Configuring Open ID Connect with Auth0

I am configuring OIDC on Elastic Cloud (Ver7.5) with Auth0 as the OP.

https://www.elastic.co/guide/en/cloud/current/ec-secure-clusters-oidc.html
I followed the URL above while configuring it, but I get the following error during ID token validation.
Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJWTException[Unexpected JWT issuer: https://xxxxx.auth0.com/];)

elasticsearch.yml

xpack.security.authc.realms.oidc.oidc1:
    order: 2
    op.issuer: https://xxxxx.auth0.com
    op.authorization_endpoint: https://xxxxx.auth0.com/authorize
    op.token_endpoint: https://xxxxx.auth0.com/oauth/token
    op.jwkset_path: https://xxxxx.auth0.com/.well-known/jwks.json
    op.userinfo_endpoint: https://xxxxx.auth0.com/userinfo
    rp.client_id: <clientid>
    rp.response_type: code
    rp.redirect_uri: https://xxxxx.ap-northeast-1.aws.found.io:9243/api/security/v1/oidc
    rp.post_logout_redirect_uri: https://xxxxx.ap-northeast-1.aws.found.io:9243/logged_out
    rp.signature_algorithm: RS256
    claims.principal: sub

The client secret has already been registered in xpack.security.authc.realms.oidc.oidc1.rp.client_secret

kibana.yml

xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "oidc1" 
server.xsrf.whitelist: [/api/security/v1/oidc]

Is there some setting I am missing?
If any other information is needed to solve the problem, please let me know.

Hi @nidcode,

I hope it's fine to answer in English, the solution should be easy enough to spot even without the translation :slight_smile:
The error is stated in the exception: [Unexpected JWT issuer: https://xxxxx.auth0.com/]

You have configured Elasticsearch to think that the Issuer is https://xxxxx.auth0.com but the issuer is actually https://xxxxx.auth0.com/ (mind the trailing /). These might look like URLs but are treated and compared as strings so https://xxxxx.auth0.com is not the same as https://xxxxx.auth0.com/

In summary:

Change

op.issuer: https://xxxxx.auth0.com

to

op.issuer: https://xxxxx.auth0.com/

and it will work just fine.

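To make the exact-match rule concrete, here is an added Python example (not part of the original thread or of Elasticsearch's own code). It decodes the iss claim out of an ID token, applies the plain string comparison that OIDC Core section 3.1.3.7 mandates, and cross-checks the op.* values from the elasticsearch.yml above against the OP's discovery document, which is where the canonical issuer string (trailing slash included) comes from. The discovery document and the ID token are constructed inline so the script runs offline; in practice you would fetch https://xxxxx.auth0.com/.well-known/openid-configuration and paste the "issuer" value verbatim into op.issuer. The token's signature segment is a placeholder and is not verified here; the realm does that against the JWKS.

```python
import base64
import json

# Constructed sample of the discovery document an Auth0 tenant serves at
# https://<tenant>.auth0.com/.well-known/openid-configuration (tenant name is
# the placeholder from the thread; embedded here so the script runs offline).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://xxxxx.auth0.com/",
    "authorization_endpoint": "https://xxxxx.auth0.com/authorize",
    "token_endpoint": "https://xxxxx.auth0.com/oauth/token",
    "jwks_uri": "https://xxxxx.auth0.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://xxxxx.auth0.com/userinfo",
})

# The op.* values from the elasticsearch.yml in the question (issuer without
# the trailing slash) and the corrected version from the answer.
BROKEN_CONFIG = {
    "op.issuer": "https://xxxxx.auth0.com",
    "op.authorization_endpoint": "https://xxxxx.auth0.com/authorize",
    "op.token_endpoint": "https://xxxxx.auth0.com/oauth/token",
    "op.jwkset_path": "https://xxxxx.auth0.com/.well-known/jwks.json",
    "op.userinfo_endpoint": "https://xxxxx.auth0.com/userinfo",
}
FIXED_CONFIG = {**BROKEN_CONFIG, "op.issuer": "https://xxxxx.auth0.com/"}

# Mapping from the realm's op.* settings to the discovery document keys.
SETTING_TO_DISCOVERY_KEY = {
    "op.issuer": "issuer",
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "jwks_uri",
    "op.userinfo_endpoint": "userinfo_endpoint",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed ID token carrying the iss claim Auth0 actually emits (with the
# trailing slash). The third segment is a placeholder, not a real signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://xxxxx.auth0.com/",
        "sub": "auth0|example",
        "aud": "<clientid>",
    }).encode()),
    "placeholder-signature",
])


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection only.

    This does NOT verify the signature; the realm does that against the JWKS.
    Use it to read the iss claim out of a token captured while debugging.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def issuer_matches(configured_issuer: str, token_issuer: str) -> bool:
    """OIDC Core 3.1.3.7: iss MUST exactly match the configured issuer.

    Plain string comparison, no URL normalisation, so the trailing slash in
    the error message is the whole problem.
    """
    return configured_issuer == token_issuer


def config_mismatches(config: dict, discovery_json: str) -> list:
    """Return the op.* settings whose value differs from the discovery document."""
    doc = json.loads(discovery_json)
    return [
        setting for setting, key in SETTING_TO_DISCOVERY_KEY.items()
        if config.get(setting) != doc.get(key)
    ]


if __name__ == "__main__":
    iss = jwt_claims(SAMPLE_ID_TOKEN)["iss"]
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "issuer ok:", issuer_matches(cfg["op.issuer"], iss),
              "mismatches:", config_mismatches(cfg, DISCOVERY_DOC))
```

Running it reports one mismatch, op.issuer, for the configuration in the question and none for the corrected one. The same check catches other copy-paste drift (for example jwks_uri versus op.jwkset_path) before it surfaces as a BadJWTException at login time.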

Hi @ikakavas

Thank you very much!!
It was easy to understand.

It worked fine.

Akifumi
