Vault: could not parse 'oidc_discovery_ca_pem' value successfully

Created on 20 Mar 2019 · 7 comments · Source: hashicorp/vault

Describe the bug
I'm using Vault 1.1.0-beta2 and I can't configure the OIDC auth method. I have to say that I'm using my company's certificate.

When I try to configure the OIDC auth method via the UI, I can fill in oidc_discovery_url and upload the certificate, which works, but I can't find anywhere to put client_id and client_token.

To Reproduce

vault auth enable oidc
vault write auth/oidc/config \
    oidc_discovery_url="url-of-my-provider" \
    oidc_client_id="<client-id>" \
    oidc_client_secret="<client-token>" \
    oidc_discovery_ca_pem="$(cat my.pem)"   # PEM contents passed inline: this is the form that produced the parse error

Environment:

  • Vault Server Version: 1.1.0-beta2
  • Vault CLI Version: Vault v1.1.0
  • Server Operating System/Architecture: docker (Redhat for the client, base os of vault docker image for the server)

Vault server configuration file(s):

storage "mysql" {
#   mysql
    address = "vault_mariadb"
    database = "vault"
    tls_ca_file = "/vault/certs/mariadb-server-cert.pem"
    username = "db_user"
    password = "db_pwd"
}
listener "tcp" {
#   tcp
    address = "0.0.0.0:8200"
    tls_disable = "true"
}
cluster_name = ""
cache_size = "32000"
disable_cache = false
disable_mlock = true
disable_sealwrap = false
plugin_directory = ""
default_lease_ttl = "10h"
max_lease_ttl = "18h"
raw_storage_endpoint = false
ui = true
pid_file = ""
# High Availability Parameters
api_addr = ""
cluster_addr = ""
disable_clustering = false

Additional context

I'm trying to configure Keycloak as Open ID Connect provider for vault

All 7 comments

@Leletir Can you please try a couple of things.

  1. provide the oidc_discovery_ca_pem parameter like: oidc_discovery_ca_pem=@my.pem
  2. if that fails, try parsing with another tool to diagnose the cert, e.g. openssl x509 -in my.pem -text

@kalafut setting oidc_discovery_ca_pem=@my.pem works!!!

Thank you very much!!

@kalafut but why the @?

That's the CLI mechanism to reference the content of a file: https://www.vaultproject.io/docs/commands/#files
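Added example (not code from the issue, the reporter or the Vault project): a small Go program that re-implements the two things the thread turns on. expandArg reproduces the CLI convention kalafut links to, where a value starting with @ is replaced by the contents of the named file; checkDiscoveryCAPEM applies the acceptance test that the error in the title implies, namely that Go's x509 certificate pool must be able to load at least one certificate from the value (treating that as an assumption about the plugin's check, which the page does not show). The CA certificate is a throwaway self-signed one generated at run time so the example works offline; "example-corp-ca", the temp file name and the helper names are all made up for illustration. The second case shows why an inline $(cat my.pem) that is not double-quoted fails: the shell splits the PEM on whitespace and only the first word reaches Vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// expandArg implements the CLI convention linked in the thread: in key=value,
// a value starting with '@' is replaced by the contents of the named file.
// Illustrative re-implementation, not Vault's own code.
func expandArg(kv string) (string, string, error) {
	parts := strings.SplitN(kv, "=", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("expected key=value, got %q", kv)
	}
	key, value := parts[0], parts[1]
	if strings.HasPrefix(value, "@") {
		b, err := os.ReadFile(value[1:])
		if err != nil {
			return "", "", err
		}
		value = string(b)
	}
	return key, value, nil
}

// checkDiscoveryCAPEM accepts the value only if an x509 pool can load at least
// one certificate from it; the error text is the one in the issue title.
// Assumption: this mirrors the plugin's check, which is not shown on the page.
func checkDiscoveryCAPEM(pemText string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(pemText)) {
		return errors.New("could not parse 'oidc_discovery_ca_pem' value successfully")
	}
	return nil
}

// selfSignedCAPEM generates a throwaway CA certificate (constructed test data)
// so the example runs offline without a real company CA.
func selfSignedCAPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-corp-ca"}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	pemText, err := selfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "oidc-ca")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "my.pem")
	if err := os.WriteFile(path, []byte(pemText), 0o600); err != nil {
		panic(err)
	}

	// Case 1: the @file form from the thread; the CLI reads the file itself.
	_, v, err := expandArg("oidc_discovery_ca_pem=@" + path)
	if err != nil {
		panic(err)
	}
	fmt.Println("@my.pem:", checkDiscoveryCAPEM(v))

	// Case 2: an unquoted $(cat my.pem) is word-split by the shell, so only the
	// first token of the PEM ends up in the argument Vault receives.
	firstWord := strings.Fields(pemText)[0]
	fmt.Println("unquoted inline:", checkDiscoveryCAPEM(firstWord))
}
```

Run it with `go run .`; the first line prints `<nil>` and the second prints the error from the issue title. If a real CA file fails the @file form too, kalafut's second suggestion (openssl x509 -in my.pem -text) is the right next step, since AppendCertsFromPEM silently skips anything that is not a parseable CERTIFICATE block (for example a DER file, a private key, or a bundle whose only entries are of another type).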

Oh okay 😅 I missed this part... Thank you very much!
I've seen you've added documentation about using Keycloak as an OIDC provider.

I'm trying to configure Keycloak as an OIDC provider. I think I'm still missing something: each time I try to connect to Vault (via the UI), Vault asks me for a token (it should redirect me to the Keycloak login page, shouldn't it?)

If you've configured the role as OIDC, once you enter that role name in the UI, the token field should go away, and a login button will be shown which directs you to Keycloak.

Okay, I haven't configured the role yet, that's the missing part.

Thank you for your help. There are still some concepts I don't understand, but I think it's because of my lack of knowledge about OIDC (bound_audiences, user_claim, bound_claims, groups_claim).
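Added example (not from the issue or the Vault project) covering the four role parameters the last comment lists. It is a deliberately simplified re-implementation of their documented meaning: bound_audiences requires one of the token's aud values to be in the allowed list, user_claim names the claim whose value becomes the user's identity, bound_claims requires each listed claim to hold one of its allowed values, and groups_claim names the claim that carries the user's group list. The token payload is constructed JSON in the shape a Keycloak client with a group-membership mapper might issue; "preferred_username", "realm", "/dev" and "/ops" are illustrative values, not anything from the thread. Signature verification of the ID token is assumed to have happened already and is outside this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Role holds the four role parameters named in the thread. Assumption: this is a
// simplified re-implementation of their documented meaning, not the plugin's code.
type Role struct {
	BoundAudiences []string            // bound_audiences
	UserClaim      string              // user_claim
	BoundClaims    map[string][]string // bound_claims
	GroupsClaim    string              // groups_claim
}

// Login is what the role extracts from an accepted ID token.
type Login struct {
	User   string
	Groups []string
}

// ParseClaims decodes a JSON ID-token payload into a generic claim map.
func ParseClaims(payload []byte) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Evaluate applies the role to the claims of a token whose signature has already
// been verified against the provider's keys (that step is out of scope here).
func Evaluate(r Role, claims map[string]interface{}) (Login, error) {
	// bound_audiences: one of the token's aud values must be in the allowed list.
	if len(r.BoundAudiences) > 0 && !anyMatch(stringsOf(claims["aud"]), r.BoundAudiences) {
		return Login{}, fmt.Errorf("aud %v does not match bound_audiences %v", claims["aud"], r.BoundAudiences)
	}
	// user_claim: the claim whose value identifies the user; required.
	user, ok := claims[r.UserClaim].(string)
	if !ok || user == "" {
		return Login{}, fmt.Errorf("user_claim %q not present as a string", r.UserClaim)
	}
	// bound_claims: every listed claim must carry one of its allowed values.
	for name, allowed := range r.BoundClaims {
		if !anyMatch(stringsOf(claims[name]), allowed) {
			return Login{}, fmt.Errorf("claim %q does not satisfy bound_claims", name)
		}
	}
	// groups_claim: optional; when set, it must be a list of group names.
	var groups []string
	if r.GroupsClaim != "" {
		if groups = stringsOf(claims[r.GroupsClaim]); groups == nil {
			return Login{}, fmt.Errorf("groups_claim %q missing or not a list", r.GroupsClaim)
		}
	}
	return Login{User: user, Groups: groups}, nil
}

// stringsOf normalises a claim that may be a single string or a JSON array.
func stringsOf(v interface{}) []string {
	switch x := v.(type) {
	case string:
		return []string{x}
	case []interface{}:
		out := make([]string, 0, len(x))
		for _, e := range x {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// anyMatch reports whether any value in have appears in allowed.
func anyMatch(have, allowed []string) bool {
	for _, h := range have {
		for _, a := range allowed {
			if h == a {
				return true
			}
		}
	}
	return false
}

func main() {
	role := Role{
		BoundAudiences: []string{"vault"},
		UserClaim:      "preferred_username",
		BoundClaims:    map[string][]string{"realm": {"corp"}},
		GroupsClaim:    "groups",
	}
	// Constructed payload; claim names and values are illustrative, not a real token.
	claims, err := ParseClaims([]byte(`{"aud":"vault","preferred_username":"alice","realm":"corp","groups":["/dev","/ops"]}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(Evaluate(role, claims))
	// Same user, but the token was minted for another client: rejected by bound_audiences.
	other, _ := ParseClaims([]byte(`{"aud":["grafana"],"preferred_username":"alice","realm":"corp","groups":[]}`))
	_, err = Evaluate(role, other)
	fmt.Println(err)
}
```

The audience check is the one that matters most for security: without bound_audiences, an ID token issued by the same Keycloak realm for an unrelated client would also log the user into Vault. bound_claims is the place to pin additional attributes (realm, tenant, verified e-mail) and groups_claim only feeds group aliases; it grants nothing by itself.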
