Unable to get a token from OIDC login flow (API only)

Hello,

I’m using OIDC with Azure AD to connect to Vault.
From the UI it works fine, but when I use the API with:

POST https://vault.xxxxx.xx/v1/auth/oidc/login

The response is: “role with oidc role_type is not allowed”

auth/oidc/role/default:

Key                        Value
---                        -----
allowed_redirect_uris      [http://localhost:8250/oidc/callback https://vault.xxxxx.xx/ui/vault/auth/oidc/oidc/callback]
bound_audiences            <nil>
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               groups
max_age                    0
not_before_leeway          0
oidc_scopes                [profile]
policies                   [default]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [default]
token_ttl                  0s
token_type                 default
user_claim                 email
user_claim_json_pointer    false
verbose_oidc_logging       false

Thank you for your help.

This is functioning as designed. role_type=oidc means a role configured for the browser-based login flow.

role_type=jwt is appropriate for a role you want to use for an API-based login.

So I need to “duplicate” my Azure AD configuration based on OIDC to JWT Auth?

You need two roles. Both can be in the same auth method mount (yes, it is somewhat confusing that the same auth method can be mounted under the names oidc or jwt - which behave exactly the same - yet once mounted, each role has a role_type setting which can also be oidc or jwt, which controls how that role behaves).

Some small amount of the configuration will be the same between roles. Not all of it though - some fields only apply to one type or the other.

I don’t understand that part:

Both can be in the same auth method mount (yes, it is somewhat confusing that the same auth method can be mounted under the names oidc or jwt - which behave exactly the same - yet once mounted

Actually, I have 2 auth methods:

  • jwt mounted in jwt/ with auth/jwt/role/default
  • oidc in oidc/ with auth/oidc/role/default

So I need to create a new jwt role under auth/oidc/role? How do I do that :exploding_head:

You are welcome to do this if you wish, and may be forced to if you have a requirement to have different configurations written to auth/jwt/config and auth/oidc/config, that cannot be merged into one.

However, if you do this, the same user logging in via oidc/ and jwt/ will count as two distinct users to Vault. This may or may not matter to you, depending on whether you’re being billed for Vault Enterprise, and which Vault features you are using.

The other option is to create (for example) a role named api-auth at auth/oidc/role/api-auth - docs: JWT/OIDC - Auth Methods - HTTP API | Vault | HashiCorp Developer specifying (amongst other settings) role_type=jwt, and have your services log in by writing to auth/oidc/login with role=api-auth.

It’s up to you how you want to assemble the various building blocks Vault provides.

I created the secondary role as you mentioned.

POST /v1/auth/oidc/role/api

{
	"name": "api",
	"role_type": "jwt",
	"user_claim": "email",
	"allowed_redirect_uris": "http://localhost:8250/oidc/callback,https://vault.xxxxxxx.io/ui/vault/auth/oidc/oidc/callback",
	"bound_audiences": ["{client_id}"],
	"oidc_scopes": ["https://graph.microsoft.com/.default"]
}

But once I log in:

POST /v1/auth/oidc/login

{ "role" : "api", "jwt" : "xxxx" }

I got an “error configuring token validator: unsupported config type”

I don’t understand what I’m missing.

Here is the config from my OIDC auth/oidc/config

{
  "oidc_client_id": "xxx",
  "oidc_client_secret": "xxxx",
  "default_role": "login",
  "oidc_discovery_url": "https://login.microsoftonline.com/xxx/v2.0"
}

Apologies… I trusted the Vault API design to make sense, and believed that since role_type is configurable per role, it would actually be possible to make use of that feature.

Digging around in the code (in https://github.dev/hashicorp/vault-plugin-auth-jwt) I have now come to the conclusion that, due to other restrictions in the code, it’s impossible to get a working configuration with mixed role_types in a single oidc/jwt mount… which is such a silly restriction :frowning:

Sorry for taking you down a misleading route… I guess you really do need to go back to using a separate auth/jwt/login endpoint on a separate auth mount.
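As an added illustration (not code from the thread or from Vault), here is a small offline pre-flight check that takes a JWT/OIDC mount config and a role definition and reports which of the two errors seen above a direct API login would hit. The mount classification order (client id + secret wins over a discovery URL) is my reading of vault-plugin-auth-jwt and is an assumption; the sample configs are constructed from the values posted in this thread.

```python
# Constructed samples, mirroring the thread: one mount configured for the
# browser OIDC flow (client id/secret), and a separate JWT-only mount.
OIDC_MOUNT_CONFIG = {
    "oidc_client_id": "xxx",
    "oidc_client_secret": "xxxx",
    "default_role": "login",
    "oidc_discovery_url": "https://login.microsoftonline.com/xxx/v2.0",
}
JWT_MOUNT_CONFIG = {
    "oidc_discovery_url": "https://login.microsoftonline.com/xxx/v2.0",
    "bound_issuer": "https://login.microsoftonline.com/xxx/v2.0",
}
DEFAULT_ROLE = {"role_type": "oidc", "user_claim": "email", "policies": ["default"]}
API_ROLE = {"role_type": "jwt", "user_claim": "email", "bound_audiences": ["{client_id}"]}


def mount_auth_type(config):
    """Classify a mount config. Precedence is an assumption about the plugin:
    a client id + secret marks the mount for the redirect-based OIDC flow,
    otherwise the first available token-validation source wins."""
    if config.get("oidc_client_id") and config.get("oidc_client_secret"):
        return "oidc_flow"
    if config.get("jwks_url"):
        return "jwks"
    if config.get("jwt_validation_pubkeys"):
        return "static_keys"
    if config.get("oidc_discovery_url"):
        return "oidc_discovery"
    return "unconfigured"


def check_api_login(config, role):
    """Predict the outcome of POST .../login with {"role": ..., "jwt": ...}.
    Returns (ok, message); messages reuse the errors quoted in the thread."""
    # An API login (caller supplies the JWT) needs a jwt-type role.
    if role.get("role_type", "oidc") != "jwt":
        return False, "role with oidc role_type is not allowed"
    auth_type = mount_auth_type(config)
    # A mount set up for the browser flow has no validator for caller-supplied JWTs,
    # which is why mixing role types in one mount fails.
    if auth_type == "oidc_flow":
        return False, "error configuring token validator: unsupported config type"
    if auth_type == "unconfigured":
        return False, "mount has no jwks_url, jwt_validation_pubkeys or oidc_discovery_url"
    return True, "ok"
```

Running the three combinations reproduces the thread: the oidc role is rejected outright, the jwt role on the OIDC mount fails at validator setup, and the jwt role on its own JWT mount passes.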

I just created a new auth based on JWT and it works.
I hoped that we could mix them, as you mentioned earlier.

Thank you for your help.