IBM Support

OIDC Login via CLI on a Headless Server

How To

Steps

Introduction

The Vault OIDC auth method's CLI login accepts parameters that customize the callback listener. Using the callbackhost and listenaddress parameters (the latter is the parameter used in the login command below), it is possible to achieve the goal of this guide.

Expected Outcome

Upon completion of this guide, it will be possible to login via CLI with OIDC auth on a headless server.

Prerequisites (if applicable)

  • Vault v1.5 or later running on the remote server
  • Vault OIDC auth method already configured
  • Vault CLI on a local machine
  • Internet browser on local machine
  • Familiarity with operating Vault
  • Familiarity with OIDC / OIDC auth method

Use Case

A Vault operator may need to authenticate via OIDC from a remote server which has no internet browser.

Procedure

This guide assumes the OIDC auth method is already configured and servicing logins. This guide will walk through the changes needed to make CLI login via a headless server work.

If OIDC auth has not been set up, please visit OIDC Provider Configuration.

The OIDC Auth Method tutorial linked at the bottom of this guide was used to set up a working example with Auth0 as the provider. The remote server used is an EC2 instance with a public IP.

  • Write the role configuration, adding the public address (DNS name or IP) of the remote server as an allowed redirect URI:

    vault write auth/oidc/role/reader \
        bound_audiences="$AUTH0_CLIENT_ID" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        allowed_redirect_uris="http://<PUBLIC DNS of EC2 instance>:8200/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://<PUBLIC DNS of EC2 instance>:8250/oidc/callback" \
        user_claim="sub" \
        policies="reader"

The example role configuration above lists three redirect URIs. The first (localhost:8250) allows CLI login on the remote host itself and the second allows UI login on the remote host. The third is the one this guide depends on: it allows a CLI login where the browser on your local machine delivers the callback to the CLI listener on the remote host's public address.

  • Add the same three URIs to the list of allowed callback URLs in your OIDC provider.
  • Perform the CLI login from the remote server:

    vault login -method=oidc role="reader" \
        listenaddress="<PUBLIC DNS of EC2 instance>" \
        callbackhost="<PUBLIC DNS of EC2 instance>" \
        skip_browser=true

Note: In the login command above, it is not necessary to include the method (http/https) or the port in the listenaddress and callbackhost values.

Response:

Complete the login via your OIDC provider. Open the following link in your browser:
https://foo.us.auth0.com/authorize?client_id=XXXxXXXxXXX&code_challenge=XXXxXXXxXXX&code_challenge_method=S256&nonce=XXXxXXXxXXX&redirect_uri=http%3A%2F%2Fec2-12-34-567-890.us-west-2.compute.amazonaws.com%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid&state=XXXxXXXxXXX
  • Copy/paste the URL provided in the response into the browser on your local machine.
  • The Vault UI will display the message:

    • Signed in via your OIDC provider

      You can now close this window and start using Vault.

  • The remote CLI will complete authentication with this output:
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                  Value
---                  -----
token                hvs.XXXxXXXxXXX
token_accessor       8FGGWTMFVvaWfAI6MlVUJhHI
token_duration       768h
token_renewable      true
token_policies       ["reader" "default"]
identity_policies    []
policies             ["reader" "default"]
token_meta_role      default
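As an added example (not part of this guide and not Vault's own code), the following Python models how the CLI's callback parameters become the redirect_uri that must exactly match an entry in the role's allowed_redirect_uris, and extracts that value from the authorize URL shown in the response above. The EC2 hostname is a constructed stand-in for the placeholder used in the guide; the defaults (http, localhost, 8250) are the Vault CLI's defaults for callbackmethod, callbackhost and callbackport.

```python
from urllib.parse import urlparse, parse_qs

# Vault CLI defaults used when callbackmethod/callbackhost/callbackport are omitted;
# this is why the login command above only needs the host.
DEFAULT_CALLBACK_METHOD = "http"
DEFAULT_CALLBACK_HOST = "localhost"
DEFAULT_CALLBACK_PORT = 8250
CALLBACK_PATH = "/oidc/callback"

# Constructed stand-in for "<PUBLIC DNS of EC2 instance>" in the guide.
REMOTE_HOST = "ec2-12-34-567-890.us-west-2.compute.amazonaws.com"

# The three allowed_redirect_uris from the role written above, placeholder filled in.
ALLOWED_REDIRECT_URIS = [
    "http://localhost:8250/oidc/callback",
    f"http://{REMOTE_HOST}:8200/ui/vault/auth/oidc/oidc/callback",
    f"http://{REMOTE_HOST}:8250/oidc/callback",
]


def cli_redirect_uri(callbackhost=None, callbackmethod=None, callbackport=None):
    """Build the redirect_uri the CLI sends to the provider from its callback parameters."""
    method = callbackmethod or DEFAULT_CALLBACK_METHOD
    host = callbackhost or DEFAULT_CALLBACK_HOST
    port = callbackport or DEFAULT_CALLBACK_PORT
    return f"{method}://{host}:{port}{CALLBACK_PATH}"


def redirect_uri_allowed(redirect_uri, allowed=ALLOWED_REDIRECT_URIS):
    """Exact string match against the role's allow-list, as Vault checks it.
    Normalising (e.g. ignoring scheme or port) would widen the allow-list."""
    return redirect_uri in allowed


def redirect_uri_from_authorize_url(authorize_url):
    """Return the percent-decoded redirect_uri from the authorize URL Vault prints, or None."""
    values = parse_qs(urlparse(authorize_url).query).get("redirect_uri", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    uri = cli_redirect_uri(callbackhost=REMOTE_HOST)
    print(uri, "allowed" if redirect_uri_allowed(uri) else "REJECTED")
    bad = cli_redirect_uri(callbackhost=REMOTE_HOST, callbackmethod="https")
    print(bad, "allowed" if redirect_uri_allowed(bad) else "REJECTED")
```

Running the script shows that changing only the scheme or port of an otherwise correct callback is rejected, which is the usual cause of an "unauthorized redirect_uri" style failure when the role and provider allow-lists do not match the login command exactly.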

Additional Information

Document Location

Worldwide


Historical Number

15874139143955

Document Information

Modified date:
16 March 2026

UID

ibm17264472