Hi everybody,
This shows the parameters to create a role as used for OIDC authentication. One of the parameters is allowed_redirect_uris. What exactly are redirect URIs?
Many thanks for your help!
This is documented at JWT/OIDC - Auth Methods | Vault by HashiCorp
Thanks @maxb,
If the user wants to log in via the CLI, it says that the redirect URI would usually be http://localhost:8250/oidc/callback. I am really puzzled as to the localhost part of it. Redirect URIs are supposed to be used by the OIDC provider, aren't they? The OIDC provider will most certainly be on a different machine than the Vault server, so why should localhost be used there?
Many thanks!
This is describing the case in which the user runs vault login -method=oidc at a CLI prompt, and that Vault CLI command itself opens up a local webserver running on localhost:8250.
It then triggers the user's web browser to open the OIDC provider's page. When the user's web browser is redirected to http://localhost:8250/oidc/callback it delivers the response from the OIDC provider to the locally running vault login -method=oidc process. It's a quirky trick to bridge between the web browser and a CLI application.
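To make the trick concrete, here is an added example (written for this page, not code from the thread or from Vault's own source) that reimplements the local-callback part of what the CLI does: it starts a loopback HTTP listener on localhost:8250, builds an authorization URL whose redirect_uri is http://localhost:8250/oidc/callback, opens the browser, and waits for the provider to send the browser back to that URL carrying the authorization code. That redirect_uri is exactly the value the Vault role must list in allowed_redirect_uris, since the provider will refuse to redirect anywhere the client did not pre-register. The provider endpoint, client ID and the simulated-browser helper are assumptions for illustration; the real CLI does not exchange the code itself but hands code and state back to Vault, which the example notes rather than reproduces.

```python
"""Minimal stand-in for the localhost callback trick used by `vault login -method=oidc`.

Added example, not Vault's code. Provider endpoint and client_id are placeholders.
"""
import hmac
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
import webbrowser

CALLBACK_PORT = 8250
CALLBACK_PATH = "/oidc/callback"
# This is the URI the Vault role's allowed_redirect_uris must contain.
REDIRECT_URI = f"http://localhost:{CALLBACK_PORT}{CALLBACK_PATH}"


def build_auth_url(authorization_endpoint, client_id, state, nonce, redirect_uri=REDIRECT_URI):
    """Build the OIDC authorization request the browser is sent to.

    The provider only honours redirect_uri values registered for the client,
    which is why Vault also pins them per role in allowed_redirect_uris."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urllib.parse.urlencode(params)


def parse_callback(request_target, expected_state):
    """Validate a request that landed on the local listener. Returns (code, error).

    The state check binds the callback to the login this process started, so a
    stray or attacker-crafted request to localhost:8250 cannot inject a code."""
    parsed = urllib.parse.urlsplit(request_target)
    if parsed.path != CALLBACK_PATH:
        return None, "unexpected path"
    query = urllib.parse.parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None, "state mismatch"
    if "error" in query:
        return None, query["error"][0]
    code = query.get("code", [""])[0]
    if not code:
        return None, "missing code"
    return code, None


class _CallbackResult:
    def __init__(self):
        self.code = None
        self.error = None
        self.done = threading.Event()


def start_listener(expected_state, port=CALLBACK_PORT):
    """Start the loopback HTTP server the browser is redirected to. port=0 picks a free port."""
    result = _CallbackResult()

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            code, err = parse_callback(self.path, expected_state)
            if err:
                body, status = f"login failed: {err}".encode(), 400
            else:
                result.code, body, status = code, b"Login successful. You can close this window.", 200
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            result.error = err
            result.done.set()

        def log_message(self, *args):  # keep the CLI output quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, result


def wait_for_callback(server, result, timeout=120):
    """Block until the browser has hit the listener (or timeout), then stop the server."""
    arrived = result.done.wait(timeout)
    server.shutdown()
    server.server_close()
    if not arrived:
        return None, "timed out waiting for browser"
    return result.code, result.error


def simulate_provider_redirect(server, query_params):
    """Stand in for the browser following the provider's redirect (lets the example run offline).
    Returns the HTTP status the listener answered with."""
    host, port = server.server_address
    url = f"http://{host}:{port}{CALLBACK_PATH}?" + urllib.parse.urlencode(query_params)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def main(use_browser=False):
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    server, result = start_listener(state)
    url = build_auth_url("https://idp.example.com/authorize", "vault-cli", state, nonce)  # placeholders
    if use_browser:
        webbrowser.open(url)  # real flow: the provider redirects the browser back to REDIRECT_URI
    else:
        simulate_provider_redirect(server, {"code": "constructed-code", "state": state})
    code, err = wait_for_callback(server, result)
    print("error:", err) if err else print("got code; a real CLI now posts code+state to Vault's callback endpoint")


if __name__ == "__main__":
    main()
```

Run it as-is and it plays both sides on the loopback interface; call main(use_browser=True) to have a real provider redirect your browser. The redirect_uri in the request must match the role's allowed_redirect_uris character for character, which is why changing the port the CLI listens on also means adding the new localhost URI to the role.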
All right, thanks for the explanation @maxb.