Vault OIDC provider /authorize endpoint permission denied

gnadaban · April 18, 2024, 3:48pm

Hi all,

I’m looking at using the Vault OIDC provider’s /authorize API directly without using the Vault UI, ie. calling
/v1/identity/oidc/provider/<name>/authorize instead of /ui/vault/identity/oidc/provider/<name>/authorize.

This is essentially what the UI itself calls when doing sign-on.

However, apparently this /authorize endpoint does not work without providing a Vault token.
Eg:

curl \
    --request GET \
    -G \
    -d "response_type=code" \
    -d "client_id=$CLIENT_ID" \
    --data-urlencode "scope=email openid profile groups" \
    --data-urlencode "redirect_uri=$CALLBACK_URI" \
    https://$VAULT_SERVER/v1/identity/oidc/provider/$PROVIDER_NAME/authorize

The only relevant example I found here uses the X-Vault-Token header.

My question is, why does using the authorization endpoint require authorization?

Please advise,
George

Topic		Replies	Views
How does vault authorize the /identity/oidc/provider/:name/authorize endpoint? Vault	0	159	October 19, 2023
Identity entity must be associated with the request Vault	6	544	January 18, 2023
[Vault] Cannot pass authorization via API using OIDC method Vault	0	209	November 3, 2023
Using OIDC token for authenticating VAULT APIs Vault vault	1	579	February 8, 2022
Vault as an OAuth/OIDC Identity Provider Vault	7	3022	December 13, 2021

Vault OIDC provider /authorize endpoint permission denied

Related topics