Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redirect URL listener bind should be configurable #29064

Open
wandergeek opened this issue Dec 2, 2024 · 1 comment
Open

Redirect URL listener bind should be configurable #29064

wandergeek opened this issue Dec 2, 2024 · 1 comment

Comments

@wandergeek
Copy link

Is your feature request related to a problem? Please describe.
When doing an oidc vault login, the listener for the response will only receive on localhost. This behavior is mostly fine, except when trying to perform authorization within a container. The response to the listener fails because its bound to the local container interface and won't allow connections from the host.

Describe the solution you'd like
It would be nice if we could bind the 8250 listener on 0.0.0.0 as a configurable switch. This would allow the response from the OIDC provider to filter through to the container.

Describe alternatives you've considered
An alternative solution would be to allow alternative ports in the redirect_uris configuration and do some kind of forwarding via socat or otherwise. This is obviously kludgy and prone to failure.

Explain any additional use-cases
This could help customers test their solutions in containerized environments.

Additional context

Current

> vault login -token-only -method='oidc'
> netstat -tuln
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:8250          0.0.0.0:*               LISTEN  

Proposed

> vault login -token-only -method='oidc' bind=0.0.0.0
> netstat -tuln
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8250          0.0.0.0:*               LISTEN  
@wandergeek
Copy link
Author

BTW, I was able to work around this by upgrading my local docker installation which finally provides host networking on mac OS (v4.36.0). I still think this could be a useful feature, but feel free to close this if this is not of interest to you. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants