oidc login fails with wrap-ttl flag set #312

Open
karlhungus opened this issue Jul 30, 2024 · 2 comments

Comments

@karlhungus

When making login calls for oidc, adding e.g. -wrap-ttl=5m to the command causes the following failure:

Error

➜ vault login -method="oidc"  -wrap-ttl="5m"
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc0027fd2c0, {0x0, 0x0}, {0xc003430690, 0x5}, {0xa914ee2, 0x4}, {0xa914cae, 0x4}, {0xa92388d, ...})
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/hashicorp/[email protected]/cli.go:234 +0x47d
github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0xc0027fd2c0?, 0xc0027fd2c0, 0xc003443b30)
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/hashicorp/[email protected]/cli.go:118 +0x4b9
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc00343c140, {0xc0001a0160, 0x2, 0x2})
        /private/tmp/vault-20230929-6403-1ycfjj9/command/login.go:228 +0x5b7
github.com/mitchellh/cli.(*CLI).Run(0xc0027a9900)
        /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/mitchellh/[email protected]/cli.go:262 +0x5b8
github.com/hashicorp/vault/command.RunCustom({0xc0001a0150?, 0x3?, 0x3?}, 0xc0000061a0?)
        /private/tmp/vault-20230929-6403-1ycfjj9/command/main.go:241 +0x9fd
github.com/hashicorp/vault/command.Run(...)
        /private/tmp/vault-20230929-6403-1ycfjj9/command/main.go:145
main.main()
        /private/tmp/vault-20230929-6403-1ycfjj9/main.go:19 +0x47

Appears to originate here: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/release/vault-1.16.x/cli.go#L234. My guess is that the wrapped token doesn't have an auth url because it's wrapping an earlier response.

cli version

➜ vault -version
Vault v1.14.4 ('ccdd48d1f7b95fc99fd11d67fc1c687576b338de+CHANGES'), built 2023-09-22T21:29:05Z

Background (probably unrelated to this plugin)

My intent was to open vault ui with a wrapped token saving users from copying and pasting the token i.e.: /ui/vault/auth?with=token&wrapped_token=${wrapped_token}.

I couldn't find any documentation on how to wrap an oidc token via, say, curl requests for oidc, to allow manually fetching the token and opening the ui directly with it. The jwt version of this is:

❯ curl -ks -X POST -H 'Content-Type: application/json' -H 'x-vault-wrap-ttl: 15m' -d '{
  "role":"xyz",
  "jwt":"jwttoken"
}' https://localhost:34804/v1/auth/jwt/login

but oidc equivalents don't seem to work.
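The panic above is a nil interface conversion: when the response is wrapped, the plugin receives WrapInfo and no Data, so an unchecked `.(string)` assertion on the missing auth_url crashes the CLI. The following is an added example (not the plugin's or Vault's own code, using constructed stand-in types) that reproduces that failure mode next to the defensive form a maintainer would want.

```go
package main

import "errors"
import "fmt"

// Constructed stand-ins for the two response shapes described in the issue:
// an unwrapped OIDC auth_url response carries Data; a response-wrapped one
// carries WrapInfo and leaves Data nil. Not the Vault SDK's own types.
type WrapInfo struct{ Token string }

type Secret struct {
	Data     map[string]interface{}
	WrapInfo *WrapInfo
}

// authURLUnchecked reproduces the failure mode: indexing a nil map yields a
// nil interface, and the unchecked assertion panics with
// "interface conversion: interface {} is nil, not string".
func authURLUnchecked(s *Secret) string {
	return s.Data["auth_url"].(string)
}

// authURLChecked is the defensive form: detect a wrapped response and use a
// comma-ok assertion so callers get an error instead of a crash.
func authURLChecked(s *Secret) (string, error) {
	if s.WrapInfo != nil {
		return "", errors.New("response was wrapped; auth_url is not available before the OIDC redirect")
	}
	u, ok := s.Data["auth_url"].(string)
	if !ok || u == "" {
		return "", fmt.Errorf("auth_url missing or not a string (got %T)", s.Data["auth_url"])
	}
	return u, nil
}

// panics reports whether fn panics, so the unchecked path can be shown safely.
func panics(fn func()) (p bool) {
	defer func() { p = recover() != nil }()
	fn()
	return false
}

func main() {
	wrapped := &Secret{WrapInfo: &WrapInfo{Token: "hvs.CONSTRUCTED"}}
	fmt.Println("unchecked panics on wrapped response:", panics(func() { authURLUnchecked(wrapped) }))
	_, err := authURLChecked(wrapped)
	fmt.Println("checked returns error:", err)
}
```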

@karlhungus

This appears on latest vault as well:

❯ vault -version
Vault v1.17.2 (2af5655e364f697a15b1dc2db2c3f85f6ef949f2), built 2024-07-05T15:19:12Z
➜ vault login -wrap-ttl=15m  -tls-skip-verify -method=oidc -token-only
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc0034e1a20, {0x7ff7b8f93ca9, 0xb}, {0xc002be6c40, 0x5}, {0xfb201b5, 0x4}, {0xfb1ff01, 0x4}, {0xfb2edfe, ...})
        /home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/cli.go:234 +0x47d
github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0xc0034e1a20?, 0xc0034e1a20, 0xc0037b0300)
        /home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/cli.go:118 +0x4a7
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc003786690, {0xc0001e21e0, 0x5, 0x5})
        /home/runner/work/vault/vault/command/login.go:228 +0x5b7
github.com/hashicorp/cli.(*CLI).Run(0xc003788dc0)
        /home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/cli.go:265 +0x5b8
github.com/hashicorp/vault/command.RunCustom({0xc0001e21d0?, 0x6?, 0x6?}, 0xc0000061c0?)
        /home/runner/work/vault/vault/command/main.go:243 +0x9a6
github.com/hashicorp/vault/command.Run(...)
        /home/runner/work/vault/vault/command/main.go:147
main.main()
        /home/runner/work/vault/vault/main.go:13 +0x47

@karlhungus

For people looking to work around this, you can force the token to wrap itself by using renew:

export VAULT_TOKEN=$(vault login -address="https://127.0.0.1:${LOCALPORT}" -method=oidc -token-only -tls-skip-verify role="${ROLE}")
wrapped_token=$(vault token renew -wrap-ttl="5m" -address="https://127.0.0.1:${LOCALPORT}" -tls-skip-verify -format=json | jq -r .wrap_info.token)
