default" \
groups_claim="groups" \
policies=default ttl=1h \
allowed_redirect_uris="http://localhost:8250/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback"

The 8250 port is only active when you’re attempting to authenticate from the Vault CLI. This port is active locally on the device (as in, only this device will be able to access the port) you’re trying to authenticate from (the Vault binary spins up a very temporary web server to process the OIDC process flow, once the flow completes the service is stopped and there is likely a timeout as well).

The second URI, the one with the 8200 port, should be the user facing URL that your Vault cluster uses. If Vault is behind a load balancer with a different port, use the load balancer URL and associated port (e.g., https://my_vault.example.com/ui/vault/auth/oidc/oidc/callback).

The OIDC registration in Azure should contain all the URIs as configured in Vault.

You’ll also need to create an Identity Alias for your identity group.

vault write identity/group-alias name=${azure_group_id} mount_accessor=${mount_accessor_id_of_oidc_auth_mount} canonical_id=${id_number_of_entity_group}

Topic		Replies	Views
OIDC CLI login redirecting to localhost (with Azure AD) Vault azure	6	1782	January 14, 2022
Problem getting OIDC to work with Azure in the UI - CLI works fine! Vault	9	2834	January 18, 2023
OIDC configuration with Azure AD (Entra) Vault vault	3	1003	February 26, 2024
Configuring redirect uris for cli login to vault via oidc Vault	3	1273	September 12, 2023
Trying to connect via OIDC with gitlab Vault	5	1666	October 21, 2021

Oidc login redirect problem related to azure ad integration!

Related topics