Vault: UI Sign-in button broken for OIDC auth method with Okta

Created on 27 Oct 2020 · 5 Comments · Source: hashicorp/vault

Describe the bug
UI sign-in button doesn't do anything when using a configured OIDC auth method (tested with Okta)

To Reproduce
Steps to reproduce the behavior:

  1. Configure OIDC auth method using Okta
  2. Attempt to login via the UI with said auth method
  3. Nothing happens (when capturing network request logs in Chrome, only changes to the Role textbox generate requests; actual clicks on the sign-in button do not).

Expected behavior
Logging in successfully.

Environment:

  • Vault Server Version (retrieve with vault status): 1.5.4
  • Vault CLI Version (retrieve with vault version): 1.5.5
  • Server Operating System/Architecture: Kubernetes architecture (Official Helm chart version 0.8.0)

Vault server configuration file(s):

ui = true

listener "tcp" {
    address = "[::]:8200"
    cluster_address = "[::]:8201"
    tls_cert_file = "/etc/pki/tls.crt"
    tls_key_file  = "/etc/pki/tls.key"
}

storage "gcs" {
    bucket = "my-gcs-bucket"
    ha_enabled = "true"
}

service_registration "kubernetes" {}

Additional context
Using the CLI to log in with said auth method works perfectly using the following command:
vault login -method=oidc -path=my_okta_oidc role=my_role

All 5 comments

Same issue with Azure. Running Vault 1.5.4

Hi folks, I'm not able to reproduce this issue, so I wonder if you've double-checked the redirect_urls in your oidc config, and also if there's anything being logged on the vault side? You also may want to test a different web browser too, in case there's an extension blocking something.

Hey @tvoran - good call - I had an extra / in my URL. Got it working now!

@NightmareCinema So in trying this some more, I found that if the default_role was set to a non-existent vault role, then I get the behavior you describe. Wondering if that is what's happening in your case?

That was it. I had a mismatch in my allowed redirect urls caused by my port number. Now everything is truly identical and works smoothly! Many thanks!
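The two root causes found in this thread (a redirect URI that differs from what the UI sends, and a default_role pointing at a role that does not exist) can be checked offline before anyone clicks the button. The following is an added example, not code from the thread or from Vault itself; it assumes the Vault UI callback has the form https://VAULT/ui/vault/auth/MOUNT/oidc/callback, that the role parameter is allowed_redirect_uris, and uses vault.example.com as a placeholder host.

```python
"""Sanity-check a Vault OIDC auth mount for the two misconfigurations above."""
from __future__ import annotations
from urllib.parse import urlsplit

def expected_ui_callback(vault_addr: str, mount_path: str) -> str:
    """Callback the Vault UI sends for an OIDC mount at auth/<mount_path>."""
    return f"{vault_addr.rstrip('/')}/ui/vault/auth/{mount_path.strip('/')}/oidc/callback"

def diagnose_redirect_uris(expected: str, allowed: list[str]) -> list[tuple[str, list[str]]]:
    """Return [] if `expected` is listed verbatim, else one (uri, reasons) entry per
    allowed URI saying what differs. Vault compares these strings exactly, so a
    missing port or a stray trailing slash is enough to make the UI fail silently."""
    if expected in allowed:
        return []
    exp = urlsplit(expected)
    report = []
    for uri in allowed:
        got = urlsplit(uri)
        reasons = []
        if got.scheme != exp.scheme:
            reasons.append(f"scheme {got.scheme!r} != {exp.scheme!r}")
        if got.hostname != exp.hostname:
            reasons.append(f"host {got.hostname!r} != {exp.hostname!r}")
        if got.port != exp.port:
            reasons.append(f"port {got.port!r} != {exp.port!r}")
        if got.path != exp.path:
            if got.path.rstrip("/") == exp.path.rstrip("/"):
                reasons.append("trailing slash differs")
            else:
                reasons.append(f"path {got.path!r} != {exp.path!r}")
        report.append((uri, reasons))
    return report

def check_default_role(default_role: str, roles: dict) -> str | None:
    """The mount's default_role must name a role that actually exists."""
    if default_role and default_role not in roles:
        return f"default_role {default_role!r} is not a configured role: {sorted(roles)}"
    return None

# Constructed sample: the mount from the issue with the two mistakes commenters
# reported (missing port, extra "/") plus the CLI callback, which is why
# `vault login -method=oidc` kept working while the UI button did nothing.
EXPECTED = expected_ui_callback("https://vault.example.com:8200", "my_okta_oidc")
ALLOWED = [
    "https://vault.example.com/ui/vault/auth/my_okta_oidc/oidc/callback",
    "https://vault.example.com:8200/ui/vault/auth/my_okta_oidc/oidc/callback/",
    "http://localhost:8250/oidc/callback",
]
ROLES = {"my_role": {"allowed_redirect_uris": ALLOWED}}
```

Run `diagnose_redirect_uris(EXPECTED, ALLOWED)` and `check_default_role("my_role", ROLES)` against values read from `vault read auth/<mount>/role/<role>` and `vault read auth/<mount>/config` to reproduce the check locally.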
