Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect

Hello,

I am facing an error when trying to log into Kibana using Keycloak.

{"@timestamp":"2023-06-14T08:40:15.478Z", "log.level": "WARN", "message":"Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint.)", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"pool-3-thread-1","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","trace.id":"a2a6e962f5622ed5eb9fc787589ccaae","elasticsearch.cluster.uuid":"YrMj0KybTP2JwifTQsXysg","elasticsearch.node.id":"48x-BuSlTZ6xqFoCt3IPLA","elasticsearch.node.name":"78edcd584752","elasticsearch.cluster.name":"docker-cluster"}
[2023-06-14T08:40:15.488+00:00][WARN ][plugins.security.authentication] Could not authenticate user with the existing session. Forcing logout.

I have elasticsearch, kibana and keycloak running on docker desktop all within the same network.

I've created a realm oidc1, a client kibana and a user latif in keycloak. Assigned a composite role kibana to the client.

I have started an Elasticsearch free trial.

My elasticsearch.yml file is configured as such:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically      
# generated to configure Elasticsearch security features on 13-06-2023 22:12:52
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.authc.token.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["78edcd584752"]

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://localhost:8080/realms/oidc1"
  op.authorization_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkset.json"
  op.userinfo_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: name
  ssl.verification_mode: none

My kibana.yml file is configured as such:

### >>>>>>> BACKUP START: Kibana interactive setup (2023-06-13T22:13:20.496Z)

#
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
#server.host: "0.0.0.0"
#server.shutdownTimeout: "5s"
#elasticsearch.hosts: [ "http://elasticsearch:9200" ]
#monitoring.ui.container.elasticsearch.enabled: true
### >>>>>>> BACKUP END: Kibana interactive setup (2023-06-13T22:13:20.496Z)

# This section was automatically generated during setup.
server.host: "0.0.0.0"
server.shutdownTimeout: "5s"
elasticsearch.hosts: ["https://172.28.0.3:9200"]
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.serviceAccountToken: "AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2ODY2OTQ0MDAyMTI6aTRyU0RyV3BTdWUwdnJoMHNBNWhWZw"
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/data/ca_1686694400493.crt"]
xpack.fleet.outputs: [
  {
    id: "fleet-default-output",
    name: "default",
    is_default: true,
    is_default_monitoring: true,
    type: "elasticsearch",
    hosts: ["https://172.28.0.3:9200"],
    ca_trusted_fingerprint: "efd948e0724542f25985bbad57dda9182b99c9b3dc81e191e062aef799222a8b"
  }
]

server.ssl.enabled: true
server.ssl.certificate: "/usr/share/kibana/config/ca.crt"
server.ssl.key: "/usr/share/kibana/config/ca.key"

xpack.reporting.roles.enabled: true 
elasticsearch.ssl.verificationMode: certificate

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Login with Keycloak"
  basic.basic:
    order: 2

Figured it out.

Even though my Docker containers were in the same network, I needed to specify the container name instead of localhost. Additionally, I had to get rid of user_info.

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://localhost:8080/realms/oidc1"
  op.authorization_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://key-01:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkset.json"
  # op.userinfo_endpoint: "http://key-01:8080/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: name
  ssl.verification_mode: none
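The reason the container name fixes the token endpoint but localhost keeps working for the authorization endpoint is that the two endpoints are reached by different parties: the browser is redirected to op.authorization_endpoint (so localhost with a published port resolves on the user's machine), while Elasticsearch itself performs the code exchange against op.token_endpoint and fetches op.userinfo_endpoint over the back channel, where localhost is the Elasticsearch container. The checker below is an added example, not code from this thread or from Elastic; it parses the two realm blocks posted above, classifies each endpoint as front or back channel, and flags loopback back-channel hosts, plain-HTTP endpoints and ssl.verification_mode: none. The front/back-channel split and the in_container flag are this example's own assumptions about the deployment; the hostname key-01 and all setting values come from the posts.

```python
"""Offline sanity check for one Elasticsearch OIDC realm block.

Added example, not code from the thread or from Elastic. It tells apart
front-channel endpoints (the browser is redirected there) from back-channel
endpoints (Elasticsearch calls them itself), which is why "localhost" works
for the former but not the latter when Elasticsearch runs in a container.
"""
from urllib.parse import urlparse

# Browser redirects: "localhost" means the user's own machine (published port).
FRONT_CHANNEL = {"op.authorization_endpoint", "op.endsession_endpoint"}
# Back channel: Elasticsearch itself connects; inside Docker, "localhost" is
# the Elasticsearch container, where Keycloak is not listening.
BACK_CHANNEL = {"op.token_endpoint", "op.userinfo_endpoint", "op.jwkset_path"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Settings the realm needs for response_type code (per the realm reference).
REQUIRED = {"rp.client_id", "rp.response_type", "rp.redirect_uri", "op.issuer",
            "op.authorization_endpoint", "op.token_endpoint", "op.jwkset_path",
            "claims.principal"}

# Realm block as posted in the question (parent key line included).
ORIGINAL = """
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://localhost:8080/realms/oidc1"
  op.authorization_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkset.json"
  op.userinfo_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8080/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: name
  ssl.verification_mode: none
"""
# The two edits from the answer: container name for the token endpoint,
# userinfo endpoint commented out.
FIXED = ORIGINAL.replace(
    'op.token_endpoint: "http://localhost:8080',
    'op.token_endpoint: "http://key-01:8080',
).replace("  op.userinfo_endpoint", "  # op.userinfo_endpoint")


def parse_realm(text):
    """Parse the flat `key: value` lines of one realm block into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, '#' comments and the parent key line that ends in ':'.
        if not line or line.startswith("#") or line.endswith(":"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_loopback(url):
    host = urlparse(url).hostname
    return host is not None and host.lower() in LOOPBACK


def check_realm(settings, in_container=True):
    """Return findings as (severity, setting, message) tuples."""
    findings = []
    for key in sorted(REQUIRED - set(settings)):
        findings.append(("error", key, "required setting is missing"))
    for key, value in settings.items():
        if not value.startswith(("http://", "https://")):
            continue  # file paths such as a local jwkset.json are not checked
        if key in BACK_CHANNEL and in_container and is_loopback(value):
            findings.append(("error", key,
                "loopback host resolves to the Elasticsearch container, not "
                "the OP; use the Keycloak container or service name"))
        if value.startswith("http://"):
            findings.append(("warn", key,
                "plain HTTP: authorization code, tokens and client secret "
                "cross the network unencrypted"))
    if settings.get("ssl.verification_mode") == "none":
        findings.append(("warn", "ssl.verification_mode",
            "OP certificate is not validated; an on-path host can answer "
            "the token endpoint"))
    iss = settings.get("op.issuer", "")
    tok = settings.get("op.token_endpoint", "")
    if iss and tok and urlparse(iss).netloc != urlparse(tok).netloc:
        findings.append(("info", "op.issuer",
            "host differs from op.token_endpoint; works only if the ID "
            "token's iss claim still equals op.issuer exactly"))
    return findings


def summarize(text, in_container=True):
    """Config text in, findings out."""
    return check_realm(parse_realm(text), in_container)


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"== {name} realm ==")
        for sev, key, msg in summarize(text):
            print(f"  [{sev}] {key}: {msg}")
```

Run as-is, the original block yields errors on op.token_endpoint and op.userinfo_endpoint and the fixed block yields none; both still carry the plain-HTTP and verification_mode warnings, which are acceptable in a local lab but not beyond it. Note that Elasticsearch wraps every failure at the token endpoint, a refused connection or a rejected client secret alike, in the same "Failed to exchange code for Id Token" warning, so when the hostname is right and the error persists, the next thing to check is the rp.client_secret secure setting in the Elasticsearch keystore.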
