OIDC login doesn't work as expected #1627

Closed
tmatilai opened this issue Oct 7, 2022 · 2 comments · Fixed by #1645

tmatilai commented Oct 7, 2022

Hi,

There seem to be two issues for me with the long-awaited OIDC login feature introduced in #1615.

  1. Initialization check seems to be inverted if I get it right. Just adding the auth_login_oidc block results in

    Error: auth login already initiailized
    

    A PR to fix this: Fix OIDC login initialization check #1628

  2. Even with the previous issue fixed, the provider gets stuck in the authentication phase.

    The debug log shows that Vault gave an IdP URL to go to, but the URL is not shown to the user. Or even better, the provider should open the link in a browser like the vault CLI does. Manually opening the link works, and the provider gets authenticated.

    Or am I missing something about how this should work?

Terraform Version

Terraform v1.3.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/vault v3.9.1

Terraform Configuration Files

provider "vault" {
  address   = var.vault_address
  namespace = "admin"

  auth_login_oidc {
    namespace = "admin"
    role      = "admin"
  }
}

Debug Output

(Hopefully) essential part of the debug output
[...]
2022-10-07T14:32:48.149+0300 [INFO]  provider.terraform-provider-vault: configuring server automatic mTLS: timestamp=2022-10-07T14:32:48.148+0300
2022-10-07T14:32:48.168+0300 [DEBUG] provider: using plugin: version=5
2022-10-07T14:32:48.168+0300 [DEBUG] provider.terraform-provider-vault: plugin address: address=/var/folders/y8/jxd_mkn526jcfcbrjvp8zhxc0000gq/T/plugin3629983298 network=unix timestamp=2022-10-07T14:32:48.168+0300
2022-10-07T14:32:48.204+0300 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/vault\"]" changed the config value, but that value is unused
2022-10-07T14:32:48.205+0300 [INFO]  provider.terraform-provider-vault: 2022/10/07 14:32:48 [DEBUG] Vault API Request Details:
---[ REQUEST ]---------------------------------------
PUT /v1/auth/oidc/oidc/auth_url HTTP/1.1
Host: [VAULT_ADDRESS_REDACTED]
User-Agent: Go-http-client/1.1
Content-Length: 107
X-Vault-Namespace: admin
X-Vault-Request: true
Accept-Encoding: gzip


-----------------------------------------------------: timestamp=2022-10-07T14:32:48.205+0300
2022-10-07T14:32:48.398+0300 [INFO]  provider.terraform-provider-vault: 2022/10/07 14:32:48 [DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Content-Length: 562
Cache-Control: no-store
Content-Type: application/json
Date: Fri, 07 Oct 2022 11:32:48 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Vault-Namespace: admin


-----------------------------------------------------: timestamp=2022-10-07T14:32:48.398+0300
2022-10-07T14:32:48.399+0300 [WARN]  unexpected data: registry.terraform.io/hashicorp/vault:stderr="Complete the login via your OIDC provider. Open the following link in your browser:

    https://[IDP_AUTHORIZATION_REQUEST_WITH_CORRECT_CALLBACK]


Waiting for OIDC authentication to complete..."
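
The debug output above shows the login link only inside a `[WARN] unexpected data` record. As an added example (not code from this issue or from the provider), the Go sketch below pulls that link out of a captured debug log and returns it only if it is an https URL on the IdP host the operator expects. `ExtractOIDCLoginURL`, `sampleLog` and the host `idp.example.com` are hypothetical names and constructed sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// marker is the prompt text visible in the stderr capture in the debug log above.
const marker = "Open the following link in your browser:"

// sampleLog is constructed for this example; idp.example.com is a placeholder.
const sampleLog = `2022-10-07T14:32:48.399+0300 [WARN]  unexpected data: registry.terraform.io/hashicorp/vault:stderr="Complete the login via your OIDC provider. Open the following link in your browser:

    https://idp.example.com/authorize?client_id=constructed&state=constructed

Waiting for OIDC authentication to complete..."
`

// ExtractOIDCLoginURL (hypothetical helper) returns the first non-empty line after the marker if it is an https URL on wantHost.
func ExtractOIDCLoginURL(log, wantHost string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(log))
	seen := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !seen {
			// The prompt ends the [WARN] line; the link follows on a later line.
			seen = strings.HasSuffix(line, marker)
			continue
		}
		if line == "" {
			continue
		}
		u, err := url.Parse(line)
		if err != nil {
			return "", fmt.Errorf("line after marker is not a URL: %w", err)
		}
		// The value came from a log file, so check it before anyone opens it.
		if u.Scheme != "https" || !strings.EqualFold(u.Hostname(), wantHost) {
			return "", fmt.Errorf("refusing %s://%s, want https://%s", u.Scheme, u.Hostname(), wantHost)
		}
		return u.String(), nil
	}
	return "", fmt.Errorf("no OIDC login prompt found in log")
}

func main() {
	fmt.Println(ExtractOIDCLoginURL(sampleLog, "idp.example.com"))
}
```

The link carries the authorization request parameters, so a debug log that contains it should be handled like other authentication material.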

@tmatilai

Seems to work in v3.10.0 🎉
Thanks a lot, @benashz!

benashz commented Oct 27, 2022

Thanks @tmatilai! That's great to hear!
