Vault Azure OIDC Integration Issue

Hello Team,

I have been trying to integrate Azure AD with Vault using the link below:

But after configuration, when I try to log in, it gives me “claim email not found in token”.

When I define the OIDC scope as email (instead of the Graph API scope) while writing the role details in the OIDC auth method, the issue is resolved and I am able to retrieve the token. The step is referenced below:

# Role as written in the failing setup (Graph API scope). Straight quotes and
# line continuations added so the command runs as pasted; repeating
# allowed_redirect_uris gives Vault a list. Note that VAULT_ADDR already
# contains the scheme (e.g. https://vault.example.com:8200), so prefixing it
# with https:// again produces an invalid redirect URI.
vault write auth/oidc/role/approle \
    user_claim="email" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    allowed_redirect_uris="https://${VAULT_ADDR}/ui/vault/auth/oidc/oidc/callback" \
    groups_claim="groups" \
    policies="kv-reader" \
    oidc_scopes="https://graph.microsoft.com/.default"

From the Azure side, I have verified the steps and we are good there. So kindly let me know if anyone has any idea about this.

Post the JWT you get back from Azure AD. You might have to run your code through mitmproxy to get it.

That error message is telling you the problem: the JWT you are getting back from Azure AD does not have the email claim in it.

Vault looks for the claim in the ID token. Make sure it’s in it, with the exact same name.
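As an added example (not from the original post, the replies, or Vault's own code), here is a small Python check that does what the replies suggest: decode the payload of the ID token Azure AD returned and look for the claims the role above expects (user_claim and groups_claim), reporting the same absent-claim condition the original post hit. The two tokens are constructed inline and are not real Azure AD output; the claim-name resolution mirrors how Vault interprets a claim setting, a plain top-level name or, when it begins with "/", a JSON Pointer into nested claims. The signature is deliberately not verified: this is a diagnostic for seeing what is in the token, not a login path.

```python
import base64
import json

# Role settings from the original post: the claim names Vault looks up in the ID token.
ROLE = {"user_claim": "email", "groups_claim": "groups"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; add the padding back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT verified: this only shows what the issuer put in the
    token and is never a substitute for Vault's own validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def lookup_claim(claims: dict, name: str):
    """Resolve a claim name the way Vault does: a plain name is a top-level key;
    a name starting with '/' is a JSON Pointer (RFC 6901) into nested objects,
    e.g. '/user/mail'. Returns None when the claim is absent."""
    if not name.startswith("/"):
        return claims.get(name)
    node = claims
    for step in name[1:].split("/"):
        step = step.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        if isinstance(node, dict) and step in node:
            node = node[step]
        elif isinstance(node, list) and step.isdigit() and int(step) < len(node):
            node = node[int(step)]
        else:
            return None
    return node


def check_role_claims(token: str, role: dict) -> list:
    """List every claim the role needs that the token does not carry, phrased
    like the error reported in the original post."""
    claims = jwt_claims(token)
    missing = []
    for setting in ("user_claim", "groups_claim"):
        name = role.get(setting)
        if name and lookup_claim(claims, name) is None:
            missing.append(f"claim {name} not found in token")
    return missing


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed test token (alg 'none', empty signature) for offline
    inspection only; real Azure AD tokens are signed and must be validated."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample payloads (placeholder ids), not real Azure AD output.
# The first reproduces the failing case from the post: no 'email' claim at all.
TOKEN_WITHOUT_EMAIL = make_unsigned_token({
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
    "preferred_username": "alice@example.com",
    "oid": "11111111-1111-1111-1111-111111111111",
    "groups": ["22222222-2222-2222-2222-222222222222"],
})

# The second carries the claim under exactly the name the role asks for.
TOKEN_WITH_EMAIL = make_unsigned_token({
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
    "email": "alice@example.com",
    "preferred_username": "alice@example.com",
    "groups": ["22222222-2222-2222-2222-222222222222"],
})

if __name__ == "__main__":
    for label, tok in (("without email", TOKEN_WITHOUT_EMAIL), ("with email", TOKEN_WITH_EMAIL)):
        print(label, json.dumps(jwt_claims(tok), indent=2))
        print("  problems:", check_role_claims(tok, ROLE) or "none")
```

To use it on a real token captured as the reply describes, paste the ID token string into `jwt_claims()` and compare the printed keys with the role's `user_claim` and `groups_claim`; the names must match exactly, and a claim nested inside another object needs the JSON Pointer form in the role rather than the bare name.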