Hi all, I'm trying to enable SSO for Kibana 7.11.0 deployed with ECK 1.4.1. I followed this tutorial to set it up with a Google Cloud OAuth credential. The Elasticsearch configuration is:
# Elasticsearch OIDC realm backed by Google.
# NOTE(review): in elasticsearch.yml (ECK `spec.config`) these keys sit under
# `xpack.security.authc:`; that parent key is not shown in this snippet and the
# forum stripped the indentation — the nesting below is how they must line up.
# The token service has to be on: the OIDC realm hands out Elasticsearch access
# tokens after a successful login.
token.enabled: true
realms.oidc:
  oidc1:
    order: 2
    # Must match the OAuth client ID of the Google credential.
    # The matching `rp.client_secret` is deliberately NOT in this file: it is a
    # secure setting and belongs in the Elasticsearch keystore — on ECK, a
    # Kubernetes Secret wired through `spec.secureSettings` — under the full key
    # `xpack.security.authc.realms.oidc.oidc1.rp.client_secret`.
    # The UNAUTHORIZED / `invalid_client` reply from the token endpoint in the
    # log below is raised while exchanging the code for tokens; per RFC 6749
    # §5.2 that error means client authentication failed, so a secret that is
    # absent, mismatched with this client_id, or not loaded (keystore not
    # mounted/reloaded on the node) is the first thing to check.
    rp.client_id: "<CLIENT_ID>"
    # Authorization-code flow: tokens are fetched server-side from the token
    # endpoint and are never exposed in the browser redirect.
    rp.response_type: code
    rp.requested_scopes: [openid, profile, email]
    # Must match, byte for byte, an "Authorized redirect URI" on the Google
    # credential. A mismatch would presumably surface as a different error at
    # the authorization step, not as `invalid_client` at the token step —
    # confirm against Google's response if the secret checks out.
    rp.redirect_uri: "<KIBANA_ENDPOINT>/api/security/v1/oidc"
    # Keep the issuer exactly as Google publishes it; it must match the `iss`
    # value Google places in its ID tokens.
    op.issuer: "https://accounts.google.com"
    op.authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
    op.token_endpoint: "https://oauth2.googleapis.com/token"
    op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
    # Google's JWKS, fetched over HTTPS, used to check ID-token signatures.
    op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
    # `sub` is Google's stable, unique user identifier (OIDC Core §2). Using it
    # rather than `email` avoids keying identity on a mutable attribute. Roles
    # still have to be granted through role mappings; an OIDC user with no
    # mapping authenticates but has no privileges.
    claims.principal: sub
The Kibana configuration is:
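# Kibana login providers. Indentation restored (the forum flattened it).
xpack.security.authc.providers:
  # Shown first on the login page. `realm` must name the Elasticsearch realm
  # (`oidc1` above), not the realm type.
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with Google"
    # Fixed user-facing typo ("User your company account").
    hint: "Use your company account"
    # NOTE(review): a remote image URL is embedded in the login page, so every
    # login fetches third-party content; an EUI icon name would avoid that —
    # confirm which values this Kibana version accepts.
    icon: "https://lh3.googleusercontent.com/M-c5Qiy3ahxn9XnUhGqzAAM8aYYZmwiY1vvdbkoQPm6QngJcUIgyBu8Wn38JebP3WZ1uDi86m14GPFK65UZugIeMzLGRO-ZNMoLS"
  # Keep a basic (username/password) provider as a break-glass path so a broken
  # OIDC setup cannot lock administrators out; order 1 lists it after OIDC.
  basic.basic1:
    order: 1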
I enabled trace logging and get these logs in Elasticsearch:
{"type": "server", "timestamp": "2021-04-14T10:05:44,652Z", "level": "WARN", "component": "o.e.x.s.a.o.OpenIdConnectAuthenticator", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Received Token Response from OP with status [UNAUTHORIZED] and content [{\n \"error\": \"invalid_client\",\n \"error_description\": \"Unauthorized\"\n}]", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA" }
{"type": "server", "timestamp": "2021-04-14T10:05:44,653Z", "level": "DEBUG", "component": "o.e.x.s.a.o.OpenIdConnectRealm", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Failed to consume the OpenIdConnectToken ", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA" ,
"stacktrace": ["org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.handleTokenResponse(OpenIdConnectAuthenticator.java:551) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.access$600(OpenIdConnectAuthenticator.java:131) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:503) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:500) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:122) [httpcore-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:181) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:448) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:338) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:121) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) [httpcore-nio-4.4.12.jar:4.4.12]",
"at java.lang.Thread.run(Thread.java:832) [?:?]"] }
{"type": "server", "timestamp": "2021-04-14T10:05:44,656Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token])", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA" }
I can't complete the login:
statusCode 401 error Unauthorized message [security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\Basic realm=\\security\\ charset=\\UTF-8\\ & 1=\Bearer realm=\\security\\ & 2=\ApiKey\ } } }
Can you please help. Thank you in advance.