Problem getting OIDC to work with Azure in the UI - CLI works fine!

I’ve set up a vault instance connected to Azure AD authentication using the OIDC mechanism as described here:

https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html

This seems to work perfectly in the CLI:

vault login -method=oidc role="default"

Complete the login via your OIDC provider. Launching browser to:

https://login.microsoftonline.com/

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

If I try it via the web-UI however, the flow is:

  1. Open vault UI
  2. Select “OIDC” method and “default” role
  3. Click login
  4. New browser window pops up asking for Azure AD authentication
  5. After login, redirects to a vault callback URL that displays:

"Signing in with your OIDC provider…
This window will close automatically"

  6. Redirects again (in the popup) to:

https://vault.customer.com/ui/vault/auth?redirect_to=%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token

At this stage I am simply seeing the standard “Sign in to Vault” form which is defaulting to Token login again - in the popup window.

The main browser window is still in the OIDC flow (greyed out, vault logo flashing).

If I then close the popup window, the main window gets an error:

"Error

The provider window was closed before authentication was complete. Please click Sign In to try again."

Since the whole flow appears to work in CLI, and I manage to get authenticated in Azure through the UI as well, I believe the issue is in the redirect configuration in the vault somewhere. This is the vault configuration (as documented):

vault write auth/oidc/config oidc_discovery_url="https://login.microsoftonline.com//v2.0" oidc_client_id="" oidc_client_secret="" default_role="default"

vault write auth/oidc/role/default allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.customer.com/ui/vault/auth/oidc/oidc/callback" user_claim="email" groups_claim="groups" policies="default"

Does anyone have any suggestions on how to debug this further, or an idea of what I am doing wrong?

Thanks in advance!
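An added debugging helper for the situation in the post above (this is example code written for this thread, not code from the poster or from HashiCorp Vault): it decodes the `redirect_to` URL the popup lands on, pulls out the callback path and the OIDC `state`/`session_state` parameters, and checks that the UI callback the role needs is actually on the comma-separated `allowed_redirect_uris` list. The sample popup URL is constructed from the one in the post, with the elided authorization code replaced by a placeholder; the allow list is the one from the `vault write auth/oidc/role/default` line. Treating `/ui` + the `redirect_to` path as the full UI callback path, and doing a plain exact-match check on the allow list, are both assumptions of this script.

```python
"""Diagnostic helper for a Vault UI OIDC popup that lands back on the login form.

Added example, not from this thread and not Vault's own code. Takes the
role's allowed_redirect_uris string plus the URL the popup ended up on and
reports anything that looks off. ASSUMPTION: the UI callback is
"<vault_addr>/ui" + the redirect_to path, and the allow list is matched
exactly (scheme, host, port and path).
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the popup URL from the post, with the elided
# authorization code replaced by a placeholder value.
SAMPLE_POPUP_URL = (
    "https://vault.customer.com/ui/vault/auth?redirect_to="
    "%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%3DEXAMPLE_CODE"
    "%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3"
    "%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token"
)
# The allow list exactly as written to auth/oidc/role/default in the post.
SAMPLE_ALLOWED = ("http://localhost:8250/oidc/callback,"
                  "https://vault.customer.com/ui/vault/auth/oidc/oidc/callback")
# Callback the CLI listener uses (from the same allow list in the post).
CLI_CALLBACK = "http://localhost:8250/oidc/callback"


def decode_ui_redirect(url: str) -> dict:
    """Pull the callback path and OIDC parameters out of a
    /ui/vault/auth?redirect_to=...&with=... URL."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    redirect_to = outer.get("redirect_to", [""])[0]  # parse_qs percent-decodes it
    cb = urlsplit(redirect_to)
    inner = parse_qs(cb.query, keep_blank_values=True)
    return {
        "callback_path": cb.path,
        "has_code": bool(inner.get("code", [""])[0]),
        "state": inner.get("state", [""])[0],
        "session_state": inner.get("session_state", [""])[0],
        "with": outer.get("with", [""])[0],  # which login tab the UI fell back to
    }


def redirect_allowed(allowed_csv: str, redirect_uri: str) -> bool:
    """Exact-match check of one redirect URI against a comma-separated
    allowed_redirect_uris value (simplified check; scheme, host and path
    must all match, so http:// vs https:// is a mismatch)."""
    allowed = {u.strip() for u in allowed_csv.split(",") if u.strip()}
    return redirect_uri in allowed


def diagnose(allowed_csv: str, vault_addr: str, popup_url: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    info = decode_ui_redirect(popup_url)
    findings = []
    # ASSUMPTION: UI routes live under /ui, so the callback the UI registers
    # with the provider is vault_addr + "/ui" + the redirect_to path.
    expected_cb = f"{vault_addr.rstrip('/')}/ui{info['callback_path']}"
    if not redirect_allowed(allowed_csv, expected_cb):
        findings.append(f"UI callback not in allowed_redirect_uris: {expected_cb}")
    if not redirect_allowed(allowed_csv, CLI_CALLBACK):
        findings.append(f"CLI callback not in allowed_redirect_uris: {CLI_CALLBACK}")
    if not info["has_code"]:
        findings.append("no authorization code in redirect_to")
    if not info["state"]:
        findings.append("no state parameter in redirect_to")
    return findings


if __name__ == "__main__":
    print(decode_ui_redirect(SAMPLE_POPUP_URL))
    for line in diagnose(SAMPLE_ALLOWED, "https://vault.customer.com", SAMPLE_POPUP_URL):
        print("finding:", line)
```

Run against the poster's configuration the script reports no findings, which matches Jim's reply below that the allow list itself looks fine; it earns its keep when the Vault address in the browser differs from the one in the allow list (for example `http://` vs `https://`, or a different port), since that exact-match failure is what produces a "redirect not allowed" error on the server side.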

Hi,

I’m not seeing anything wrong with your configuration. And if the Vault server log isn’t showing any errors about redirects not being allowed, then the URLs are probably OK. We have seen on at least one occasion a browser plugin cause some odd behavior during redirects. So one idea would be to try different browsers, and also try starting them without plugins. It may help rule out that sort of issue, or browser specific behavior.

Regards,
Jim

Heh you are right! Works perfectly fine in chromium, while it refuses to work in Brave. I’ll see if I can narrow it down to a specific plugin or configuration tomorrow, thanks for the tip!

Can’t seem to narrow down the cause: Brave Shield is disabled for both Vault and Azure domains, no popup blockers active, no relevant errors in the console. So for anyone else experiencing this issue when attempting to configure OIDC: try with a different browser than Brave.

Thanks again for the help Jim.

I experienced the same issue. This happens when your browser is blocking the pop-up window.

I’m suddenly having this same issue after weeks of normal operation with Vault 1.12.2.
I click on “Sign in with OIDC provider”, and almost immediately the main window shows “Error: The provider window was closed before authentication was complete. Please click Sign In to try again.”.
However, no browser works (tested Brave, Chrome, Firefox, Safari, using “incognito” windows), so it’s not browser specific, extension related or pop-up blocker related.
But CLI works.
Can’t see anything interesting in the logs.
Any suggestion?

Voiprodrigo, are you on MacOS (you mention Safari so I assume you are)?

Can you please confirm if the browser window you are signing in to the Vault UI with is in full screen mode? If so, toggle the window into windowed mode and repeat the sign in.

Let me know the result.

Hi @abest , correct, MacOS. I don’t use full screen mode, so all testing was done in windowed mode. I’ll test full screen though, just for the sake of it. Will update shortly.

Update: same problem in full-screen. A bit worse because in FS mode (at least in Brave), the auth window opens in a new tab, not in a pop-up.

Should also note that a colleague using Windows has the same issue (I believe he uses Chrome); this is not OS specific.

So, there IS an open issue for this problem with Firefox: “OIDC login fails when using Firefox in fullscreen on macOS” (hashicorp/vault issue #17584 on GitHub).

That mirrors my experience and testing so the issue has had a :+1: from me. I also updated the issue with the repro steps I devised.


Indeed. Though in my case, this is happening to users in both Windows and Mac, using Firefox or Chrome, full-screen or windowed. There’s no combination of it where it still manages to work.