
Commit f2e698f

committed
fix: correct OIDC auth_url and callback API paths
The Vault OIDC JWT plugin registers routes under an internal oidc/ prefix within the mount point. When mounted at "oidc", the correct paths are auth/oidc/oidc/auth_url and auth/oidc/oidc/callback — not auth/oidc/auth_url and auth/oidc/callback. Also switch the callback from Write (PUT) to ReadWithData (GET) to match the official vault CLI behaviour, fixing HTTP 405 errors.
1 parent ae4b047 commit f2e698f


1 file changed

+11
-8
lines changed


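--- a/internal/vault/oidc.go
+++ b/internal/vault/oidc.go
@@ -58,15 +58,16 @@ func OIDCAuth(client *Client, role string) error {
 return nil
 }
 
-// requestAuthURL calls Vault's auth/oidc/auth_url endpoint to get the URL
-// the user must visit to authenticate.
+// requestAuthURL calls Vault's auth/oidc/oidc/auth_url endpoint to get the URL
+// the user must visit to authenticate. The path is mount ("oidc") + plugin
+// route ("oidc/auth_url"), matching the official vault CLI behaviour.
 func requestAuthURL(client *Client, role string, redirectURI string) (string, string, error) {
 data := map[string]interface{}{
 "role": role,
 "redirect_uri": redirectURI,
 }
 
-secret, err := client.inner.Logical().Write("auth/oidc/auth_url", data)
+secret, err := client.inner.Logical().Write("auth/oidc/oidc/auth_url", data)
 if err != nil {
 return "", "", fmt.Errorf("requesting OIDC auth URL: %w", err)
 }
@@ -132,14 +133,16 @@ func waitForCallback(listener net.Listener) (*oidcCallbackResult, error) {
 }
 
 // exchangeOIDCCode exchanges the authorization code and state for a Vault token.
+// The callback endpoint expects a GET (ReadWithData), not a PUT/POST, matching
+// the official vault CLI behaviour.
 func exchangeOIDCCode(client *Client, code string, state string, clientNonce string) (string, error) {
-data := map[string]interface{}{
-"code": code,
-"state": state,
-"client_nonce": clientNonce,
+data := map[string][]string{
+"code": {code},
+"state": {state},
+"client_nonce": {clientNonce},
 }
 
-secret, err := client.inner.Logical().Write("auth/oidc/callback", data)
+secret, err := client.inner.Logical().ReadWithData("auth/oidc/oidc/callback", data)
 if err != nil {
 return "", fmt.Errorf("exchanging OIDC code for token: %w", err)
 }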
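Review bot: The authorization code, state and client_nonce now travel as query-string parameters of a GET in `ReadWithData("auth/oidc/oidc/callback", data)`, whereas the previous `Write` carried them in the request body, so they can show up in proxy and server access logs that record the request URL; if the plugin indeed only serves GET (the 405 in the commit message suggests so) this is a caveat worth recording next to the call, e.g. `// Sent as query params (the plugin serves GET only): keep this request out of URL-logging proxies.`. The mount name is also baked into both literals, `"auth/oidc/oidc/auth_url"` in requestAuthURL and `"auth/oidc/oidc/callback"` here, so an auth method mounted under any other name silently breaks; a single `const oidcMount = "oidc"` joined with `path.Join("auth", oidcMount, "oidc/callback")` would keep the two paths in step and make the mount configurable later. Both requestAuthURL and exchangeOIDCCode continue past the end of their hunks.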
