Description
Describe the bug
In older versions of vault a user would be prompted to log back into Vault when their Web UI client token had expired.
Newer versions of vault do not prompt users to log back in, instead they just send an error message back to the oauth client that initiated the OIDC auth flow.
This is annoying because I have to tell those using our vault deployment that they need to go and manually log into vault before they can use any application we have OIDC enabled on.
To Reproduce
Steps to reproduce the behavior:
Run two versions of vault:
- a version of vault where this was not an issue: 1.15.6
- a recent version of vault where OIDC flows are busted: 1.17.2 (I think it broke in 1.16)
I have an example docker-compose.yml that I have been using to reproduce this issue
I also have a terraform file (main.tf) that I use to quickly configure the dev vault instances in a similar way.
This terraform state does the following:
- set up a vault user + userpass
- configure vault to allow CORS from an OIDC Debugging service (https://oidcdebugger.com/)
- add a public oidc client for the OIDC debugger
For my testing I do the following:
```shell
# start the two versions of vault
[~]$ docker compose up
# configure terraform
[~]$ terraform init \
; terraform workspace new broken \
; terraform workspace new working
# bootstrap the older version of vault that wasn't busted (v1.15.6)
[~]$ terraform workspace select working
[~]$ terraform apply -var=vault_addr=http://localhost:8200
# bootstrap a more modern version where vault appears busted
[~]$ terraform workspace select broken
[~]$ terraform apply -var=vault_addr=http://localhost:8201
```
I then open two tabs of https://oidcdebugger.com/ and fill out the required information to test out the OIDC provider feature of Vault.
I then log in to the vault ui for both versions using the test creds user:password
and manually revoke their web ui client tokens (this is so I don't need to wait for them to naturally expire):
```shell
[~]$ vault token revoke \
    -address=http://localhost:8200 \
    hvs....
[~]$ vault token revoke \
    -address=http://localhost:8201 \
    hvs....
```
I then start the OIDC flow in both of my OIDC debugger tabs.
You'll see that the older version of vault will prompt you to log in again, and if you enter the test creds again vault will complete the OIDC flow and the OIDC debugger will be happy.
In the modern version of Vault the vault ui will flash by in an instant as you are immediately redirected back to the OIDC debugger with an error saying your client token is not valid.
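An added example, not the reporter's docker-compose.yml or main.tf: a POSIX sh script that does the same bootstrap with the vault CLI (userpass user, CORS for the debugger origin, public OIDC client), builds the authorization URL the debugger sends the browser to, and classifies where the browser ends up. It assumes VAULT_ADDR and VAULT_TOKEN are exported, that the debugger's callback is https://oidcdebugger.com/debug, and that Vault's UI authorize path is /ui/vault/identity/oidc/provider/default/authorize and its login page is /ui/vault/auth.

```shell
# Assumptions (not from the original issue): VAULT_ADDR/VAULT_TOKEN are exported,
# the debugger callback is https://oidcdebugger.com/debug, and the UI paths named
# below are correct. The names "user" and "oidc-debugger" are constructed.
set -eu

# CLI equivalent of the Terraform state the reporter describes.
configure_vault() {
    vault auth enable userpass
    vault write auth/userpass/users/user password=password token_policies=default
    # CORS so the browser-based debugger may call Vault's OIDC endpoints
    vault write sys/config/cors enabled=true allowed_origins=https://oidcdebugger.com
    # Public client (no client secret) on the built-in "default" key; the built-in
    # allow_all assignment lets any entity, including the userpass user, use it
    vault write identity/oidc/client/oidc-debugger \
        redirect_uris=https://oidcdebugger.com/debug \
        client_type=public key=default assignments=allow_all
    # Print the generated client_id to paste into the debugger
    vault read -field=client_id identity/oidc/client/oidc-debugger
}

# Authorization URL the debugger redirects the browser to. It goes through the
# Vault UI (assumed path), which is where the login prompt should appear when
# the UI's client token is missing, revoked or expired.
# $1=vault address  $2=client_id  $3=state  $4=nonce
authorize_url() {
    printf '%s/ui/vault/identity/oidc/provider/default/authorize?client_id=%s&redirect_uri=%s&response_type=code&scope=openid&state=%s&nonce=%s' \
        "$1" "$2" 'https%3A%2F%2Foidcdebugger.com%2Fdebug' "$3" "$4"
}

# Classify the final URL the browser lands on after visiting the authorize URL:
#   login   = Vault's login page (the behaviour reported for 1.15.6)
#   error   = bounced straight back to the client with an error (reported for 1.17.2)
#   code    = authorization code delivered, flow completed
classify_result() {
    case "$1" in
        *"/ui/vault/auth"*) echo login ;;
        *"error="*)         echo error ;;
        *"code="*)          echo code ;;
        *)                  echo unknown ;;
    esac
}

# Only touch a live Vault when explicitly asked: sh this_script.sh configure
case "${1:-}" in
    configure) configure_vault ;;
esac
```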
Expected behavior
Vault should prompt the user to re-authenticate to vault when an OIDC client redirects a user to Vault to complete an auth flow and their vault web ui client token has expired, as it did in previous versions of Vault.
Environment:
- Vault Server Version (retrieve with `vault status`): 1.17.2
- Vault CLI Version (retrieve with `vault version`): 1.17.2
- Server Operating System/Architecture: Linux

Vault server configuration file(s): `-dev` is enough to showcase this issue.
Additional context
n/a