Problem getting OIDC to work with Azure in the UI - CLI works fine!

I’ve setup a vault instance connected to Azure AD authentication using the OIDC mechanism as described here:

https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html

This seems to work perfectly in the CLI:

vault login -method=oidc role="default"

Complete the login via your OIDC provider. Launching browser to:

https://login.microsoftonline.com/

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run “vault login”
again. Future Vault requests will automatically use this token.

If I try it via the web-UI however, the flow is:

  1. Open vault UI
  2. Select “OIDC” method and “default” role
  3. Click login
  4. New browser window pops up asking for Azure AD authentication
  5. After login, redirects to a vault callback URL that displays:

" Signing in with your OIDC provider…
This window will close automatically"

  6. Redirects again (in the popup) to:

https://vault.customer.com/ui/vault/auth?redirect_to=%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token

At this stage I am simply seeing the standard “Sign in to Vault” form which is defaulting to Token login again - in the popup window.

The main browser window is still in the OIDC flow (greyed out, vault logo flashing).

If I then close the popup window, the main window gets an error:

" Error

The provider window was closed before authentication was complete. Please click Sign In to try again."

Since the whole flow appears to work in the CLI, and I manage to get authenticated in Azure through the UI as well, I believe the issue is in the redirect configuration in the vault somewhere. This is the vault configuration (as documented):

vault write auth/oidc/config oidc_discovery_url="https://login.microsoftonline.com//v2.0" oidc_client_id="" oidc_client_secret="" default_role="default"

vault write auth/oidc/role/default allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.customer.com/ui/vault/auth/oidc/oidc/callback" user_claim="email" groups_claim="groups" policies="default"

Does anyone have any suggestions on how to debug this further, or an idea of what I am doing wrong?

Thanks in advance!
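A small decoder for the popup URL quoted above, added here as an example and not part of the thread or of Vault's own code. It unwraps the redirect_to parameter, rebuilds the absolute callback URL and checks it against the role's allowed_redirect_uris list by exact string comparison, which is the first thing worth confirming when the popup lands on the plain login form. It assumes the web UI is mounted under /ui (so the redirect_to path gets that prefix), and the sample URL is constructed with a placeholder code value.

```python
"""Decode a Vault UI login URL captured after the OIDC callback and check whether the
callback it encodes is on the role's allowed_redirect_uris allowlist.

Added example, not Vault's own code. Assumptions: the UI is served under the /ui
prefix, so the redirect_to path is prefixed with /ui to rebuild the absolute callback
URL; allowlist matching is an exact comparison of scheme, host and path with the
query string removed."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

UI_PREFIX = "/ui"  # assumption: the Vault web UI is mounted under /ui

# Allowlist copied from the role configuration in the post above.
ALLOWED_REDIRECT_URIS = [
    "http://localhost:8250/oidc/callback",
    "https://vault.customer.com/ui/vault/auth/oidc/oidc/callback",
]

# Constructed sample, modelled on the popup URL in the post (code value is a placeholder).
SAMPLE_UI_URL = (
    "https://vault.customer.com/ui/vault/auth?redirect_to="
    "%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback%3Fcode%3DCODE_PLACEHOLDER"
    "%26state%3Dffbc5c502335110672bcf9a182da96c00f368cb3"
    "%26session_state%3Dd7f51155-95c6-4370-a872-341829ccaff7&with=token"
)


def rebuild_callback(ui_login_url):
    """Return (absolute callback URL without query, inner query params), or (None, {})
    when the UI login URL carries no redirect_to parameter."""
    outer = urlsplit(ui_login_url)
    # parse_qs splits on '&' before percent-decoding, so the nested '%26' survives
    # as part of the redirect_to value and is only decoded once.
    redirect_to = parse_qs(outer.query).get("redirect_to", [None])[0]
    if redirect_to is None:
        return None, {}
    inner = urlsplit(redirect_to)
    path = inner.path if inner.path.startswith(UI_PREFIX + "/") else UI_PREFIX + inner.path
    callback = urlunsplit((outer.scheme, outer.netloc, path, "", ""))
    return callback, parse_qs(inner.query)


def check_redirect(ui_login_url, allowed=ALLOWED_REDIRECT_URIS):
    """Summarise what matters when the popup shows the login form instead of closing."""
    callback, params = rebuild_callback(ui_login_url)
    return {
        "callback": callback,
        "allowed": callback in allowed,   # exact match against allowed_redirect_uris
        "has_code": "code" in params,     # authorization code returned by the provider
        "has_state": "state" in params,   # state ties the callback to the login attempt
    }


if __name__ == "__main__":
    print(check_redirect(SAMPLE_UI_URL))
```

Run it against the URL copied from the popup's address bar; a callback that differs from the allowlist in scheme, host, port or path (for example http instead of https, or a missing /ui segment) shows up as allowed being False, while a missing state or code points at the provider leg of the flow rather than at the role configuration.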

Hi,

I’m not seeing anything wrong with your configuration. And if the Vault server log isn’t showing any errors about redirects not being allowed, then the URLs are probably OK. We have seen on at least one occasion a browser plugin cause some odd behavior during redirects. So one idea would be to try different browsers, and also try starting them without plugins. It may help rule out that sort of issue, or browser specific behavior.

Regards,
Jim

Heh, you are right! Works perfectly fine in Chromium, while it refuses to work in Brave. I’ll see if I can narrow it down to a specific plugin or configuration tomorrow, thanks for the tip!

Can’t seem to narrow down the cause: Brave Shield is disabled for both Vault and Azure domains, no popup blockers active, no relevant errors in the console. So for anyone else experiencing this issue when attempting to configure OIDC: try with a different browser than Brave.

Thanks again for the help Jim.