You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
When doing an oidc vault login, the listener for the response will only receive on localhost. This behavior is mostly fine, except when trying to perform authorization within a container. The response to the listener fails because its bound to the local container interface and won't allow connections from the host.
Describe the solution you'd like
It would be nice if we could bind the 8250 listener on 0.0.0.0 as a configurable switch. This would allow the response from the OIDC provider to filter through to the container.
Describe alternatives you've considered
An alternative solution would be to allow alternative ports in the redirect_uris configuration and do some kind of forwarding via socat or otherwise. This is obviously kludgy and prone to failure.
Explain any additional use-cases
This could help customers test their solutions in containerized environments.
Additional context
Current
> vault login -token-only -method='oidc'
> netstat -tuln
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8250 0.0.0.0:* LISTEN
BTW, I was able to work around this by upgrading my local docker installation which finally provides host networking on mac OS (v4.36.0). I still think this could be a useful feature, but feel free to close this if this is not of interest to you. Thanks!
Is your feature request related to a problem? Please describe.
When doing an
oidc
vault login, the listener for the response will only receive on localhost. This behavior is mostly fine, except when trying to perform authorization within a container. The response to the listener fails because its bound to the local container interface and won't allow connections from the host.Describe the solution you'd like
It would be nice if we could bind the
8250
listener on0.0.0.0
as a configurable switch. This would allow the response from the OIDC provider to filter through to the container.Describe alternatives you've considered
An alternative solution would be to allow alternative ports in the
redirect_uris
configuration and do some kind of forwarding viasocat
or otherwise. This is obviously kludgy and prone to failure.Explain any additional use-cases
This could help customers test their solutions in containerized environments.
Additional context
Current
Proposed
The text was updated successfully, but these errors were encountered: