Authentication failed for an OpenID integration

Hello,

I am using OIDC with Elasticsearch and Kibana. My configuration is as follows:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.http.ssl.truststore.path: elastic-stack-ca.p12

xpack.security.authc.token.enabled: true

xpack.security.authc.realms:
  oidc.oidc1:
    order: 2
    rp.client_id: "kibana"
    rp.response_type: code
    rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
    op.issuer: "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm"
    op.authorization_endpoint: "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm/protocol/openid-connect/auth"
    op.token_endpoint: "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm/protocol/openid-connect/token"
    op.jwkset_path: certs.json
    op.userinfo_endpoint: "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm/protocol/openid-connect/userinfo"
    op.endsession_endpoint: "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm/protocol/openid-connect/logout"
    rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
    claims.principal: preferred_username

Where monitoring.dev.s2:8180 points to the Keycloak server.

This works like a charm with a simple username/password setup, but in this case we require three fields for authentication instead of two: company, username, and password. The username in Keycloak looks something like this: test@123456.

With this configuration, Elasticsearch throws this error:

[2020-02-21T13:50:33,237][DEBUG][o.e.x.s.a.o.OpenIdConnectRealm] [S2MW31] Failed to consume the OpenIdConnectToken
org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.getUserClaims(OpenIdConnectAuthenticator.java:256) [x-pack-security-7.6.0.jar:7.6.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.lambda$authenticate$0(OpenIdConnectAuthenticator.java:190) [x-pack-security-7.6.0.jar:7.6.0]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.6.0.jar:7.6.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.handleTokenResponse(OpenIdConnectAuthenticator.java:542) [x-pack-security-7.6.0.jar:7.6.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.access$600(OpenIdConnectAuthenticator.java:122) [x-pack-security-7.6.0.jar:7.6.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:477) [x-pack-security-7.6.0.jar:7.6.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:474) [x-pack-security-7.6.0.jar:7.6.0]
	at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:122) [httpcore-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:181) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:448) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:338) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.12.jar:4.4.12]
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) [httpcore-nio-4.4.12.jar:4.4.12]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:384) ~[?:?]
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:288) ~[?:?]
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224) ~[?:?]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.getUserClaims(OpenIdConnectAuthenticator.java:223) ~[?:?]
	... 21 more
[2020-02-21T13:50:33,248][WARN ][o.e.x.s.a.AuthenticationService] [S2MW31] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJOSEException[Signed JWT rejected: Another algorithm expected, or no matching key(s) found];)

I am not sure how to handle this, so I was wondering if you could guide me on this issue.

Can you elaborate on what this actually means? What changes, and where? Do you adjust your configuration for this setup somehow?

The error that Elasticsearch throws seems to indicate either that the ID Token is signed with a different key than the one in certs.json, or that a different signing algorithm is used, so something has changed.
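A quick way to confirm which of the two it is before touching the realm config: decode the ID token's JOSE header and compare its `kid` and `alg` against the keys in the JWK set file. The check below is an added example (not code from the thread, from Elasticsearch or from the Nimbus library in the stack trace); the token and the JWK sets are constructed samples with made-up `kid` values, and the key material is a placeholder because only header-to-key matching is checked, not the signature itself.

```python
import base64
import json

# Algorithm family prefix -> key type the JWK must have for that algorithm (RFC 7518).
KTY_FOR_ALG_PREFIX = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(header: dict, claims: dict) -> str:
    """Constructed ID-token-shaped JWT; signature bytes are dummy (not verifiable)."""
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"\x00" * 32]
    return ".".join(b64url_encode(p) for p in parts)


def diagnose(id_token: str, jwks: dict) -> dict:
    """Report whether the JWK set can have produced this token's signature header.
    status: 'ok' | 'no_matching_key' (stale/wrong certs.json) | 'algorithm_mismatch'."""
    header = json.loads(b64url_decode(id_token.split(".")[0]))
    kid, alg = header.get("kid"), header.get("alg")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not candidates:
        status = "no_matching_key"
    else:
        expected_kty = KTY_FOR_ALG_PREFIX.get((alg or "")[:2])
        bad = [k for k in candidates
               if (k.get("alg") not in (None, alg)) or (k.get("kty") != expected_kty)]
        status = "algorithm_mismatch" if bad else "ok"
    return {"kid": kid, "alg": alg, "status": status,
            "jwks_kids": [k.get("kid") for k in jwks.get("keys", [])]}


# Constructed sample token as the current Keycloak realm would sign it (RS256, kid below).
ID_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "keycloak-sample-kid-2020"},
    {"iss": "http://monitoring.dev.s2:8180/auth/realms/simplesystem-realm",
     "aud": "kibana", "preferred_username": "test@123456"})

# Constructed JWK sets: one left over from another provider, one from the current realm,
# and one with the right kid but an EC key (would also be rejected). "n" is a placeholder.
STALE_JWKS = {"keys": [{"kty": "RSA", "kid": "old-provider-sample-kid", "alg": "RS256",
                        "use": "sig", "n": "<modulus-placeholder>", "e": "AQAB"}]}
CURRENT_JWKS = {"keys": [{"kty": "RSA", "kid": "keycloak-sample-kid-2020", "alg": "RS256",
                          "use": "sig", "n": "<modulus-placeholder>", "e": "AQAB"}]}
WRONG_ALG_JWKS = {"keys": [{"kty": "EC", "kid": "keycloak-sample-kid-2020", "alg": "ES256",
                            "use": "sig", "crv": "P-256", "x": "<x>", "y": "<y>"}]}
```

Run `diagnose(token, json.load(open("certs.json")))` with a real ID token captured from your own realm; `no_matching_key` is the stale-file case from this thread, while `algorithm_mismatch` points at a changed signing algorithm on the provider.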

Thanks for your reply. You are absolutely right, I wasn't thinking straight. I noticed that I still had the certs.json coming from the other provider. This solved my problem.
