We are trying to connect to Vault from the CLI using the OIDC auth method. When we use vault login -method=oidc it gives an https URL which has the redirect URL set to localhost.
As we do not have a browser on the machine where we are running the vault command, we are copying the URL and entering the details in a browser, and then it redirects to localhost.
Is there a way that we can change the redirect URL to a server name or IP address instead of localhost when connecting from the CLI?
The redirect to localhost is used by the vault client to get the token from the OIDC server through the user’s browser.
The vault command temporarily opens a small http server on the user’s machine at port 8250 to get the token. I do not see an easy way to redirect from the browser running on another machine, as the redirect URI is configured in the OIDC server and you’d need to provide a different URI for each user.
I’m not sure the OIDC authentication method is suitable to be used on a machine without a browser.
I’m sorry, I do not understand why you’re using the OIDC method in your script: is the script to be used interactively by different users that need specific authorizations from the IDP to access secrets in Vault?
Could you give us some more details about the specific workflow involved?
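To make the mechanism in the reply above concrete, here is an added example (written for this thread, not the Vault CLI's own code) that models what vault login -method=oidc does on the client side: it builds the authorization URL with a redirect_uri pointing at the CLI host, binds a short-lived HTTP listener there (port 8250 by default), and accepts exactly one redirect whose state matches the one it issued. The IdP endpoint, client id and callback path are constructed stand-ins, and simulate_browser_redirect plays the role of the user's browser so the flow can be exercised offline. Because redirect_uri names the CLI machine, a browser on another host is sent to its own localhost, where no such listener exists, which is why copying the URL to a remote browser stalls.

```python
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins (hypothetical IdP and client id, not from the thread).
IDP_AUTHORIZE_URL = "https://idp.example.com/authorize"
CLIENT_ID = "vault-cli"
CALLBACK_PATH = "/oidc/callback"


def build_authorization_url(callback_host="localhost", callback_port=8250):
    """Return (url, state, nonce) for the browser leg of the login.

    redirect_uri names the host running the CLI; the IdP sends the browser
    back there, so a browser on another machine lands on *its* localhost.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"http://{callback_host}:{callback_port}{CALLBACK_PATH}",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return IDP_AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state, nonce


class CallbackServer(HTTPServer):
    """Short-lived listener that captures one authorization response."""

    def __init__(self, addr, expected_state):
        super().__init__(addr, _CallbackHandler)
        self.expected_state = expected_state
        self.result = None  # {"code": ...} or {"error": ...}
        self.done = threading.Event()


class _CallbackHandler(BaseHTTPRequestHandler):
    def log_message(self, *_args):  # silence per-request logging
        pass

    def do_GET(self):
        srv = self.server
        url = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(url.query)
        if url.path != CALLBACK_PATH:
            self.send_error(404)
            return
        # Discard any response whose state is not the one we issued; this is
        # what stops a forged or replayed redirect from handing over a code.
        if query.get("state", [None])[0] != srv.expected_state:
            srv.result = {"error": "state mismatch"}
            self.send_error(400, "state mismatch")
        elif "code" not in query:
            srv.result = {"error": query.get("error", ["missing code"])[0]}
            self.send_error(400, "missing code")
        else:
            srv.result = {"code": query["code"][0]}
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Login complete; you may close this window.\n")
        srv.done.set()


def start_listener(expected_state, host="127.0.0.1", port=8250):
    """Bind the callback listener (port=0 picks a free port) and serve it in the background."""
    srv = CallbackServer((host, port), expected_state)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def collect(srv, timeout=300):
    """Wait for the single redirect, stop the listener, and return the captured result."""
    srv.done.wait(timeout)
    srv.shutdown()
    srv.server_close()
    return srv.result


def simulate_browser_redirect(port, code, state):
    """Stand-in for the user's browser following the IdP redirect; returns the HTTP status."""
    target = f"http://127.0.0.1:{port}{CALLBACK_PATH}?" + urllib.parse.urlencode(
        {"code": code, "state": state})
    try:
        with urllib.request.urlopen(target, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

The listener is bound to 127.0.0.1 on purpose: the authorization code only ever travels from the browser to the process that started the login, on the same machine, and the state check ties the redirect to that one login attempt.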
Usually, we are trying to start an application which includes a step where our application will connect with Vault, and the only authentication mechanism available for connecting to Vault was OIDC.
Is there a way to get the token of the user on the fly by using any code-based approach (like Java, etc.) and then use that token in our code for getting secrets from Vault?
I’m afraid I do not understand your app workflow so it’s hard to try to give a hint. Could you give us some more details about the App, i.e. how it interacts with Vault and with the OIDC users?
Do you need to use OIDC because you do not control the Vault platform and OIDC is the only available authentication method you are allowed to use on Vault?
If not, I’d rather let the app authenticate itself (i.e. using AppRole auth method) to get the needed secrets from Vault.
Sorry for the poor answer but I’m groping in the dark here…
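As an added illustration of the AppRole suggestion in the reply above (example code for this thread, not HashiCorp's), this shows the shape of a non-interactive login: the application presents a RoleID and SecretID to Vault's auth/approle/login endpoint, receives a client token, and uses that token to read a KV v2 secret. The Vault address, the VAULT_ROLE_ID and VAULT_SECRET_ID environment variable names, the secret path and the hvs.FAKE token are all constructed for the example; fake_vault_transport stands in for a Vault server so the functions can be exercised offline, while the default transport talks to a real Vault over HTTPS. An operator has to enable the approle auth method on the Vault side first, so it only helps if that method is available to you.

```python
import json
import os
import urllib.request

# Constructed default; a real deployment sets VAULT_ADDR in the environment.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.com:8200")


def _http_json(method, url, body=None, token=None):
    """Send a JSON request to Vault and return the decoded response body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def approle_login(role_id, secret_id, vault_addr=VAULT_ADDR, transport=_http_json):
    """Exchange a RoleID/SecretID pair for a Vault client token.

    No browser or human is involved, which is what makes AppRole fit a
    service that authenticates itself at startup.
    """
    body = transport("POST", f"{vault_addr}/v1/auth/approle/login",
                     {"role_id": role_id, "secret_id": secret_id})
    auth = body["auth"]
    return {"token": auth["client_token"],
            "ttl": auth["lease_duration"],
            "renewable": auth["renewable"]}


def read_kv2_secret(token, path, mount="secret", vault_addr=VAULT_ADDR, transport=_http_json):
    """Read a KV v2 secret and return only its key/value data."""
    body = transport("GET", f"{vault_addr}/v1/{mount}/data/{path}", token=token)
    return body["data"]["data"]


def fetch_app_secret(path, transport=_http_json):
    """Typical startup path: credentials from the environment, never from the code."""
    login = approle_login(os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"],
                          transport=transport)
    return read_kv2_secret(login["token"], path, transport=transport)


def fake_vault_transport(method, url, body=None, token=None):
    """Offline stand-in for a Vault server (constructed responses, hypothetical ids)."""
    if method == "POST" and url.endswith("/v1/auth/approle/login"):
        if body != {"role_id": "demo-role-id", "secret_id": "demo-secret-id"}:
            raise PermissionError("invalid role or secret ID")
        return {"auth": {"client_token": "hvs.FAKE", "lease_duration": 3600, "renewable": True}}
    if method == "GET" and "/v1/secret/data/myapp/db" in url:
        if token != "hvs.FAKE":
            raise PermissionError("permission denied")
        return {"data": {"data": {"username": "app", "password": "constructed"},
                         "metadata": {"version": 1}}}
    raise LookupError(url)
```

The SecretID is the sensitive half of the pair and should be delivered to the application out of band (an injected environment variable or file) rather than checked into the code or image; the token it yields carries a TTL, so a long-running service also needs to renew or re-login before lease_duration expires.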
Do you need to use OIDC because you do not control the Vault platform and OIDC is the only available authentication method you are allowed to use on Vault?
Yes, you are right. Exactly this is the scenario that we have currently.
What do you mean by AppRole auth method?
Following are the only methods that are available for us in the UI.