I'm having issues configuring HashiCorp Vault as an OIDC realm provider for PVE. Once configured, I'm getting the following error when I try to log in:
Code:
OpenID redirect failed.
Failed to parse server response (500)
This is the realm configuration:
Code:
openid: vault
    client-id <REDACTED>
    issuer-url https://vault.<REDACTED>/v1/identity/oidc/provider/default
    autocreate 1
    client-key hvo_secret_<REDACTED>
    default 0
    username-claim username
And this is what the well-known configuration URL gives:
JSON:
{
"issuer": "https://vault.<REDACTED>/v1/identity/oidc/provider/default",
"jwks_uri": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/.well-known/keys",
"authorization_endpoint": "https://vault.<REDACTED>/ui/vault/identity/oidc/provider/default/authorize",
"token_endpoint": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/token",
"userinfo_endpoint": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/userinfo",
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"id_token_signing_alg_values_supported": [
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"EdDSA"
],
"response_types_supported": [
"code"
],
"scopes_supported": [
"email",
"groups",
"profile",
"openid"
],
"subject_types_supported": [
"public"
],
"grant_types_supported": [
"authorization_code"
],
"token_endpoint_auth_methods_supported": [
"none",
"client_secret_basic",
"client_secret_post"
]
}
This URL is the only one requested from Vault before the error is triggered.
Now, I've already tried a few things since the basic Vault provider is very bare-bones. Namely, I've had to create the email and profile scopes myself, after reading somewhere in this forum that they were required (this should probably be mentioned in the documentation wiki, along with the specific fields PVE actually uses).
Bash:
# base64 -w 0 (GNU coreutils) keeps the encoded template on a single line,
# and the quoted printf passes the template text through exactly as written.

# Create the email scope
EMAIL_SCOPE_TEMPLATE='{
  "email": {{identity.entity.metadata.email}}
}'
vault write identity/oidc/scope/email \
  description="The email scope provides the standard email claims using Vault identity entity metadata" \
  template="$(printf '%s' "${EMAIL_SCOPE_TEMPLATE}" | base64 -w 0)"

# Create the profile scope
PROFILE_SCOPE_TEMPLATE='{
  "name": {{identity.entity.metadata.name}},
  "family_name": {{identity.entity.metadata.family_name}},
  "given_name": {{identity.entity.metadata.given_name}},
  "preferred_username": {{identity.entity.name}}
}'
vault write identity/oidc/scope/profile \
  description="The profile scope provides the standard profile claims using Vault identity entity metadata" \
  template="$(printf '%s' "${PROFILE_SCOPE_TEMPLATE}" | base64 -w 0)"

# Create the groups scope
GROUPS_SCOPE_TEMPLATE='{
  "groups": {{identity.entity.groups.names}}
}'
vault write identity/oidc/scope/groups \
  description="The groups scope provides the groups claim using Vault group membership" \
  template="$(printf '%s' "${GROUPS_SCOPE_TEMPLATE}" | base64 -w 0)"

# Add all those scopes to the default provider
vault write identity/oidc/provider/default \
  scopes_supported="email,profile,groups"
What is not clear, however, is the exact fields expected from the email and profile scopes by PVE, since I'm not terribly familiar with OIDC yet. Can I just fill in the one I need, or do I need to add blank variables for every single one listed in the spec? Anyway, since no authentication request is ever actually made, I'm doubtful this is my issue here.
Just to list everything, this is also how I did the client setup on Vault:
Bash:
vault write identity/oidc/client/proxmox-<REDACTED> \
redirect_uris="https://px1.<REDACTED>:8006" \
assignments="allow_all"
And this is the output I get for the client config data:
Code:
Key Value
--- -----
access_token_ttl 24h
assignments [allow_all]
client_id <REDACTED>
client_secret hvo_secret_<REDACTED>
client_type confidential
id_token_ttl 24h
key default
redirect_uris [https://px1.<REDACTED>:8006]
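An added check, not part of the post and not Proxmox or Vault code, covering the two pieces the post shows: the discovery document (does the advertised issuer match the configured issuer-url exactly, and does it advertise the endpoints, flow, scopes and signing algorithm a relying party needs) and the scope templates (does the base64 handed to `template=` decode to a JSON object that renders to the claims the scope is meant to carry). Assumptions: the discovery JSON and the templates are copied from the post with the hostname left redacted; the requested scope list `openid email profile` is a guess, since the post does not say which scopes PVE asks for; the function and helper names are mine.

```python
import base64
import json
import re

# Constructed sample input: the discovery document quoted in the post, with the
# hostname redacted exactly as in the post.
DISCOVERY_DOC = {
    "issuer": "https://vault.<REDACTED>/v1/identity/oidc/provider/default",
    "jwks_uri": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/.well-known/keys",
    "authorization_endpoint": "https://vault.<REDACTED>/ui/vault/identity/oidc/provider/default/authorize",
    "token_endpoint": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/token",
    "userinfo_endpoint": "https://vault.<REDACTED>/v1/identity/oidc/provider/default/userinfo",
    "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"],
    "response_types_supported": ["code"],
    "scopes_supported": ["email", "groups", "profile", "openid"],
    "grant_types_supported": ["authorization_code"],
    "token_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post"],
}

# issuer-url from the realm configuration in the post. The scope list is an
# assumption: the post does not say which scopes PVE requests, so this is the
# usual set a relying party asks for to obtain email and profile claims.
ISSUER_URL = "https://vault.<REDACTED>/v1/identity/oidc/provider/default"
REQUESTED_SCOPES = ("openid", "email", "profile")


def check_discovery(doc, issuer_url, requested_scopes):
    """Return a list of findings; an empty list means the document advertises
    what a relying party configured with issuer_url needs."""
    findings = []
    # OpenID Connect Discovery requires the advertised issuer to equal the value
    # the client was configured with, character for character (a trailing slash
    # or a different path is a mismatch).
    if doc.get("issuer") != issuer_url:
        findings.append(f"issuer mismatch: advertised {doc.get('issuer')!r}, configured {issuer_url!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            findings.append(f"missing required endpoint: {key}")
        elif not url.startswith("https://"):
            findings.append(f"{key} is not served over https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow not advertised in response_types_supported")
    missing = [s for s in requested_scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        findings.append(f"requested scopes not advertised: {missing}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 not offered for ID token signing")
    return findings


# Vault identity templating placeholder, e.g. {{identity.entity.metadata.email}}
PLACEHOLDER = re.compile(r"\{\{\s*identity\.[A-Za-z0-9_.]+\s*\}\}")


def encode_template(template_text):
    """Single-line base64, what `printf '%s' "$T" | base64 -w 0` yields."""
    return base64.b64encode(template_text.encode()).decode()


def wrap_like_gnu_base64(encoded):
    """Mimic GNU base64 without -w 0: output folded at 76 columns."""
    return "\n".join(encoded[i:i + 76] for i in range(0, len(encoded), 76))


def check_scope_template(template_b64, expected_claims):
    """Decode a base64 scope template, stand in a JSON string for every
    placeholder and verify the result is a JSON object carrying expected_claims."""
    findings = []
    if "\n" in template_b64.strip():
        findings.append("base64 contains line breaks (encode with base64 -w 0)")
    try:
        raw = base64.b64decode("".join(template_b64.split()), validate=True).decode()
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return findings + [f"template is not valid base64: {exc}"]
    rendered = PLACEHOLDER.sub('"sample"', raw)
    try:
        obj = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return findings + [f"template does not render to JSON: {exc}"]
    if not isinstance(obj, dict):
        return findings + ["template must render to a JSON object"]
    findings.extend(f"claim {c!r} missing from template" for c in expected_claims if c not in obj)
    return findings


# Constructed from the email and profile scope templates in the post.
EMAIL_TEMPLATE = '{\n  "email": {{identity.entity.metadata.email}}\n}'
PROFILE_TEMPLATE = (
    '{\n  "name": {{identity.entity.metadata.name}},\n'
    '  "family_name": {{identity.entity.metadata.family_name}},\n'
    '  "given_name": {{identity.entity.metadata.given_name}},\n'
    '  "preferred_username": {{identity.entity.name}}\n}'
)

if __name__ == "__main__":
    print("discovery:", check_discovery(DISCOVERY_DOC, ISSUER_URL, REQUESTED_SCOPES) or "ok")
    print("email scope:", check_scope_template(encode_template(EMAIL_TEMPLATE), ["email"]) or "ok")
    print("profile scope:", check_scope_template(encode_template(PROFILE_TEMPLATE),
                                                 ["name", "preferred_username"]) or "ok")
    print("wrapped profile scope:",
          check_scope_template(wrap_like_gnu_base64(encode_template(PROFILE_TEMPLATE)), ["name"]))
```

Run as is, the discovery document and both templates from the post come back clean, and the wrapped case shows what `base64` without `-w 0` produces for a template longer than 57 bytes. To use it against a live provider, replace `DISCOVERY_DOC` with the parsed body of the `.well-known/openid-configuration` URL and feed `check_scope_template` the exact string you pass to `template=`.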