
Vault Okta Plugin Fails to Support Custom Domains for Authentication (Malformed base_URLs) #29286

Open
brokedba opened this issue Jan 6, 2025 · 0 comments


brokedba commented Jan 6, 2025

Describe the bug
The Vault Okta plugin incorrectly forms the API endpoint when both base_url and org_name are used. It treats org_name as a subdomain and appends it incorrectly to the base_url. This results in a malformed URL when using a custom Okta domain.

For example:

Configured:
  base_url = "https://sso.MyCustomDomain.ca"
  org_name = "dev-123456"

Expected:

https://sso.MyCustomDomain.ca/api/v1/authn

Actual: when trying to log in as a user

$ vault login -method=okta username="[email protected]" password="NoCanDo"

Okta auth failed: Post "https://dev-123456.sso.MyCustomDomain.ca/api/v1/authn":
 dial tcp: lookup dev-123456.sso.MyCustomDomain.ca on 8.8.8.8:53: no such host

This issue occurs when attempting to configure Vault to use a custom Okta domain (e.g., https://sso.MyCustomDomain.ca).
Vault expects org_name for constructing Okta API calls but mishandles it when combined with a custom domain.

  • The Vault auth configuration works when using the default base_url "okta.com" + org_name
  • DNS and REST API requests work:
dig sso.MyCustomDomain.ca
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59642
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

---
curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"[email protected]","password":"NoCanDo"}' \
  https://sso.MyCustomDomain.ca/api/v1/authn | jq .

{
  "expiresAt": "2025-01-06T03:11:26.000Z",
  "status": "SUCCESS",
...
}

To Reproduce

Prerequisite: configure an Okta new brand / custom domain.
Steps to reproduce the behavior:

  1. Configure Vault with a custom domain:
vault write auth/okta/config \
    base_url="https://sso.MyCustomDomain.ca" \
    org_name="dev-123456" \
    api_token="<api_token>"
  2. Attempt to log in:
vault login -method=okta \
    username="[email protected]" \
    password="NoCanDo"
  3. Observe the malformed API request in the Vault logs:
https://dev-123456.sso.MyCustomDomain.ca/api/v1/authn
  4. The resulting error:
dial tcp: lookup dev-123456.sso.MyCustomDomain.ca on 8.8.8.8:53: no such host

Expected behavior

Vault should correctly construct the API endpoint as https://sso.MyCustomDomain.ca/api/v1/authn when a custom domain is used.
The login command for the user should succeed:
vault login -method=okta username="[email protected]" password="NoCanDo"

Actual Behavior

Vault constructs an invalid API endpoint by concatenating org_name and base_url improperly, treating org_name as a subdomain.

Environment:

  • Server Operating System/Architecture: Ubuntu 22
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            3
Threshold               2
Version                 1.18.3
Build Date              2024-12-16T14:00:53Z
Storage Type            raft
Cluster Name            vault-cluster-e5180399
Cluster ID              025e327c-13e0-6781-868f-ae8eb66da076
HA Enabled              true
HA Cluster              https://<IP>:8201
HA Mode                 active
Active Since            2025-01-05T02:01:12.9281897-05:00
Raft Committed Index    382
Raft Applied Index      382

Additional context

  • I attempted to configure Vault with the following:
vault write auth/okta/config \
    base_url="https://sso.MyCustomDomain.ca" \
    org_name="" \
    api_token="<api_token>"
  • This resulted in another malformed URL, but it's the closest to the real URL I could get:
https://.sso.MyCustomDomain.ca/api/v1/authn

Temporary Workaround

This issue makes it difficult to use custom Okta domains for authentication. The current workaround is to use the default Okta domain (base_url="okta.com"):

vault write auth/okta/config \
    base_url="okta.com" \
    org_name="dev-123456" \
    api_token="<api_token>"

This results in the correct API endpoint:

https://dev-123456.okta.com/api/v1/authn

Request

Please provide support for custom Okta domains without requiring org_name, or handle it correctly to avoid malformed URLs. Or advise me if I did anything wrong.
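Added illustration, not part of the issue and not Vault's own code: a hypothetical Go reconstruction of the endpoint construction described above (org_name always prepended as a subdomain), next to a version that uses a base_url carrying a scheme verbatim and refuses configurations that would produce an empty DNS label such as the ".sso.MyCustomDomain.ca" case. The function names and the exact logic are assumptions for this sketch.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// legacyOktaURL mimics the behaviour reported in the issue (hypothetical,
// not Vault's code): org_name is unconditionally treated as a subdomain of
// base_url, so a custom domain ends up with a bogus label in front of it.
func legacyOktaURL(baseURL, orgName string) string {
	host := strings.TrimPrefix(strings.TrimPrefix(baseURL, "https://"), "http://")
	return fmt.Sprintf("https://%s.%s/api/v1/authn", orgName, host)
}

// fixedOktaURL builds the /api/v1/authn endpoint so that a base_url which
// already carries a scheme (a custom Okta domain) is used as-is, while a bare
// apex such as "okta.com" still gets org_name prepended. Any result that would
// contain an empty host label (leading dot or "..") is rejected before use.
func fixedOktaURL(baseURL, orgName string) (string, error) {
	var host, scheme string
	if strings.Contains(baseURL, "://") {
		u, err := url.Parse(baseURL)
		if err != nil || u.Host == "" {
			return "", fmt.Errorf("invalid base_url %q", baseURL)
		}
		scheme, host = u.Scheme, u.Host
	} else {
		// Bare domain: org_name is mandatory to form <org>.<domain>.
		if orgName == "" {
			return "", fmt.Errorf("org_name is required with bare base_url %q", baseURL)
		}
		scheme, host = "https", orgName+"."+baseURL
	}
	if strings.HasPrefix(host, ".") || strings.Contains(host, "..") {
		return "", fmt.Errorf("malformed Okta host %q", host)
	}
	return scheme + "://" + host + "/api/v1/authn", nil
}

func main() {
	// Constructed inputs taken from the configurations shown in the issue.
	for _, c := range []struct{ base, org string }{
		{"https://sso.MyCustomDomain.ca", "dev-123456"},
		{"https://sso.MyCustomDomain.ca", ""},
		{"okta.com", "dev-123456"},
	} {
		got, err := fixedOktaURL(c.base, c.org)
		fmt.Printf("legacy=%s fixed=%s err=%v\n", legacyOktaURL(c.base, c.org), got, err)
	}
}
```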
