Unable to authenticate via CLI

sushzhere · April 5, 2025, 1:29pm

Hi,
I have configured OIDC as an authentication provider and it works well when working with Vault UI. However, with the CLI I get below error:
Error authenticating: listen tcp [::1]:8250: bind: cannot assign requested address
I checked but the port was free so not able to understand what is the issue.

jonathanfrappier · April 7, 2025, 12:38pm

When you configured the OIDC provider in Vault, what did you set for allowed_redirect_uris? Similarly, what did you use for sign-in redirects in your OIDC provider? There needs to be one for localhost when using the CLI.

You can see an example Okta and Vault config here where you add the redirect in Okta, and also configure in the Vault auth method.

sushzhere · April 9, 2025, 4:45pm

Yes, I have added that on both sides. I have used https://localhost:8250/oidc/callback in the redirect URI. When this URL wasn’t updated, the error was different but now its only the port. Is it related to a network issue?

jonathanfrappier · April 9, 2025, 7:50pm

Out of curiosity, what if you set the callback in your IDP and Vault to http instead of https? If you don’t have a trusted certificate (unless you made your own for localhost?), I would imagine there would be errors going to https for the CLI callback.

sushzhere · April 10, 2025, 2:08am

I had tried that but same error.
Infact if I remove http://localhost:8250/oidc/callback from the allowed_redirect_uris, I get Error authenticating: Unable to authorize role "verify" with redirect_uri "http://localhost:8250/oidc/callback". Check Vault logs for more information.
If I add it, then Error authenticating: listen tcp [::1]:8250: bind: cannot assign requested address

jonathanfrappier · April 10, 2025, 11:37am

Did you truncate any callback configs - either in Vault or in your IDP with listen tcp [::1]:8250?

sushzhere · April 12, 2025, 1:53pm

Hi @jonathanfrappier, I am not sure if I understand the question correctly. I am attaching the screenshot from Vault and OIDC provider for the redirect uris that I have set. Hope it helps narrow down the issue.

jonathanfrappier · April 15, 2025, 2:26pm

I don’t think you need that last redirect `https://hashivault1…com:8200/oidc/callback - wonder if that is conflicting with the localhost redirect.

Here is an example config with Okta:

sushzhere · April 18, 2025, 11:37am

No, it isn’t conflicting. I removed it but the error still persists.

jonathanfrappier · April 19, 2025, 4:56pm

What is your OIDC provider? I can follow the tutorial and set it up with that provider to see if I can reproduce it.

sushzhere · April 26, 2025, 7:27am

It is IBM Verify SaaS.
I followed OIDC authentication with Okta | Vault | HashiCorp Developer for the integration.

Topic		Replies	Views
Problems with Vault OIDC authentication via CLI Vault vault	3	868	June 15, 2023
OIDC Integration with Google Vault	1	689	November 26, 2019
Using OIDC as auth type connecting to Vault from CLI always shows the redirect url as localhost Vault	7	770	August 31, 2023
Configuring redirect uris for cli login to vault via oidc Vault	3	1192	September 12, 2023
What exactly are `allowed_redirect_uris`? Vault	4	1167	May 4, 2022

Unable to authenticate via CLI

Related topics