hashicorp / vault-plugin-auth-jwt

A Vault plugin to allow authentication via JWT (and OIDC) tokens
Mozilla Public License 2.0

oidc login fails with wrap-ttl flag set #312

Open karlhungus opened 1 month ago

karlhungus commented 1 month ago

When making login calls for oidc, adding e.g. -wrap-ttl=5m to the command causes the following failure:

Error

➜ vault login -method="oidc"  -wrap-ttl="5m"
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc0027fd2c0, {0x0, 0x0}, {0xc003430690, 0x5}, {0xa914ee2, 0x4}, {0xa914cae, 0x4}, {0xa92388d, ...})
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.16.0/cli.go:234 +0x47d
github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0xc0027fd2c0?, 0xc0027fd2c0, 0xc003443b30)
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.16.0/cli.go:118 +0x4b9
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc00343c140, {0xc0001a0160, 0x2, 0x2})
        /private/tmp/vault-20230929-6403-1ycfjj9/command/login.go:228 +0x5b7
github.com/mitchellh/cli.(*CLI).Run(0xc0027a9900)
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/mitchellh/cli@v1.1.5/cli.go:262 +0x5b8
github.com/hashicorp/vault/command.RunCustom({0xc0001a0150?, 0x3?, 0x3?}, 0xc0000061a0?)
        /private/tmp/vault-20230929-6403-1ycfjj9/command/main.go:241 +0x9fd
github.com/hashicorp/vault/command.Run(...)
        /private/tmp/vault-20230929-6403-1ycfjj9/command/main.go:145
main.main()
        /private/tmp/vault-20230929-6403-1ycfjj9/main.go:19 +0x47

Appears to originate here: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/release/vault-1.16.x/cli.go#L234. My guess is that the wrapped token doesn't have an auth url because it's wrapping an earlier response.

cli version

➜ vault -version
Vault v1.14.4 ('ccdd48d1f7b95fc99fd11d67fc1c687576b338de+CHANGES'), built 2023-09-22T21:29:05Z

Background (probably unrelated to this plugin)

My intent was to open vault ui with a wrapped token saving users from copying and pasting the token i.e.: /ui/vault/auth?with=token&wrapped_token=${wrapped_token}.

I couldn't find any documentation on how to wrap an oidc token via, say, curl requests for oidc, to allow manually fetching the token and opening the ui directly with it. The jwt version of this is:

❯ curl -ks -X POST -H 'Content-Type: application/json' -H 'x-vault-wrap-ttl: 15m' -d '{
  "role":"xyz",
  "jwt":"jwttoken"
}' https://localhost:34804/v1/auth/jwt/login

but oidc equivalents don't seem to work.
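
The panic in the trace above is an unchecked `.(string)` assertion on a response that carries no auth_url. The following is an added Go example, not the plugin's own code: a constructed stand-in for the response type (assumed shape, the real CLI uses api.Secret) with the unchecked extraction beside a checked variant that turns a wrapped or malformed response into an error instead of a crash.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret is a constructed stand-in for the Vault API response (assumed
// shape; the plugin uses api.Secret). Only the fields relevant here.
type Secret struct {
	Data     map[string]interface{}
	WrapInfo *WrapInfo // non-nil when the request carried a wrap TTL
}

type WrapInfo struct {
	Token string
	TTL   int
}

// authURLUnchecked mirrors the failing pattern: indexing a missing key
// yields a nil interface, and asserting nil to string panics with
// "interface conversion: interface {} is nil, not string".
func authURLUnchecked(s *Secret) string {
	return s.Data["auth_url"].(string)
}

// authURLChecked is the defensive form: detect a wrapped response first,
// then use the comma-ok assertion so a missing or mistyped field is an error.
func authURLChecked(s *Secret) (string, error) {
	if s == nil {
		return "", errors.New("nil response from auth_url endpoint")
	}
	if s.WrapInfo != nil {
		return "", fmt.Errorf("response is wrapped (ttl %ds); auth_url is not present on a wrapped response", s.WrapInfo.TTL)
	}
	raw, present := s.Data["auth_url"]
	if !present {
		return "", errors.New("response has no auth_url field")
	}
	u, ok := raw.(string)
	if !ok || u == "" {
		return "", fmt.Errorf("auth_url has unexpected type %T", raw)
	}
	return u, nil
}

// panicMessage runs f and returns the recovered panic text ("" if none).
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	// Constructed sample: what a wrapped login response looks like to the CLI.
	wrapped := &Secret{WrapInfo: &WrapInfo{Token: "hvs.CONSTRUCTED", TTL: 300}}
	fmt.Println("unchecked:", panicMessage(func() { authURLUnchecked(wrapped) }))
	_, err := authURLChecked(wrapped)
	fmt.Println("checked:  ", err)
}
```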

karlhungus commented 1 month ago

This appears on latest vault as well:

❯ vault -version
Vault v1.17.2 (2af5655e364f697a15b1dc2db2c3f85f6ef949f2), built 2024-07-05T15:19:12Z
➜ vault login -wrap-ttl=15m  -tls-skip-verify -method=oidc -token-only
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc0034e1a20, {0x7ff7b8f93ca9, 0xb}, {0xc002be6c40, 0x5}, {0xfb201b5, 0x4}, {0xfb1ff01, 0x4}, {0xfb2edfe, ...})
        /home/runner/go/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.21.0/cli.go:234 +0x47d
github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0xc0034e1a20?, 0xc0034e1a20, 0xc0037b0300)
        /home/runner/go/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.21.0/cli.go:118 +0x4a7
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc003786690, {0xc0001e21e0, 0x5, 0x5})
        /home/runner/work/vault/vault/command/login.go:228 +0x5b7
github.com/hashicorp/cli.(*CLI).Run(0xc003788dc0)
        /home/runner/go/pkg/mod/github.com/hashicorp/cli@v1.1.6/cli.go:265 +0x5b8
github.com/hashicorp/vault/command.RunCustom({0xc0001e21d0?, 0x6?, 0x6?}, 0xc0000061c0?)
        /home/runner/work/vault/vault/command/main.go:243 +0x9a6
github.com/hashicorp/vault/command.Run(...)
        /home/runner/work/vault/vault/command/main.go:147
main.main()
        /home/runner/work/vault/vault/main.go:13 +0x47

karlhungus commented 1 month ago

For people looking to work around this, you can force the token to wrap itself by using renew:

export VAULT_TOKEN=$(vault login -address="https://127.0.0.1:${LOCALPORT}" -method=oidc -token-only -tls-skip-verify role="${ROLE}")
wrapped_token=$(vault token renew -wrap-ttl="5m" -address="https://127.0.0.1:${LOCALPORT}" -tls-skip-verify -format=json | jq -r .wrap_info.token)