I have configured my test Vault with an OIDC provider and can successfully authenticate with the vault CLI against my test Vault. So far so good.
Now I need to write a command-line utility which fetches a secret from that Vault, still with OIDC authentication … and without using the vault CLI. My thoughts were:
- Get the auth_url from Vault
- Display the link to the user and asking him/her to:
2a) open a browser
2b) authenticate at the OIDC provider
2c) paste the AuthCode to my command-line utility
- Then my command-line utility can send this to the OIDC Callback URL
/auth/jwt/oidc/callback at Vault and receive the token
I know I could use the CLI as well … no need to mention this. Also I will try to offer an HTTP endpoint in the command-line utility where the redirect with the code can be sent to.
So I send a request like the following:
But sadly, instead of the desired auth_url, I get an HTTP 400 with the error “missing client token”.
Obviously I do not have a client token at this point in time, since I am yet trying to authenticate and for that I need to get the auth_url. Am I missing something here?