I’m suddenly having a login issue after weeks of normal operation with Vault 1.12.2.
I click on “Sign in with OIDC provider”, and almost immediately the main window shows “Error: The provider window was closed before authentication was complete. Please click Sign In to try again.”.
However, no browser works (tested Brave, Chrome, Firefox, Safari, using “incognito” windows), so it’s not browser-specific, extension-related or pop-up-blocker-related.
But OIDC workflow initiated via the CLI works.
Can’t see anything interesting in the logs.
One of the differences I can think of between browser OIDC and CLI authentication is the IdP provider-side callback url list.
You’ll use something like this for the browser URL:
and this for the CLI URL:
http://localhost:8250/oidc/callback # for CLI logins
These should both be listed as valid callback URLs. It’s possible there’s an issue around here - i.e. the vault server (vault.corp.com) hostname changed, the OIDC callback URL list got munged, etc.
The two callbacks are configured correctly, and there was no URL change.
This was all working, until it wasn’t, without any change in Vault.
And this affected two clusters, dev and prod, at the same time, and I’m the only person doing changes on the clusters.
I’ve meanwhile disabled OIDC, and reconfigured it all again, just in case, and no luck.
The only thing that changed recently on the IdP side was its TLS certificate. But I’m not configuring a CA for the discovery URL anyway, so it doesn’t really matter. And if the CLI login method works, I don’t see how the issue could be on the IdP side either.
In fact I don’t think Vault is contacting the IdP at all when starting OIDC auth via the UI: I ran a tcpdump and there’s 0 packet exchange with the IdP host. I’m just baffled with this.
Finally found the issue.
I identified that the OIDC Identity Provider started sending this header in its responses:
This header prevents proper communication between the main window and the pop-up window, due to differing origins. More details in “A guide to enable cross-origin isolation”, which clearly states this header breaks OAuth flows.
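A small diagnostic for the failure mode described in this thread, added here as an example and not code from the thread or from Vault. It assumes the unnamed header is Cross-Origin-Opener-Policy (the header the linked guide warns breaks popup-based OAuth), that the Vault UI origin differs from the IdP origin, and that the live-check URL is supplied by the operator.

```javascript
// COOP values that move a cross-origin popup into a new browsing-context group.
// The opener (the Vault UI) then sees the popup as closed and window.opener is nulled,
// which matches the "provider window was closed" error in the thread.
const SEVERING_COOP = new Set(["same-origin", "same-origin-allow-popups"]);

// Case-insensitive header lookup; accepts a fetch Headers object or a plain object.
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Reduce the header to its policy token; "unsafe-none" is the browser default when absent.
// Parameters such as `report-to="..."` are dropped.
function parseCoop(value) {
  if (value == null || value === "") return "unsafe-none";
  return value.split(";")[0].trim().toLowerCase();
}

// Decide whether the popup's response headers will detach it from its opener.
function assessPopupCompat(headers, popupOrigin, openerOrigin) {
  const coop = parseCoop(getHeader(headers, "cross-origin-opener-policy"));
  const crossOrigin = popupOrigin !== openerOrigin;
  const severed = crossOrigin && SEVERING_COOP.has(coop);
  const reason = severed
    ? `popup sends COOP "${coop}" and opener ${openerOrigin} is cross-origin: ` +
      "window.opener is nulled and the opener sees the popup as closed"
    : "opener/popup link preserved";
  return { coop, crossOrigin, severed, reason };
}

// Live check (Node 18+ global fetch). Redirects are followed because COOP only
// applies to document responses, i.e. the final login page, not the 302s before it.
async function checkIdp(authorizeUrl, openerOrigin) {
  const res = await fetch(authorizeUrl, { redirect: "follow" });
  return assessPopupCompat(res.headers, new URL(res.url).origin, openerOrigin);
}

// Constructed sample header set (not captured from a real IdP) showing the breaking case.
const sampleHeaders = { "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"' };

// Usage: node coop-check.js https://idp.example.com/authorize?... https://vault.example.com
if (process.argv.length > 3) {
  checkIdp(process.argv[2], process.argv[3]).then((r) => console.log(r));
} else {
  console.log(assessPopupCompat(sampleHeaders, "https://idp.example.com", "https://vault.example.com"));
}
```

The severed verdict on the sample is the condition to look for; the non-severed paths (no header, or same-origin opener and popup) show why the CLI flow, which never relies on window.opener, keeps working.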