Vault write oidc role - Potential Bug

I believe that I have found a bug within Vault; before I raise a bug report, can someone verify that I haven't made any errors?
This issue is only manifest when configuring vault oidc roles within nested namespaces.

I am working on Vault 1.15.0-rc1+ent (although this issue was present in v1.14.2+ent as well).
I have been using the instructions located at

I have created a nested list of namespaces
a1/b0

  1. I have configured the root namespace to use OIDC (Keycloak) to create 2 roles (default & admin)
  2. I have then repeated the procedure to configure OIDC in a1 to create 2 roles (default & admin)

Both of these work correctly with both roles via the UI.
The basic configuration for 1 is:

vault auth enable oidc

vault write auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_default"

vault write auth/oidc/role/oidc_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_default"

vault write auth/oidc/role/oidc_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_admin"

The basic configuration for 2 is:

vault auth enable -namespace="a1" oidc

vault write -namespace="a1" auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_a1_default"

vault write -namespace="a1" auth/oidc/role/oidc_a1_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_a1_default"

vault write -namespace="a1" auth/oidc/role/oidc_a1_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_a1_admin"

As stated, both of these work correctly with OIDC, and with vault read <role>.

This is where the issue arises. For a1/b0 I use:

vault auth enable -namespace="a1/b0" oidc

vault write -namespace="a1/b0" auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_b0_default"

vault write -namespace="a1/b0" auth/oidc/role/oidc_b0_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_b0_default"

vault write -namespace="a1/b0" auth/oidc/role/oidc_b0_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_b0_admin"

When I attempt to login using either the oidc_b0_admin or oidc_b0_default roles I get the following error:

Missing auth_url. please check that allowed_redirect_uris for the role include this mount path

When I run the command:

vault read a1/b0/auth/oidc/role/oidc_b0_<role>, or
vault read -namespace="a1/b0" auth/oidc/role/oidc_b0_<role>

the command only shows the localhost allowed_redirect_uris

Key Value
--- -----
allowed_redirect_uris [http://localhost:8250/oidc/callback]

when it should show both URIs as per the command.
I can tweak the vault role command to remove the localhost URI and only have the FQDN redirect_uri, and I can then use the role to authenticate using the Vault UI. But for some reason both of the redirect_uris are not being added to this role. This is working for the parent namespaces with the same commands.

I have tried using

allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback, http://localhost:8250/oidc/callback"

with no luck; in all instances the command returns

Success! data written to a1/b0/auth/oidc/role/oidc_b0_

Looking at the logs for the above role commands I get:

"path": "auth/oidc/role/oidc_b0_admin",
"data": {
"allowed_redirect_uris": "http://localhost:8250/oidc/callback",
"bound_audiences": "vault_test",
"policies": "oidc_b0_admin",
"user_claim": "preferred_username",
" allowed_redirect_uris": "https://<Vault Client>:8200/ui/vault/audit/oidc/oidc/callback"
},

Note the " allowed_redirect_uris" key starting with a space on the 2nd allowed_redirect_uris: it is in the log, but not within my vault command.

All of this data has been hand typed, as the system exists in an air-gapped environment.
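The two checks a practitioner would want after a write like this, as an added example that is not part of the original post or of Vault itself: inspect the request "data" recorded in the log for field names that differ from a known role parameter only by whitespace (the " allowed_redirect_uris" key above), and diff the read-back role against the redirect URIs the write was supposed to carry. The sample log entry and read-back response are constructed from the post's hand-typed output; the hostname vault.example.internal is a placeholder for the post's <Vault Client>, and the functions and field list are assumptions of this example.

```python
import json

# Role parameters the write is expected to carry (taken from the commands in the post).
EXPECTED_FIELDS = {"allowed_redirect_uris", "bound_audiences", "policies", "user_claim"}

# Redirect URIs the vault write command was supposed to store (placeholder hostname).
EXPECTED_URIS = [
    "https://vault.example.internal:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
]

# Constructed sample: the request "data" block as it appeared in the log in the post.
# The last key carries a leading space, so it is not the same field as the first one.
SAMPLE_REQUEST_LOG = """
{
  "path": "auth/oidc/role/oidc_b0_admin",
  "data": {
    "allowed_redirect_uris": "http://localhost:8250/oidc/callback",
    "bound_audiences": "vault_test",
    "policies": "oidc_b0_admin",
    "user_claim": "preferred_username",
    " allowed_redirect_uris": "https://vault.example.internal:8200/ui/vault/auth/oidc/oidc/callback"
  }
}
"""

# Constructed sample: the JSON shape of the read-back role from the post, where
# only the localhost URI survived.
SAMPLE_READ_BACK = """
{
  "data": {
    "allowed_redirect_uris": ["http://localhost:8250/oidc/callback"],
    "bound_audiences": ["vault_test"],
    "policies": ["oidc_b0_admin"],
    "user_claim": "preferred_username"
  }
}
"""


def parse_request_data(log_json):
    """Return the "data" object of a logged request entry."""
    return json.loads(log_json)["data"]


def find_whitespace_keys(data):
    """Return (bad_key, canonical_key) pairs for keys that only match a known
    role parameter after whitespace is stripped. Such a key is sent as a
    different parameter, so its value does not reach the intended field."""
    bad = []
    for key in data:
        canon = key.strip()
        if key != canon and canon in EXPECTED_FIELDS:
            bad.append((key, canon))
    return bad


def merge_whitespace_keys(data):
    """Fold whitespace-variant keys back into their canonical field as a list,
    i.e. the parameters the request should have carried."""
    merged = {}
    for key, value in data.items():
        canon = key.strip()
        values = value if isinstance(value, list) else [value]
        if canon in merged:
            existing = merged[canon]
            merged[canon] = (existing if isinstance(existing, list) else [existing]) + values
        else:
            merged[canon] = value
    return merged


def missing_redirect_uris(read_back_json, expected_uris):
    """Return the expected redirect URIs that are absent from the stored role."""
    stored = json.loads(read_back_json)["data"].get("allowed_redirect_uris", [])
    if isinstance(stored, str):
        stored = [stored]
    return sorted(set(expected_uris) - set(stored))


def check_role_write(request_json, read_back_json, expected_uris):
    """Run both checks and return a report a reviewer can act on."""
    data = parse_request_data(request_json)
    return {
        "whitespace_keys": find_whitespace_keys(data),
        "missing_uris": missing_redirect_uris(read_back_json, expected_uris),
    }


if __name__ == "__main__":
    print(json.dumps(check_role_write(SAMPLE_REQUEST_LOG, SAMPLE_READ_BACK, EXPECTED_URIS), indent=2))
```

Running the check on the constructed samples reports the space-prefixed key and the FQDN callback as the missing URI, which is exactly the symptom the post describes; the same comparison against `vault read -format=json` output is a cheap post-write assertion to keep in any role-provisioning script.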