Sign into vault via keycloak oidc

Trying to use vault login -method=oidc for Keycloak, but it doesn’t seem to work.

vault login -method=oidc -path=keycloak role=default

Error authenticating: Unable to authorize role “default” with redirect_uri “http://localhost:8250/oidc/callback”. Check Vault logs for more information.

Tried with overrides

vault login -method=oidc -path=keycloak role=default username=jeff@domain.com callbackhost=domain.com callbackport=443 callbackmethod=https listenaddress=domain.com

Error authenticating: Unable to authorize role “default” with redirect_uri “https://domain.com:443/oidc/callback”. Check Vault logs for more information.

2022-06-08T23:36:50.665Z [WARN] auth.oidc.auth_oidc_7644d9f1: unauthorized redirect_uri: redirect_uri=https://domain.com:443/oidc/callback
2022-06-08T23:37:36.816Z [WARN] auth.oidc.auth_oidc_7644d9f1: unauthorized redirect_uri: redirect_uri=http://domain.com:8250/oidc/callback
unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback

In Keycloak I have set the valid redirect URIs to:
http://localhost:8250/oidc/*
https://domain.com/oidc/*

It’s typically recommended not to use wildcards in redirect URI configuration if you don’t have to - and you do not have to with Vault.

http://localhost:8250/oidc/callback is a correct redirect URI for logging in using the Vault CLI.

However, the other URIs in your post look like you’re just making up incorrect URIs. The actual URIs used by Vault OIDC are documented at https://www.vaultproject.io/docs/auth/jwt#redirect-uris.

Also, from the log messages you quote, it sounds like you haven’t configured the allowed_redirect_uris value on your Vault OIDC role. That parameter is documented at https://www.vaultproject.io/api-docs/auth/jwt#allowed_redirect_uris and is also shown in the CLI example at point 3 of https://www.vaultproject.io/docs/auth/jwt#configuration.
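To make the point of the reply concrete, here is an added example (not code from the original post, the reply, or the Vault project) showing what a role with exact allowed_redirect_uris looks like and how Vault decides whether a redirect_uri from the CLI is authorized. The role values and the UI host vault.domain.com:8200 are assumptions for the example; the validRedirect function is my reimplementation of the JWT/OIDC plugin's check as I understand it (exact string match, port-agnostic only for loopback hosts per RFC 8252 section 7.3, no wildcards). It is run over the three warning lines quoted in the question.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed role configuration for this example. With exact URIs like these,
// the CLI callback and the UI callback are authorized and nothing else is.
// The same two URIs belong in Keycloak's "Valid Redirect URIs" without wildcards.
//
//   vault write auth/keycloak/role/default \
//       role_type=oidc \
//       user_claim=email \
//       bound_audiences=vault \
//       allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.domain.com:8200/ui/vault/auth/keycloak/oidc/callback" \
//       token_policies=default
var allowedRedirectURIs = []string{
	"http://localhost:8250/oidc/callback",                                  // vault login -method=oidc
	"https://vault.domain.com:8200/ui/vault/auth/keycloak/oidc/callback", // Vault UI login (assumed host)
}

// validRedirect mirrors the plugin's check (as understood by the author of
// this example): the redirect_uri must match an allowed entry exactly, except
// that loopback hosts are compared without their port (RFC 8252 section 7.3).
func validRedirect(uri string, allowed []string) bool {
	in, err := url.Parse(uri)
	if err != nil {
		return false
	}
	loopback := map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}
	if !loopback[in.Hostname()] {
		for _, a := range allowed {
			if a == uri {
				return true
			}
		}
		return false
	}
	in.Host = in.Hostname() // drop the port for loopback comparison
	for _, a := range allowed {
		au, err := url.Parse(a)
		if err != nil {
			continue
		}
		au.Host = au.Hostname()
		if in.String() == au.String() {
			return true
		}
	}
	return false
}

var redirectRe = regexp.MustCompile(`unauthorized redirect_uri: redirect_uri=(\S+)`)

// unauthorizedRedirects extracts redirect_uri values from Vault WARN lines and
// returns the ones the given role would still reject.
func unauthorizedRedirects(logText string, allowed []string) []string {
	var rejected []string
	for _, line := range strings.Split(logText, "\n") {
		m := redirectRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if !validRedirect(m[1], allowed) {
			rejected = append(rejected, m[1])
		}
	}
	return rejected
}

// The three warning lines quoted in the question, embedded as sample input.
const sampleLog = `2022-06-08T23:36:50.665Z [WARN] auth.oidc.auth_oidc_7644d9f1: unauthorized redirect_uri: redirect_uri=https://domain.com:443/oidc/callback
2022-06-08T23:37:36.816Z [WARN] auth.oidc.auth_oidc_7644d9f1: unauthorized redirect_uri: redirect_uri=http://domain.com:8250/oidc/callback
unauthorized redirect_uri: redirect_uri=http://localhost:8250/oidc/callback`

func main() {
	for _, u := range unauthorizedRedirects(sampleLog, allowedRedirectURIs) {
		fmt.Println("still rejected by the role:", u)
	}
}
```

With the role above, only the two made-up domain.com callbacks remain rejected; the CLI's default http://localhost:8250/oidc/callback is accepted, and it would also be accepted on any other loopback port, which is why overriding callbackhost to a public hostname only widens what must be listed.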