Regression: OIDC Login 'role with oidc role_type is not allowed' #14671
Comments
|
Hi, @braunsonm. Thanks for opening this issue. We've determined that this error occurs when logging in through the Vault UI using an OIDC auth mount listed in the "tabs" of the login form. The auth mounts listed in these "tabs" are those that have listing_visibility set to The team is working on a fix for this. Until then, there is a workaround. Instead of selecting the specific OIDC auth mount from the "tabs", select the "Other" tab. From there, you'll see a "Method" select box where you can select "OIDC". Let me know if this works for you. Again, we apologize for these regressions in the OIDC auth form. These issues have helped us identify testing gaps, so we really appreciate you opening them. |
|
Thanks @austingebauer that work around does in fact work. Appreciate the quick responses I have gotten in reporting these issues to Hashicorp. |
|
Just to state, I have confirmed this has been resolved with upgrading from 1.9.6 to 1.10.3 |
|
We updated Vault from 1.10.4 to 1.11.3 and the problem is back again. Please reopen. |
|
Can confirm what @klaphi says - the problem is back on version 1.11.3 (which is the latest also in HCP Vault). Not a good thing... |
|
Re-opening, thank you for these reports! |
|
Is 1.12.0 still affected? |
|
@xoxys Yes, 1.12.0 is unfortunately still affected. |
|
This has completedly blocked for me as I am unable to login. It looks like the workaround only works if you are using the default |
|
Seems to successfully process the If I inspect and grab the client token from the |
|
I have an admin login on an alternate path and it also doesn’t work from the GUI. I agree this is a serious issue because we can’t upgrade everywhere for security patches due to not being able to log into our admin accounts.
As a work around, which isn’t great because it requires a CLI, I’ve been getting a token from the CLI oidc method and admin path then pasting it into the token method in the GUI.
|
|
Hi folks! Thanks again for these reports. Our engineering team has assigned this to be investigated soon - ideally next week. Thank you all for your patience, as I know this is frustrating to deal with. |
|
@jeffmccune I'm seeing some issues with alternate mount paths as well but I'm not seeing the original issue on 1.11.3 or 1.12.0. Are you able to provide more information on how you arrive at |
|
@zofskeez The original issue was fixed as it relates to default mount path, but got reopened. I am unsure if the reopening was due to the default mount path again, or the issue with alternative paths. Either way there is definitely an issue with alternative mount paths. I believe @jeffmccune was using alternative path, not default path, and your example is showing successful with default path. |
|
Thanks @driskell. That supports what I am finding. Just want to make sure there wasn't a regression with the original fix. |
|
@zofskeez I have some dev/test clusters which are accessible if you'd like to look at what might be different about my setup. In the meantime, here's the config I'm using: Dex is the oidc provider. Here's the setup, please let me know if this isn't sufficient to reproduce the error and I'll try another approach. Enable the jwt auth method: vault auth enable -path=oidc jwtvault read -format=json auth/oidc/config
{
"request_id": "08f59f51-fd18-e5a1-afa1-63235cd256e7",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"bound_issuer": "",
"default_role": "default",
"jwks_ca_pem": "",
"jwks_url": "",
"jwt_supported_algs": [],
"jwt_validation_pubkeys": [],
"namespace_in_state": true,
"oidc_client_id": "vault.fc9a44ff524e2c6ebf36fbd65b8a51eb",
"oidc_discovery_ca_pem": "",
"oidc_discovery_url": "https://auth.k2.ois.run",
"oidc_response_mode": "",
"oidc_response_types": [],
"provider_config": {}
},
"warnings": null
}vault read -format=json sys/auth/oidc
{
"request_id": "9bee5073-6c0b-ec04-55bb-cb9cdede4e06",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"accessor": "auth_jwt_aced0224",
"config": {
"default_lease_ttl": 0,
"force_no_cache": false,
"listing_visibility": "unauth",
"max_lease_ttl": 0,
"token_type": "default-service"
},
"deprecation_status": "supported",
"description": "k2 cluster standard single sign on for normal access. Use the default role. If you get Authentication failed: role with oidc role_type is not allowed, then use the Other tab and select OIDC to login. See vault issue 14671.",
"external_entropy_access": false,
"local": false,
"options": null,
"plugin_version": "",
"running_plugin_version": "v0.14.0+builtin",
"running_sha256": "",
"seal_wrap": false,
"type": "jwt",
"uuid": "9e701671-41f8-841d-d2c2-0f48ae04afa4"
},
"warnings": null
}Set the default role: vault write auth/oidc/role/default
vault write auth/oidc/role/default -<<EOF
{
"role_type": "oidc",
"user_claim": "email",
"policies": "default",
