
OIDC login flow can't complete with AWS Cognito

Open alkersan opened this issue 1 year ago • 0 comments

I've configured Vault with the OIDC auth method with AWS Cognito as the provider. The login fails at the very end of the flow, when the popup window tries to post the auth code message back to the parent window. I believe this is due to the same reason as described in #18648, i.e. when redirected to the Cognito login portal, it sets Cross-Origin-Opener-Policy: same-origin, which prevents posting messages across windows.

To Reproduce

  1. Configure the OIDC auth method using AWS Cognito as the provider. It's pretty generic: all required claims are included in the JWT, and it is supposed to work even with external group mapping
  2. Try to log in with OIDC from the web UI
  3. Get the error Cannot read properties of null (reading 'postMessage'), which can be traced back here (see screenshot "Screenshot 2024-04-22 at 20 11 09")
  4. Screen recording is below

https://github.com/hashicorp/vault/assets/527045/d2f92ebf-e506-4513-a65d-1fda6d0eb9a6

Environment:

  • Vault Server Version (retrieve with vault status): 1.16.1
  • Vault CLI Version (retrieve with vault version): 1.16.1 (6b5986790d7748100de77f7f127119c4a0f78946), built 2024-04-03T12:35:53Z
  • Server Operating System/Architecture: Debian 12 (bookworm), Linux 6.6.20

Additional context

Logging in from the CLI (vault login -method=oidc -path=cognito) is working fine

alkersan, Apr 23 '24 00:04
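The failure described in this issue comes from the popup callback page assuming that window.opener is still set; once the IdP's login page is served with Cross-Origin-Opener-Policy: same-origin, the browser severs that link and the reference is null. The following is an added example, not Vault's UI code: a callback page that checks for a severed opener and falls back to a BroadcastChannel (which does not depend on the opener relationship), together with the parent page's origin and state checks. The message shape, the channel name "oidc-callback", the host vault.example.test and the stub window objects in demo() are all constructed for illustration and do not come from the issue.

```javascript
// Added example (not Vault's code). Hypothetical names: CHANNEL_NAME,
// MESSAGE_TYPE, the message shape { type, code, state } and the stubs in demo().

const CHANNEL_NAME = "oidc-callback"; // hypothetical channel name
const MESSAGE_TYPE = "oidc-result";   // hypothetical message tag

// Parse the IdP's redirect back to the callback URL.
function parseCallback(urlString) {
  const url = new URL(urlString);
  const error = url.searchParams.get("error");
  if (error) return { ok: false, error };
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code || !state) return { ok: false, error: "missing code or state" };
  return { ok: true, code, state };
}

// Callback-page side. `popup` is the callback window (window in a browser,
// a stub here); `makeChannel` builds a BroadcastChannel-like object.
// Returns which path delivered the message so the caller can log it.
function deliverResult(popup, result, parentOrigin, makeChannel) {
  const message = { type: MESSAGE_TYPE, code: result.code, state: result.state };
  if (popup.opener) {
    // Name the parent origin explicitly; "*" would hand the code to any
    // document that happened to open this popup.
    popup.opener.postMessage(message, parentOrigin);
    return "opener";
  }
  // COOP: same-origin on the IdP's page severed the opener reference. An
  // unchecked popup.opener.postMessage(...) is exactly what throws
  // "Cannot read properties of null (reading 'postMessage')".
  // BroadcastChannel reaches same-origin contexts without needing an opener.
  const channel = makeChannel(CHANNEL_NAME);
  channel.postMessage(message);
  channel.close();
  return "broadcast";
}

// Parent-page side: accept a result only from the expected origin and only
// if the state matches the one generated when the login started (the CSRF
// binding of the authorization-code flow).
function acceptResult(event, expectedOrigin, expectedState) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== MESSAGE_TYPE) return null;
  if (data.state !== expectedState) return null;
  return data.code;
}

// Stand-alone demonstration with constructed stub windows (no browser needed).
function demo() {
  const callbackUrl =
    "https://vault.example.test/ui/vault/auth/oidc/oidc/callback?code=AUTHCODE123&state=st4te";
  const result = parseCallback(callbackUrl);
  const parentOrigin = "https://vault.example.test";

  // Case 1: opener intact (IdP page without COOP).
  const received = [];
  const openerStub = { postMessage: (data, origin) => received.push({ data, origin }) };
  const viaOpener = deliverResult({ opener: openerStub }, result, parentOrigin, () => {
    throw new Error("channel not needed when the opener is intact");
  });

  // Case 2: opener severed by COOP (the Cognito case from the issue).
  const broadcast = [];
  const viaChannel = deliverResult({ opener: null }, result, parentOrigin, (name) => ({
    postMessage: (data) => broadcast.push({ name, data }),
    close: () => {},
  }));

  // Parent-side validation: correct origin is accepted, a foreign origin is not.
  const accepted = acceptResult(
    { origin: received[0].origin, data: received[0].data }, parentOrigin, "st4te");
  const rejected = acceptResult(
    { origin: "https://attacker.example.test", data: received[0].data }, parentOrigin, "st4te");

  return { viaOpener, viaChannel, broadcastName: broadcast[0].name, accepted, rejected };
}
```

In a real page, makeChannel would be `(name) => new BroadcastChannel(name)` and the parent would subscribe to the same channel name in addition to its message listener; the point of the check is that the code never dereferences window.opener without confirming it survived the redirect.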