UI permissions errors for Tokens generated in Chroot Namespace #30574

Open
@moo-im-a-cow

Description

Describe the bug
If you have a chroot namespace set up like this:

listener "tcp" {
  address = "127.0.0.1:8200"
  chroot_namespace = "prod"
}

tokens generated in that namespace will be unable to use the UI due to permissions errors.
Assuming the chroot namespace is prod, the UI thinks the token belongs to prod/prod instead of prod (which the UI should see as the root ns).
This issue is present for OIDC tokens, but it's also present for userpass tokens, only if you log in, copy the token, and then use the token to log in.
I haven't tried other types of tokens.

  1. log in
  2. UI makes get request to auth/token/lookup-self, with no namespace header. the response contains field data.namespace_path = prod
  3. localstorage->vault-token☃1 has field userRootNamespace = prod
  4. all future requests use localstorage->vault-token☃1.userRootNamespace to add header X-Vault-Namespace: prod to all requests
  5. because of the chroot namespace, vault server treats the requests as asking for namespace prod/prod, which fails
  6. manually setting localstorage->vault-token☃1.userRootNamespace to empty makes vault behave correctly, requests are successful (because UI now tries to access root namespace, which vault transforms into prod)

Expected behavior
A clear and concise description of what you expected to happen.

Environment:

  • Vault Server Version: 1.19.3+ent
  • Server Operating System/Architecture: docker on ARM, kernel 6.13.6-200.fc41.aarch64

Vault server configuration file(s):

storage "raft" {
  path    = "/data"
  node_id = "node1"
}
listener "tcp" {
  address                           = "0.0.0.0:8200" # vault_root.REMOVED
  tls_disable                       = "true"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"

}
listener "tcp" {
  address                           = "0.0.0.0:8201" # vault_dev.REMOVED
  tls_disable                       = "true"
  chroot_namespace                  = "dev"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"
}

listener "tcp" {
  address                           = "0.0.0.0:8202" # vault.REMOVED
  tls_disable                       = "true"
  chroot_namespace                  = "prod"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"
}


plugin_directory = "/plugins"

api_addr = "https://vault_root.DOMAIN"
cluster_addr = "https://127.0.0.1:8201"
ui = true

sentinel {
  additional_enabled_modules = ["http"]
}

docker-compose.yml

services:
  vault:
    restart: always
    image: hashicorp/vault:latest
    environment:
      - VAULT_LICENSE=REMOVED
    ports:
      - 5696:5696
    cap_add:
      - IPC_LOCK
    volumes:
      - ./plugins:/plugins
      - ./data:/data
      - ./config.hcl:/config.hcl
    healthcheck:
      retries: 5
    command: server -config=/config.hcl
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel run REMOVED
    restart: always
    volumes:
      - ./cloudflare:/etc/cloudflared
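The sequence in steps 2 to 6 of the report, modelled as an added example that is not Vault's UI or server code: resolveNamespace and simulateUiSession are hypothetical helpers, and the cluster with only the dev and prod namespaces is constructed.

```javascript
// Constructed model of the namespace handling described in the issue.
// Hypothetical helpers; not Vault's UI or server implementation.

// Server side: on a chroot listener every request namespace, including
// the one taken from X-Vault-Namespace, is resolved under chroot_namespace.
function resolveNamespace(chrootNamespace, headerNamespace) {
  return [chrootNamespace, headerNamespace]
    .map((p) => (p || "").replace(/^\/+|\/+$/g, ""))
    .filter((p) => p.length > 0)
    .join("/");
}

// Constructed cluster: only these namespaces exist ("" is the root).
const KNOWN_NAMESPACES = new Set(["", "dev", "prod"]);

// Model of the UI behaviour the report describes.
//   lookupSelf: what auth/token/lookup-self returns on the chroot listener
//   override:   value written by hand into vault-token☃1.userRootNamespace
//               (step 6); undefined means the UI's own derived value is used
function simulateUiSession({ chrootNamespace, lookupSelf, override }) {
  // Step 2: lookup-self is sent without a namespace header and its
  // data.namespace_path is the absolute path, not a chroot-relative one.
  const derived = (lookupSelf.data.namespace_path || "").replace(/\/+$/, "");
  // Step 3: the UI stores that value as userRootNamespace.
  const userRootNamespace = override === undefined ? derived : override;
  // Step 4: every later request carries X-Vault-Namespace: <userRootNamespace>.
  const headers = {};
  if (userRootNamespace) headers["X-Vault-Namespace"] = userRootNamespace;
  // Step 5: the server re-roots the header namespace under the chroot.
  const resolved = resolveNamespace(chrootNamespace, headers["X-Vault-Namespace"]);
  return { userRootNamespace, headers, resolved, ok: KNOWN_NAMESPACES.has(resolved) };
}

// Constructed lookup-self response as seen through the "prod" chroot listener.
const lookupSelfProd = { data: { namespace_path: "prod" } };

// As reported: header "prod" on a "prod" chroot resolves to prod/prod (missing).
const broken = simulateUiSession({ chrootNamespace: "prod", lookupSelf: lookupSelfProd });
// Workaround from step 6: empty userRootNamespace, no header, resolves to prod.
const workaround = simulateUiSession({ chrootNamespace: "prod", lookupSelf: lookupSelfProd, override: "" });
```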
