Redirect to vault UI with a jwt token


For a project using Vault, I have to create my own “jwt” provider.
I’m using a Python Flask proxy in the first place, so the user can log in to our own authentication platform; once that is done I get a certain ticket that I put into a JWT in order to connect to Vault.

If I take the “jwt” and paste it myself into the UI this way:

It works perfectly.

What I want to do is to automate this “copy-paste” of the jwt.
I saw in the documentation a way to connect using a curl POST request with a payload containing the jwt, but unfortunately it’s not a “redirection”.

Thus when I try to redirect my user to the address "

```json
{"errors":["unsupported operation"]}
```

on the webpage.

Does anyone have a solution for it?

Have a nice week.

I’m not sure there’s any way implemented to do this.

The supported way would be to use regular OIDC, where you have a JWT/OIDC auth method (they’re the same code, it just goes by two different names) configured with a role that is of role_type oidc.

A user would arrive at the Vault UI, and would click a “Sign in with OIDC” button, and be redirected to your configured OIDC identity provider - which would then redirect back, following the OIDC Authorization Code flow.

If you have a single sign-on solution that does not support OIDC, however, this won’t help you.
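To make the recommendation above concrete, here is an added configuration example (written for this thread, not taken from the original posts or from the Vault project) using the Terraform Vault provider. It puts the two role types side by side: a `jwt` role, which only supports the API/CLI login (and the manual token paste in the UI) that the question describes, and an `oidc` role, which is what drives the “Sign in with OIDC” button and the Authorization Code redirect. The hostnames `sso.example.com` and `vault.example.com`, the mount paths, role names, audience and policy names are assumptions for illustration.

```hcl
# --- Variant 1: what the question already has -------------------------------
# A "jwt" type mount that trusts JWTs signed by the asker's own proxy.
# Login is an explicit API call:
#   POST /v1/auth/jwt/login  {"role": "proxy", "jwt": "<token>"}
# There is no URL the UI will accept a bearer JWT on, so no redirect is possible.
resource "vault_jwt_auth_backend" "proxy_jwt" {
  path = "jwt"   # assumed mount path
  type = "jwt"

  # Public key(s) of the proxy that mints the JWTs (assumed file name).
  jwt_validation_pubkeys = [file("proxy-signing-key.pem")]
}

resource "vault_jwt_auth_backend_role" "proxy" {
  backend   = vault_jwt_auth_backend.proxy_jwt.path
  role_name = "proxy"
  role_type = "jwt"

  user_claim      = "sub"       # claim that becomes the entity alias name
  bound_audiences = ["vault"]   # reject tokens minted for another service
  token_policies  = ["default", "reader"]   # assumed policy names
  token_ttl       = 3600
}

# --- Variant 2: the recommended path ----------------------------------------
# An "oidc" type mount backed by a real OIDC identity provider. The UI shows
# "Sign in with OIDC", sends the user to the IdP, and the IdP redirects back
# to the callback URI below; Vault completes the Authorization Code exchange.
resource "vault_jwt_auth_backend" "sso" {
  path = "oidc"   # assumed mount path
  type = "oidc"

  oidc_discovery_url = "https://sso.example.com"   # assumed issuer
  oidc_client_id     = "vault"
  oidc_client_secret = var.oidc_client_secret      # keep out of source control
  default_role       = "ui-users"                  # role the UI uses if none is typed
}

resource "vault_jwt_auth_backend_role" "ui_users" {
  backend   = vault_jwt_auth_backend.sso.path
  role_name = "ui-users"
  role_type = "oidc"

  user_claim      = "sub"
  bound_audiences = ["vault"]   # must match the client_id the IdP puts in "aud"

  # The UI callback lives at /ui/vault/auth/<mount path>/oidc/callback;
  # the CLI ("vault login -method=oidc") listens on localhost:8250.
  # Anything not listed here is rejected, which is what stops an attacker
  # from bouncing the authorization code to a host they control.
  allowed_redirect_uris = [
    "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
  ]

  token_policies = ["default", "reader"]   # assumed policy names
  token_ttl      = 3600
}
```

Two things to check before relying on this: the `allowed_redirect_uris` entry must match the mount path exactly (here the mount is `oidc`, hence `/auth/oidc/oidc/callback`), and `bound_audiences` should be the client ID registered at the IdP, otherwise the callback fails with a claim validation error rather than logging the user in.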

Maybe there is a way to redirect someone with a vault-token in their header or something in order to log the user directly in to the UI?

Do you have an idea of how Vault does the web authentication of a user on the UI?

There is something a bit like this, but as far as I know it’s completely undocumented other than in a few PRs in the Vault repository, and according to Vault UI Auto-Login without Namespace · Issue #17355 · hashicorp/vault · GitHub it still has issues which make it an incomplete solution.

My personal recommendation would be to try to do standard OIDC instead.

Thanks for your answers; I will share this information with my team.

Have a nice week-end.