"ttl": "10h",
"groups_claim": "groups",
"claim_mappings": {
"sub": "sub",
"email": "email",
"name": "name",
"iss": "iss"
},
"oidc_scopes": [
"email",
"profile",
"groups"
],
"bound_claims": {
"groups": [
"vault-admin@ois.run",
"cluster-admin@ois.run",
"cluster-edit@ois.run",
"cluster-view@ois.run"
]
},
"allowed_redirect_uris": [
"http://localhost:8250/oidc/callback",
"https://vault.core.${OIX_ORG_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
"https://vault.${OIX_DNS_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
"https://vault-ui.vault.svc:8200/ui/vault/auth/oidc/oidc/callback"
]
}
EOF |
@zofskeez I get the error for the default role on the default path. I'm also using a second path which does not work, but in a different way. Default path / role:
Alternate path: (Button does nothing)
Note however, both methods work great on the command line: |
|
One last comment, I'm mounting the jwt method at the oidc default path because it's the only method I could find which supports role based groups claims. If I replace vault write auth/oidc/role/default
vault write auth/oidc/role/default -<<EOF
{
"role_type": "oidc",
"user_claim": "email",
"policies": "default",
"ttl": "10h",
"groups_claim": "groups",
"claim_mappings": {
"sub": "sub",
"email": "email",
"name": "name",
"iss": "iss"
},
"oidc_scopes": [
"email",
"profile",
"groups"
],
"bound_claims": {
"groups": [
"vault-admin@ois.run",
"cluster-admin@ois.run",
"cluster-edit@ois.run",
"cluster-view@ois.run"
]
},
"allowed_redirect_uris": [
"http://localhost:8250/oidc/callback",
"https://vault.core.${OIX_ORG_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
"https://vault.${OIX_DNS_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
"https://vault-ui.vault.svc:8200/ui/vault/auth/oidc/oidc/callback"
]
}
EOF |
|
Great thanks @jeffmccune for the detailed response! I have prepared a fix for the alternate path case but the default path and role is interesting. One difference between our setups is that I was enabling the |
TL;DR: Solved, problem was using Yes, this is in fact the problem with my setup. I realized the identity policies weren't working because I disabled the Once I re-created all of my external groups with the correct accessor for the oidc auth type, both the oidc default path and default role in the UI and the CLI work as expected. |
|
As a suggestion, I thought this should work because JWT/OIDC Auth Method mentions:
And:
|
Good to hear! You should have been able to log in with your original config though without seeing the
I'm seeing the same thing as @driskell now when I use the |
|
Summary of issues affecting 1.12.0:
|
|
Hi i am facing the same issue on version 1.12.1, but in my case OIDC was working perfectly on the CLI and UI before enabling MFA with DUO, after MFA was enabled the UI started giving this same error while CLI is working as expected. |
|
Hi all, I have a related issue on 1.11.3 trying to perform JWT login on No issues on the UI with OIDC method, it works as expected. The callback URL ( |
|
@acortes-okode That is unrelated, and is actually Vault functioning as designed. Each role you configure in the OIDC/JWT auth method can be used for OIDC login or JWT login but not both. The role's |
|
Hi, I want to report the same behaviour as described by @santachago, except I am using MFA with TOTP and not with DUO. I get this issue in unauth and other tab. If I disable MFA, UI starts working. CLI works even with MFA. |
|
+1 on the issues seen by @xskrasek and @santachago. Saw issues after enabling duo MFA for my oidc auth method when logging in via the UI. Works via the CLI. |
|
If anyone else is in a similar situation/setup (Duo + AAD), I was able to enable Duo on the Azure AD App end for Vault and circumvent this issue. Also this prevents having to configure and enable Duo on the Vault end. So if anyone is using Azure AD this could provide a potential workaround/solution for you. |
|
I'm going to close this since the original reported issue was fixed in #17661. Please open a new issue for anything else that was mentioned. |
Describe the bug
Starting in 1.10.0, our OIDC login flow will error with
Authentication failed: role with oidc role_type is not allowedThe popup window will go to Microsoft (in my case) which returns a 200, on the page that says "Completing the sign-in process..", it finishes and closes. The main UI updates to say that error.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The login flow should work correctly as in 1.9.4.
Environment:
vault status): 1.10.0Vault server configuration file(s):
Additional context
This worked in the version directly before 1.9.4.
A similar bug happened in 1.8.0 which was a confirmed bug: #12239
And again in 1.9.1: #13460
This is the third bug that has appeared in OIDC login in the past 3 minor releases.
The text was updated successfully, but these errors were encountered: