What exactly are `allowed_redirect_uris`?

Hi everybody,

This shows the parameters to create a role as used for OIDC authentication. One of the parameters is `allowed_redirect_uris`. What exactly are redirect URIs?

Many thanks for your help!

This is documented at JWT/OIDC - Auth Methods | Vault by HashiCorp

Thanks @maxb ,

If the user wants to log in via the CLI, it says that the redirect URI would usually be `http://localhost:8250/oidc/callback`. I am really puzzled as to the localhost part of it. Redirect URIs are supposed to be used by the OIDC provider, aren’t they? The OIDC provider will most certainly be on a different machine than the Vault server, so why should localhost be used there?

Many thanks!

This is describing the case in which the user runs `vault login -method=oidc` at a CLI prompt, and that Vault CLI command itself opens up a local webserver running on `localhost:8250`.

It then triggers the user’s web browser to open the OIDC provider’s page. When the user’s web browser is redirected to `http://localhost:8250/oidc/callback` it delivers the response from the OIDC provider to the locally running `vault login -method=oidc` process. It’s a quirky trick to bridge between the web browser and a CLI application.
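The loopback hand-off described in the answer above, as an added example (not part of the thread and not Vault's own code): a local listener accepts the browser's redirect on `/oidc/callback` and hands the `code` to the waiting process only when `state` matches. The function names, the local `state` check, the exact-match allowlist comparison and the sample `code` value are assumptions made for this illustration.

```python
import http.client
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

CALLBACK_PATH = "/oidc/callback"  # path of the CLI redirect URI quoted in the thread

def redirect_allowed(uri, allowed_redirect_uris):
    return uri in allowed_redirect_uris  # assumption: exact-string match on the role's list

def start_listener(expected_state, port=8250):  # stands in for the CLI's local webserver
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urllib.parse.urlparse(self.path)
            params = urllib.parse.parse_qs(url.query)
            state = params.get("state", [""])[0]
            ok = (url.path == CALLBACK_PATH and "code" in params and
                  secrets.compare_digest(state.encode(), expected_state.encode()))
            if ok:
                result["code"] = params["code"][0]  # handed to the waiting CLI process
            self.send_response(200 if ok else 400)
            self.end_headers()
        def log_message(self, *args):  # silence per-request logging
            pass
    server = HTTPServer(("127.0.0.1", port), Handler)  # loopback only, not 0.0.0.0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, result

def browser_get(port, target):  # stands in for the browser following the redirect
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", target)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def demo():
    state = secrets.token_urlsafe(16)  # created by the CLI before it opens the browser
    server, result = start_listener(state, port=0)  # port 0: any free port, demo only
    port = server.server_port
    bad = browser_get(port, f"{CALLBACK_PATH}?code=constructed-code&state=mismatch")
    leaked = "code" in result  # a rejected callback must not store anything
    good = browser_get(port, f"{CALLBACK_PATH}?code=constructed-code&state={state}")
    server.shutdown()
    server.server_close()
    return bad, leaked, good, result.get("code")

if __name__ == "__main__":
    print(demo())
```

The OIDC provider never connects to the listener itself; it only tells the browser where to go, which is why a `localhost` URI works even though the provider runs on another machine.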

All right, thanks for the explanation @maxb.