Segfault on oidc login

[MrBlaise]

Describe the bug
When I try to run vault login -method=oidc it gives me the following message:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x1ced39b]

goroutine 1 [running]:
github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc00023d650, 0x0, 0x0, 0xc000563919, 0x5, 0x3749781, 0x4, 0x385f1f8, 0xc000697a78, 0x1061f9e, ...)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go:118 +0x30b
github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0x594bfb8, 0xc00023d650, 0xc000657e90, 0x0, 0x0, 0x0)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go:50 +0x29a
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc0000d5cc0, 0xc0000a4050, 0x0, 0x0, 0xc00061d0e0)
	/gopath/src/github.com/hashicorp/vault/command/#.go:219 +0x3e3
github.com/hashicorp/vault/vendor/github.com/mitchellh/cli.(*CLI).Run(0xc00025b540, 0xc00025b540, 0xc00061d120, 0xc00061d020)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/mitchellh/cli/cli.go:255 +0x207
github.com/hashicorp/vault/command.RunCustom(0xc0000a4040, 0x2, 0x2, 0xc0000d5a40, 0x0)
	/gopath/src/github.com/hashicorp/vault/command/main.go:177 +0x5e4
github.com/hashicorp/vault/command.Run(0xc0000a4040, 0x2, 0x2, 0xc000094058)
	/gopath/src/github.com/hashicorp/vault/command/main.go:87 +0x48
main.main()
	/gopath/src/github.com/hashicorp/vault/main.go:10 +0x62

It used to work before. The things I changed: upgraded to 1.1.3 (both server and client), removed custom self signed cert from the server (and the env variable VAULT_CAPATH) from my local client.

After some tries it starts to work somewhat, it logs me in but fails to print out the credentials I've got. Example:

Complete the login via your OIDC provider. Launching browser to:

    https://redacted/authorize?client_id=redacted&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid&state=redacted


Error extracting token: empty response from auth helper

To Reproduce
Steps to reproduce the behavior:

1. Run vault login -method=oidc
2. See error

Expected behavior
Should not segfault, log me in, print out the policies etc. I have access to.

Environment:

• Vault Server Version (retrieve with vault status): 1.1.3
• Vault CLI Version (retrieve with vault version): 1.1.3
• Server Operating System/Architecture: MacOS

UPDATE:
In my particular case I have introduced istio when I upgraded vault and it caused some rpc calls to fail and that caused the sigsegv in the cli.

[MrBlaise]

Tried to downgrade the cli to 1.1.2 and I've got the same error. Maybe the server version causes this?

[kalafut]

While it shouldn't crash and we'll get that fixed, where it is crashing is pretty much the end of the process anyway, and the CLI doesn't have a valid authorization from the Vault server. What do the server logs say when you attempt the login?

[MrBlaise]

I figured it out. I am running vault on kubernetes and I also have istio installed and it caused the issue. The log was the following:

2019-06-19T14:27:35.099Z [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing EOF""
2019-06-19T14:27:35.099Z [ERROR] core: forward request error: error="error during forwarding RPC request"

I am not sure why was this at the moment. Disabling istio solves it.

UPDATE: I tried reenabling istio without mutual tls but I still have the problem, seems like I have to somehow tell istio to ignore these rpc calls probably.

[kalafut]

Glad you're making progress. I have no experience with Istio, but the Vault newsgroup might. In any case, we'll get this panic fixed. At least then you would have been shown a message with next steps: Unable to authorize role %q. Check Vault logs for more information.

Since the CLI is external to the Vault server, it really has no more details in cases like these.

[kalafut]

That said, it is interesting that this started appearing when you changed up your Vault version/config. I'll let the team know as I would be curious to know if other aspects of Vault might show similar symptoms.

[MrBlaise]

@kalafut It is most definitely istio I forgot that I have introduced it as well when I upgraded vault. So it is not an issue on vault's side (well the sigsegv was ugly but that's all)

[kalafut]

@MrBlaise Thanks for that context.