
Vault Logout always default to token auth method on login page #10816

Closed
agaudreault opened this issue Feb 1, 2021 · 8 comments

agaudreault commented Feb 1, 2021

Describe the bug
We use Vault with an OIDC provider. By default, when the user browses to /ui, it gets redirected to /ui/vault/auth?with=oidc%2F.

However, when the token expires or the user signs out with /ui/vault/logout, then it redirects to /ui/vault/auth?with=token, causing the login page to show the token tab instead of the oidc/ one.

Unauthenticated: /ui/vault/auth?with=oidc%2F
After logout: /ui/vault/auth?with=token
(screenshots of the two login pages omitted)

To Reproduce
Steps to reproduce the behavior:

  1. Configure OIDC backend at oidc/
  2. Tune OIDC backend with vault auth tune -listing-visibility="unauth" oidc/
  3. Login with OIDC
  4. Click signout

Expected behavior
The same default auth page is shown. In our case, oidc/.

Environment:

  • Vault Server Version (retrieve with vault status): 1.5.4

Vault oidc backend configuration:

vault auth enable oidc

vault write auth/oidc/config \
    oidc_discovery_url="https://login.microsoftonline.com/$TENANT_SECRET/v2.0" \
    oidc_client_id="$CLIENT_ID" \
    oidc_client_secret="$CLIENT_SECRET" \
    default_role="oidc-default"

vault write auth/oidc/role/oidc-default \
    bound_audiences="$CLIENT_ID" \
    allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    oidc_scopes="profile email https://graph.microsoft.com/.default" \
    user_claim="preferred_username" \
    claim_mappings="name=name" \
    claim_mappings="email=email" \
    groups_claim="groups" \
    ttl="12h" \
    token_explicit_max_ttl="12h" \
    policies=""

vault auth tune \
    -listing-visibility="unauth" \
    -description="Login with your Corporate account" \
    oidc/

Additional information
When I look at the network trace in the debug console during the login flow, the referer is /ui/vault/auth?with=oidc%2F up to the /v1/auth/token/lookup-self, then it switches to /ui/vault/auth?with=token for the next call to /v1/sys/internal/ui/resultant-acl.
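As an added example (not code from the issue or from Vault itself), the following checks which auth mounts are tuned to be visible on the unauthenticated login page and whether a landing URL such as the post-logout /ui/vault/auth?with=token selects one of them. The sample is constructed in the shape of `vault auth list -format=json` output; the `config.listing_visibility` field name is assumed from that output.

```python
"""Added example (not from the issue or from Vault): check which auth mounts are
tuned unauth-visible and whether a login URL the browser lands on after logout
points at one of them, reproducing the symptom described in the report."""
import json
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample in the shape of `vault auth list -format=json`; the
# `config.listing_visibility` field is assumed from the CLI's JSON output.
SAMPLE_AUTH_LIST = json.loads("""
{
  "token/": {"type": "token", "description": "token based credentials",
             "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                        "listing_visibility": "hidden", "token_type": "default-service"}},
  "oidc/":  {"type": "oidc", "description": "Login with your Corporate account",
             "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                        "listing_visibility": "unauth", "token_type": "default-service"}},
  "okta/":  {"type": "okta", "description": "legacy okta (constructed)",
             "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                        "listing_visibility": "", "token_type": "default-service"}}
}
""")

def unauth_visible_mounts(auth_list):
    """Paths tuned with -listing-visibility=unauth (shown as tabs before login)."""
    return sorted(path for path, mount in auth_list.items()
                  if mount.get("config", {}).get("listing_visibility") == "unauth")

def login_url_for(mount_path):
    """UI login URL that pre-selects a mount; '/' is percent-encoded, giving with=oidc%2F."""
    return "/ui/vault/auth?with=" + quote(mount_path, safe="")

def selected_tab(login_url):
    """The mount path (or the built-in 'token' tab) the login page will show for this URL."""
    params = parse_qs(urlsplit(login_url).query)
    return params.get("with", [None])[0]

def lands_on_visible_tab(login_url, auth_list):
    """True when the landing URL selects a mount tuned unauth-visible; False is
    the reported behaviour, where the UI falls back to with=token after logout."""
    return selected_tab(login_url) in unauth_visible_mounts(auth_list)

if __name__ == "__main__":
    print("unauth-visible mounts:", unauth_visible_mounts(SAMPLE_AUTH_LIST))
    for url in ("/ui/vault/auth?with=oidc%2F", "/ui/vault/auth?with=token"):
        print(url, "->", lands_on_visible_tab(url, SAMPLE_AUTH_LIST))
```

Feeding the real `vault auth list -format=json` output into `unauth_visible_mounts` confirms step 2 of the reproduction took effect, and `lands_on_visible_tab` applied to the URL captured after logout shows whether the fallback to the token tab is occurring.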

@erickufrin-okta

+1

This creates confusion for our users. It's compounded by the fact that we use Okta and have both the okta-oidc and legacy okta auth methods enabled at the same time.

Because of timeouts our users are led towards Other and the 'okta' method in that drop down.

@saikatharryc

+1

@frank-berlin

+1

@voiprodrigo

+1

@NagenderPulluri

+1


bmoleda commented Dec 13, 2022

+1


@hashishaw

I believe this was fixed as part of #14916 (version 1.10.1 and later). Closing, but please feel free to reopen if the issue comes up again!
