vault: revert to confidential client, Web UI only (no CLI)

terraform/vault/approle.tf

@@ -106,6 +106,7 @@ locals {
         "secret/data/hosts/kanidm01/*",
         "secret/data/kanidm/*",
         "secret/data/services/grafana/*",
+        "secret/data/services/openbao/*",
       ]
     }
 

terraform/vault/oidc.tf

@@ -1,10 +1,11 @@
 # OIDC authentication backend for Kanidm integration
-# Using a public client (no secret) to support CLI localhost redirects
+# Web UI only - CLI localhost redirects not supported with confidential clients
 resource "vault_jwt_auth_backend" "oidc" {
   path               = "oidc"
   type               = "oidc"
   oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
   oidc_client_id     = "openbao"
+  oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
   default_role       = "default"
 
   tune {
@@ -27,7 +28,6 @@ resource "vault_jwt_auth_backend_role" "admin" {
   role_type    = "oidc"
 
   allowed_redirect_uris = [
-    "http://localhost:8250/oidc/callback",
     "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
   ]
 }
@@ -43,7 +43,6 @@ resource "vault_jwt_auth_backend_role" "default" {
   role_type    = "oidc"
 
   allowed_redirect_uris = [
-    "http://localhost:8250/oidc/callback",
     "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
   ]
 }

terraform/vault/secrets.tf

@@ -115,6 +115,11 @@ locals {
       password_length = 64
     }
 
+    # OpenBao OAuth2 client secret (for Kanidm OIDC)
+    "services/openbao/oauth2-client-secret" = {
+      auto_generate   = true
+      password_length = 64
+    }
 
     # NKey for nixos-exporter NATS cache sharing
     "shared/nixos-exporter/nkey" = {