"'oidc_discovery_url' must be set for OIDC" when trying to use jwks_url #272

ptrovatelli opened this issue Jan 23, 2024 · 0 comments
According to the documentation, https://developer.hashicorp.com/vault/api-docs/auth/jwt#configure, we can configure a JWT auth backend with one (and only one) of

  • oidc_discovery_url
  • jwks_url
  • jwt_validation_pubkeys

However, the configuration with jwks_url only is not possible when we're using the client_id / client_secret authentication.
Setting (terraform):


resource "vault_jwt_auth_backend" "keycloak" {
  for_each           = toset(var.keycloak_datacenters)
  description        = "Keycloak"
  path               = "oidc-${each.value}"
  type               = "oidc"
  jwks_url           = "${var.keycloak_url_backend[each.value]}/auth/realms/master/protocol/openid-connect/certs"
  bound_issuer       = "${var.keycloak_url_frontend[each.value]}/auth/realms/OmCloud"
  oidc_client_id     = var.keycloak_client_id
  oidc_client_secret = var.keycloak_client_secret
  default_role       = "default-keycloak-${each.value}"
  tune {
    default_lease_ttl            = "2h"
    max_lease_ttl                = "8h"
    allowed_response_headers     = []
    audit_non_hmac_request_keys  = []
    audit_non_hmac_response_keys = []
    listing_visibility           = "unauth"
    passthrough_request_headers  = []
    token_type                   = "default-service"
  }
}

When trying to apply this configuration, we get:

│ * 'oidc_discovery_url' must be set for OIDC
│
│   with vault_jwt_auth_backend.keycloak["xxx"],
│   on auth_backend_keycloak.tf line 6, in resource "vault_jwt_auth_backend" "keycloak":
│    6: resource "vault_jwt_auth_backend" "keycloak" {
│

We can see in the source code here: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/main/path_config.go#L279
that this error appears due to client_id being present without OIDCDiscoveryURL.

By removing client_id / client_secret we can apply the configuration successfully, but of course then it's not working because the jwks_url doesn't provide client_id / client_secret.

Tested with Vault 1.15.4+ent.
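The two rules the issue runs into can be checked before a terraform apply. The Go program below is an added example and is not code from the vault-plugin-auth-jwt project or from the issue author: it models the documented "exactly one key source" rule and the "client_id requires oidc_discovery_url" rule the author traced in path_config.go, then runs the reporter's Keycloak configuration through it. The struct, function names and the placeholder Keycloak URLs are constructed for the example; the exact error text for the mutual-exclusion case is assumed, while the OIDC error text is the one quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
)

// JWTAuthConfig is a constructed model of the vault_jwt_auth_backend settings
// the issue is about; it is not the plugin's own configuration type.
type JWTAuthConfig struct {
	OIDCDiscoveryURL     string
	JWKSURL              string
	JWTValidationPubKeys []string
	OIDCClientID         string
	OIDCClientSecret     string
}

// Validate mirrors the behaviour described in the issue:
//  1. exactly one of oidc_discovery_url, jwks_url, jwt_validation_pubkeys
//     must be set (documented constraint);
//  2. if oidc_client_id is set, oidc_discovery_url must be set too, which
//     is the check that produces the error quoted in the issue.
func Validate(c JWTAuthConfig) error {
	sources := 0
	if c.OIDCDiscoveryURL != "" {
		sources++
	}
	if c.JWKSURL != "" {
		sources++
	}
	if len(c.JWTValidationPubKeys) > 0 {
		sources++
	}
	if sources != 1 {
		// Assumed wording; the plugin's exact message is not on the page.
		return errors.New("exactly one of 'oidc_discovery_url', 'jwks_url' or 'jwt_validation_pubkeys' must be set")
	}
	if c.OIDCClientID != "" && c.OIDCDiscoveryURL == "" {
		// Wording taken from the error the issue author received.
		return errors.New("'oidc_discovery_url' must be set for OIDC")
	}
	return nil
}

// IssueConfig reproduces the reporter's settings with placeholder hostnames:
// JWKS URL plus client credentials, no discovery URL.
func IssueConfig() JWTAuthConfig {
	return JWTAuthConfig{
		JWKSURL:          "https://keycloak-backend.example/auth/realms/master/protocol/openid-connect/certs",
		OIDCClientID:     "vault",                 // constructed value
		OIDCClientSecret: "placeholder-secret",    // constructed value
	}
}

// WithoutClientCredentials is the workaround the author tried: it passes
// validation, but the backend then has no client credentials to use.
func WithoutClientCredentials(c JWTAuthConfig) JWTAuthConfig {
	c.OIDCClientID = ""
	c.OIDCClientSecret = ""
	return c
}

// WithDiscoveryURL is the configuration the plugin accepts alongside client
// credentials: discovery URL set, JWKS URL left empty.
func WithDiscoveryURL(c JWTAuthConfig) JWTAuthConfig {
	c.JWKSURL = ""
	c.OIDCDiscoveryURL = "https://keycloak-frontend.example/auth/realms/master"
	return c
}

func main() {
	for name, cfg := range map[string]JWTAuthConfig{
		"issue config (jwks_url + client creds)": IssueConfig(),
		"workaround (jwks_url, no client creds)": WithoutClientCredentials(IssueConfig()),
		"discovery URL + client creds":           WithDiscoveryURL(IssueConfig()),
	} {
		if err := Validate(cfg); err != nil {
			fmt.Printf("%-40s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-40s accepted\n", name)
		}
	}
}
```

Running it shows the reporter's combination rejected with the quoted error, the credential-less workaround accepted, and the discovery-URL variant accepted, which is the asymmetry the issue reports.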
