I've set up a Vault instance connected to Azure AD authentication using the OIDC mechanism as described here:
https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html
This seems to work perfectly in the CLI:
vault login -method=oidc role="default"
Complete the login via your OIDC provider. Launching browser to:
https://login.microsoftonline.com/…
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run “vault login”
again. Future Vault requests will automatically use this token.
…
If I try it via the web-UI however, the flow is:
- Open vault UI
- Select “OIDC” method and “default” role
- Click login
- New browser window pops up asking for Azure AD authentication
- After login, redirects to a vault callback URL that displays:
"Signing in with your OIDC provider…
This window will close automatically"
- Redirects again (in the popup) to:
https://vault.customer.com/ui/vault/auth?redirect_to=%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token
At this stage I am simply seeing the standard “Sign in to Vault” form which is defaulting to Token login again - in the popup window.
The main browser window is still in the OIDC flow (greyed out, vault logo flashing).
If I then close the popup window, the main window gets an error:
"Error
The provider window was closed before authentication was complete. Please click Sign In to try again."
Since the whole flow appears to work in the CLI, and I manage to get authenticated in Azure through the UI as well, I believe the issue is in the redirect configuration in Vault somewhere. This is the Vault configuration (as documented):
vault write auth/oidc/config oidc_discovery_url="https://login.microsoftonline.com//v2.0" oidc_client_id="" oidc_client_secret="" default_role="default"
vault write auth/oidc/role/default allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.customer.com/ui/vault/auth/oidc/oidc/callback" user_claim="email" groups_claim="groups" policies="default"
Does anyone have any suggestions on how to debug this further, or an idea of what I am doing wrong?
Thanks in advance!
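One concrete way to debug the redirect side of this, as an added example that is not part of the original post: take the URL the popup ended up on, reconstruct the absolute callback it names in `redirect_to`, and compare it against the role's `allowed_redirect_uris` using exact matching, which is what OAuth 2.0 redirect URI validation requires (prefix or substring matching would open the door to redirect abuse). The script below uses the URLs and allowlist quoted in the post; the authorization `code` value was elided there, so a placeholder is substituted. It assumes the `redirect_to` path is the value the UI sends to Azure as `redirect_uri`; whether that holds for the Ember-based UI is an assumption to confirm by inspecting the actual authorization request in the browser's network tab.

```python
"""Check an observed Vault OIDC callback against the role's allowed_redirect_uris.

Added example, not part of the original post or of Vault itself. It
reconstructs the callback URL that the popup was redirected to (taken from
the redirect_to parameter) and compares it, with exact matching as OAuth 2.0
requires, against the allowlist passed to `vault write auth/oidc/role/default`.
"""
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Constructed from the URLs in the post; the code value was elided there,
# so a placeholder is used in its place.
OBSERVED_POPUP_URL = (
    "https://vault.customer.com/ui/vault/auth"
    "?redirect_to=%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%3DPLACEHOLDER"
    "%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3"
    "%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token"
)

# The allowlist exactly as configured on the role in the post.
ALLOWED_REDIRECT_URIS = [
    "http://localhost:8250/oidc/callback",
    "https://vault.customer.com/ui/vault/auth/oidc/oidc/callback",
]


def effective_callback(popup_url: str) -> dict:
    """Return the absolute callback URL (query stripped) named by redirect_to,
    plus the state and session_state values carried inside it."""
    outer = urlsplit(popup_url)
    outer_q = parse_qs(outer.query)
    # parse_qs already percent-decodes, so this is the inner URL in clear.
    redirect_to = outer_q.get("redirect_to", [""])[0]
    inner = urlsplit(redirect_to)
    inner_q = parse_qs(inner.query)
    # Resolve the relative path against the popup's own origin.
    absolute = urlunsplit((outer.scheme, outer.netloc, inner.path, "", ""))
    return {
        "callback": absolute,
        "state": inner_q.get("state", [None])[0],
        "session_state": inner_q.get("session_state", [None])[0],
    }


def is_allowed(callback: str, allowed: list) -> bool:
    """Exact string comparison only: no prefix, wildcard or substring matching,
    which is how redirect URI allowlists must be enforced to avoid open redirects."""
    return callback in allowed


def diagnose(popup_url: str, allowed: list) -> dict:
    """Report whether the observed callback is allowed and, if not, which
    allowlist entries differ from it only by a leading path prefix (such as
    /ui), so a missing or doubled prefix is visible at a glance."""
    info = effective_callback(popup_url)
    info["allowed"] = is_allowed(info["callback"], allowed)
    observed_path = urlsplit(info["callback"]).path
    info["near_miss"] = [
        u for u in allowed
        if u != info["callback"] and urlsplit(u).path.endswith(observed_path)
    ]
    return info


if __name__ == "__main__":
    for key, value in diagnose(OBSERVED_POPUP_URL, ALLOWED_REDIRECT_URIS).items():
        print(f"{key}: {value}")
```

Run against the post's values, the reconstructed callback is `https://vault.customer.com/vault/auth/oidc/oidc/callback`, which is not in the allowlist, and the only near miss is the `/ui/...` entry. That does not by itself prove the cause, since the UI may rewrite the path before sending `redirect_uri` to Azure, but it shows which two strings to compare in the browser's network log and in Vault's audit log for the `auth/oidc/oidc/callback` request.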