hashicorp/vault-guides

Not able to log in with Google OIDC auth

raulkozy opened this issue · 1 comment

Hi Team,

I tried configuring Google login through OIDC auth.

Below are the details:

#1 Enabled OIDC auth in Vault using

```shell
vault auth enable oidc
```

#2 In the Google Developer Console I have the redirect path configured as:

```
https://Domain_NAME/ui/vault/auth/oidc/oidc/callback
```

#3 I executed the command below to configure the OIDC auth.

```shell
vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com", \
    oidc_client_secret="Lp71KRw83ZCkSptuzULRFPr", \
    default_role="gmail"
```

#4 I created a policy named demo as:

```hcl
path "/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

#5 I executed the command below to define a new OIDC role.

```shell
vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences=6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com \
    allowed_redirect_uris=https://Domain_NAME/ui/vault/auth/oidc/oidc/callback \
    policies=demo \
    ttl=1h
```

#6 After configuring these steps, when I try to log in to Vault using OIDC I get an error and there is no option to log in with Google. Below is a screenshot of the same.

[screenshot]

#7 The config and role read as follows:

```
$ vault read auth/oidc/config
Key                      Value
---                      -----
bound_issuer             n/a
default_role             gmail
jwks_ca_pem              n/a
jwks_url                 n/a
jwt_supported_algs       []
jwt_validation_pubkeys   []
oidc_client_id           6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com,
oidc_discovery_ca_pem    n/a
oidc_discovery_url       https://accounts.google.com
```

```
$ vault read auth/oidc/role/gmail
Key                      Value
---                      -----
allowed_redirect_uris    [https://Domain_NAME/ui/vault/auth/oidc/oidc/callback]
bound_audiences          [6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com]
bound_claims             <nil>
bound_subject            n/a
claim_mappings           <nil>
clock_skew_leeway        0
expiration_leeway        0
groups_claim             n/a
not_before_leeway        0
oidc_scopes              <nil>
policies                 [demo]
role_type                oidc
token_bound_cidrs        []
token_explicit_max_ttl   0s
token_max_ttl            0s
token_no_default_policy  false
token_num_uses           0
token_period             0s
token_policies           [demo]
token_ttl                1h
token_type               default
ttl                      1h
user_claim               sub
verbose_oidc_logging     false
```

Kindly let me know where the config went wrong.
I tried the same set of steps with Keycloak (a different OIDC provider) but ran into the same issue.
Thanks in advance.
:-)

I tried investigating the URL of the authentication window.

There was an extra parameter "%2C", which is the hexadecimal (percent-encoded) form of ",".
So there is a small correction to the commands;
presenting the incorrect and the correct one as follows.

The incorrect config:

```shell
vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="<Client_Id>", \
    oidc_client_secret="<Secret_Id>", \
    default_role="gmail"
```

The correct config:

```shell
vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="<Client_Id>" \
    oidc_client_secret="<Secret_Id>" \
    default_role="gmail"
```

There was a small "," at the end of client_id and secret_id which played the trick.

Closing the issue.
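The following shell script is an added example, not part of the issue thread or of hashicorp/vault-guides. It does two things the thread had to do by hand: it checks a client id value for a stray trailing comma or whitespace before it is passed to `vault write auth/oidc/config`, and it inspects an authorization URL for a client_id parameter carrying a percent-encoded comma (`%2C`), which is how the mistake surfaced in the browser. The client id, the redirect host `vault.example.com` and the URLs are constructed placeholders, not the values from the issue.

```shell
#!/bin/sh
# Added example, not from the issue: lint OIDC client id values for the
# trailing-comma mistake and spot the same mistake in an authorization URL.

# Classify a client id value. Prints one of:
#   trailing-comma   value ends in "," (what the issue ran into)
#   trailing-space   value ends in whitespace
#   ok               value ends in .apps.googleusercontent.com
#   unexpected       anything else
classify_client_id() {
    case "$1" in
        *,)                            echo trailing-comma ;;
        *[[:space:]])                  echo trailing-space ;;
        *.apps.googleusercontent.com)  echo ok ;;
        *)                             echo unexpected ;;
    esac
}

# Extract the raw (still percent-encoded) client_id query parameter from an
# authorization URL. Prints nothing if the parameter is absent.
auth_url_client_id() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]client_id=\([^&]*\).*/\1/p'
}

# Prints "encoded-comma" if the client_id parameter contains %2C (any case),
# "clean" if it is present without one, "missing" if there is no client_id.
lint_auth_url() {
    raw=$(auth_url_client_id "$1")
    if [ -z "$raw" ]; then
        echo missing
    elif printf '%s' "$raw" | grep -qi '%2c'; then
        echo encoded-comma
    else
        echo clean
    fi
}

# Constructed sample values; the client id is a made-up placeholder.
BAD_ID='123456789-abcdef.apps.googleusercontent.com,'
GOOD_ID='123456789-abcdef.apps.googleusercontent.com'

# Constructed authorization URLs in the shape Google's endpoint expects.
# The bad one carries the comma percent-encoded, as the issue observed.
BAD_URL="https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789-abcdef.apps.googleusercontent.com%2C&redirect_uri=https%3A%2F%2Fvault.example.com%2Fui%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback&response_type=code&scope=openid"
GOOD_URL="https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789-abcdef.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fvault.example.com%2Fui%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback&response_type=code&scope=openid"

main() {
    for id in "$BAD_ID" "$GOOD_ID"; do
        printf '%-48s %s\n' "$id" "$(classify_client_id "$id")"
    done
    for url in "$BAD_URL" "$GOOD_URL"; do
        printf 'auth URL client_id check: %s\n' "$(lint_auth_url "$url")"
    done
}

main
```

Run `classify_client_id` on each value you are about to pass to `vault write`, and paste the URL from the browser's address bar into `lint_auth_url` when a login redirect fails. Separately from the comma, note what the role read back above shows: bound_claims is empty and the demo policy grants every capability on "/*", so once the flow works, any Google account that completes it receives that policy; restricting the role with bound_claims (for example on the hd or email claim) is the usual fix.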