I believe that I have found a bug within Vault; before I raise a bug report, can someone verify that I haven't made any errors?
This issue only manifests when configuring Vault OIDC roles within nested namespaces.
I am working on Vault 1.15.0-rc1+ent (although this issue was also in v1.14.2+ent).
I have been using the instructions located at
I have created a nested list of namespaces: a1/b0
- I have configured the root namespace to use OIDC (Keycloak) to create 2 roles (default & admin)
- I have then repeated the procedure to configure OIDC in a1 to create 2 roles (default & admin)
Both of these work correctly with both roles via the UI.
The basic configuration for 1 is:
vault auth enable oidc
vault write auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_default"
vault write auth/oidc/role/oidc_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_default"
vault write auth/oidc/role/oidc_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_admin"
The basic configuration for 2 is:
vault auth enable -namespace="a1" oidc
vault write -namespace="a1" auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_a1_default"
vault write -namespace="a1" auth/oidc/role/oidc_a1_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_a1_default"
vault write -namespace="a1" auth/oidc/role/oidc_a1_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_a1_admin"
As stated, both of these work correctly with OIDC and with vault read <role>.
This is where the issue arises. For a1/b0 I use:
vault auth enable -namespace="a1/b0" oidc
vault write -namespace="a1/b0" auth/oidc/config \
oidc_discovery_url="https://<keycloak Server>:8443/auth/realms/<realm name>" \
oidc_client_id="vault_test" \
oidc_client_secret="<keycloak realm secret>" \
default_role="oidc_b0_default"
vault write -namespace="a1/b0" auth/oidc/role/oidc_b0_default \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_b0_default"
vault write -namespace="a1/b0" auth/oidc/role/oidc_b0_admin \
bound_audiences="vault_test" \
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="preferred_username" policies="oidc_b0_admin"
When I attempt to login using either the oidc_b0_admin or oidc_b0_default roles I get the following error:
Missing auth_url. please check that allowed_redirect_uris for the role include this mount path
When I run the command:
vault read a1/b0/auth/oidc/role/oidc_b0_<role>, or
vault read -namespace="a1/b0" auth/oidc/role/oidc_b0_<role>
the command only shows the localhost allowed_redirect_uris:
Key Value
--- -----
allowed_redirect_uris [http://localhost:8250/oidc/callback]
when it should show both URIs as per the command.
I can tweak the vault role command to remove the localhost URI and keep only the FQDN redirect_uri, and I can then use the role to authenticate using the Vault UI. But for some reason both of the redirect_uris are not being added to this role. This is working for the parent namespaces with the same commands.
I have tried using
allowed_redirect_uris="https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback, http://localhost:8250/oidc/callback"
with no luck; in all instances the command returns
Success! data written to a1/b0/auth/oidc/role/oidc_b0_
Looking at the logs for the above role commands, I get
"path": "auth/oidc/role/oidc_b0_admin",
"data": {
"allowed_redirect_uris": "http://localhost:8250/oidc/callback",
"bound_audiences": "vault_test",
"policies": "oidc_b0_admin",
"user_claim": "preferred_username",
" allowed_redirect_uris": "https://<Vault Client>:8200/ui/vault/audit/oidc/oidc/callback"
},
Note that the second allowed_redirect_uris key appears in the log as " allowed_redirect_uris", starting with a space, which is not within my vault command.
All of this data has been hand typed as the system exists in an air gapped environment.
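A small check that reproduces, offline, the two observations in the post: the audit-log request entry carries a parameter key padded with a leading space, and the role read back from Vault lists only one of the two intended redirect URIs. This is example code added here, not part of the post and not HashiCorp's tooling. Both inputs are constructed to mirror what the post quotes: an audit request block with the padded key, and a role read in the shape of `vault read -format=json` output. The `<Vault Client>` placeholder is kept as literal text, and the expected URI set is taken from the commands in the post.

```python
"""Checks for whitespace-padded request keys and missing redirect URIs.

Added example, not from the original post and not HashiCorp code.
Inputs are constructed to mirror the post: an audit request entry
containing the key that begins with a space, and a role read in the
shape of `vault read -format=json`. "<Vault Client>" stays a literal
placeholder.
"""
import json

# Constructed: the request block quoted in the post, including the key
# that begins with a space.
AUDIT_REQUEST_JSON = r'''{
  "path": "auth/oidc/role/oidc_b0_admin",
  "data": {
    "allowed_redirect_uris": "http://localhost:8250/oidc/callback",
    "bound_audiences": "vault_test",
    "policies": "oidc_b0_admin",
    "user_claim": "preferred_username",
    " allowed_redirect_uris": "https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback"
  }
}'''

# Constructed: a JSON role read matching the table in the post, where
# only the localhost URI is present.
ROLE_READ_JSON = r'''{
  "data": {
    "allowed_redirect_uris": ["http://localhost:8250/oidc/callback"],
    "bound_audiences": ["vault_test"],
    "policies": ["oidc_b0_admin"],
    "user_claim": "preferred_username"
  }
}'''

# The two URIs the vault write commands in the post intend to set.
EXPECTED_REDIRECT_URIS = {
    "https://<Vault Client>:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
}


def padded_keys(data):
    """Keys that change when surrounding whitespace is stripped."""
    return sorted(k for k in data if k != k.strip())


def values_for(data, name, exact=True):
    """Flatten every value stored under `name`.

    exact=True matches the key byte-for-byte; exact=False also accepts
    keys that equal `name` once stripped, i.e. what the operator typed.
    """
    out = []
    for key, value in data.items():
        matched = key == name if exact else key.strip() == name
        if not matched:
            continue
        out.extend(value if isinstance(value, list) else [value])
    return out


def check_role_request(entry_json, expected=EXPECTED_REDIRECT_URIS):
    """Inspect one audit request entry for the role-write problem."""
    entry = json.loads(entry_json)
    data = entry.get("data", {})
    exact = values_for(data, "allowed_redirect_uris")
    intended = values_for(data, "allowed_redirect_uris", exact=False)
    return {
        "path": entry.get("path"),
        "padded_keys": padded_keys(data),
        "exact_key_values": exact,
        "stripped_key_values": intended,
        "missing_from_exact": sorted(set(expected) - set(exact)),
    }


def missing_redirect_uris(read_json, expected=EXPECTED_REDIRECT_URIS):
    """Expected URIs absent from a `vault read -format=json` role output."""
    data = json.loads(read_json)["data"]
    present = set(data.get("allowed_redirect_uris", []))
    return sorted(set(expected) - present)


if __name__ == "__main__":
    for key, value in check_role_request(AUDIT_REQUEST_JSON).items():
        print(f"{key}: {value}")
    print("missing after read:", missing_redirect_uris(ROLE_READ_JSON))
```

Run against a real audit device, the same two functions take each JSON line's `request` object and the output of `vault read -namespace="a1/b0" -format=json auth/oidc/role/<role>`; a non-empty `padded_keys` list is the thing to look for first, because a key that differs from `allowed_redirect_uris` only by whitespace is not the parameter the role expects.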