New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vault cli doesn't listen on secure port during oidc login even when explicitly asked to do so #17130
Comments
I am able to workaround the problem by running a haproxy server on the client side, which listens on a secure port 9443, and forwards traffic to insecure port 8250. I had to register https://localhost:9443 in the redirect urls in oidc and allowed_redirect_uris in the vault oidc role. This works for us, because all our users are expected to login from a single jump server, however, I strongly feel this is something needs to taken care of by the vault client itself |
I've been able to reproduce this issue but am unable to work around it as @soumyadeep-paul-ibm has been since all of my users login from their own workstations. Our Identity Provider also does not permit http (non-TLS) endpoints. Additionally, I was investigating OIDC authentication because #18875 prevents us from upgrading Vault. |
The right way forward here, is to fix the Identity Provider to permit http://localhost callback URLs. You can't use TLS without a certificate, and you can't realistically get a meaningful certificate issued for localhost. Therefore a client program executing on the same computer as the web browser and seeking to use it as a login UI, requires a non-TLS redirect URL. But, in this use-case, the traffic is not traversing any real network, it's flowing directly over the localhost interface within a single machine, negating the majority of reasons to want TLS in the first place. Vault is not doing anything weird here... this technique is specifically documented in https://www.ietf.org/rfc/rfc8252.html#section-7.3 |
@maxb Thanks for the link to the RFC. It does look like loopback redirection should be fine over http so I've raised that issue with the Identity Provider. However, the JWT/OIDC Auth Method documentation does state that:
Which would lead me to believe that the intention was to actually implement more than just the 'http' method. So I think there still needs to be something done here. Perhaps either:
|
You make a good point... I cannot think of any way a user could usefully make use of the callbackmethod option. Perhaps it should just be removed outright. |
Just wanted to chime in an say I use the callbackmethod option, don't remove it! I'm running the vault cli inside code-server.
code-server helm: extraPorts:
- name: vault-cb
port: 8250
protocol: TCP Gatway Route: apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: code-server
namespace: code
spec:
parentRefs:
- name: envoy-gateway-opnsense
kind: Gateway
group: gateway.networking.k8s.io
namespace: envoy-gateway
sectionName: https
hostnames:
- "my-coder-server.com"
rules:
- backendRefs:
- name: code-server
group: ''
kind: Service
namespace: code
port: 8080
weight: 1
matches:
- path:
type: PathPrefix
value: /
- backendRefs:
- name: code-server
group: ''
kind: Service
namespace: code
port: 8250
weight: 1
matches:
- path:
type: Exact
value: /oidc/callback |
Should this have label:bug? This is not working as intended |
During a CLI authentication with oidc, we see is localhost listen to a insecure port 8250, irrespective of
callbackmethod=https
andcallbackport=9443
Does this mean, we need to make arrangement for forwarding the traffic to insecure port 8250 ?
Environment:
Vault Version:
Client : Vault v1.11.3 ('17250b25303c6418c283c95b1d5a9c9f16174fe8+CHANGES'), built 2022-08-26T10:27:10Z
Server: Vault v1.11.3 (17250b2), built 2022-08-26T10:27:10Z
Operating System/Architecture:
root@icfra02vault-pocpibmvault01 ~]# uname -a
Linux icfra02vault-pocpibmvault01 3.10.0-1160.el7.x86_64 Initial Website Import #1 SMP Tue Aug 18 14:50:17 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@icfra02vault-pocpibmvault01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Vault Config File:
Startup Log Output:
Expected Behavior:
vault login -method=oidc callbackmethod=https skip_browser=true
This generates a callback url
https://localhost:8250/oidc/callback
, The temporary service running on port 8250 should configure a TLS certificate.Actual Behavior:
The local port 8250 runs without a certificate and when we complete the oidc authentication, we get error
This is caused by no certificate is configured on port 8250
Steps to Reproduce:
https://localhost:8250/oidc/callback
(Along with any other for vault ui)Important Factoids:
Our OIDC provider doesn't allow adding a http url and we must add https url only.
References:
The text was updated successfully, but these errors were encountered: