ECK SSO with google cloud OpenID: Error [security_exception] unable to authenticate user [<OIDC Token>]

Hi all, I'm trying to enable SSO for Kibana version 7.11.0 created using ECK version 1.4.1. I followed this tutorial for setup with a Google Cloud OAuth credential.

token.enabled: true
realms.oidc:
  oidc1:
    order: 2
    rp.client_id: "<CLIENT_ID>"
    rp.response_type: code
    rp.requested_scopes: [openid, profile, email]
    rp.redirect_uri: "<KIBANA_ENDPOINT>/api/security/v1/oidc"
    op.issuer: "https://accounts.google.com"
    op.authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
    op.token_endpoint: "https://oauth2.googleapis.com/token"
    op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
    op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
    claims.principal: sub

Kibana configuration is:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with Google"
    hint: "User your company account"
    icon: "https://lh3.googleusercontent.com/M-c5Qiy3ahxn9XnUhGqzAAM8aYYZmwiY1vvdbkoQPm6QngJcUIgyBu8Wn38JebP3WZ1uDi86m14GPFK65UZugIeMzLGRO-ZNMoLS"

  basic.basic1:
    order: 1

I enabled trace logging and am getting these logs in Elasticsearch:

{"type": "server", "timestamp": "2021-04-14T10:05:44,652Z", "level": "WARN", "component": "o.e.x.s.a.o.OpenIdConnectAuthenticator", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Received Token Response from OP with status [UNAUTHORIZED] and content [{\n  \"error\": \"invalid_client\",\n  \"error_description\": \"Unauthorized\"\n}]", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA"  }
{"type": "server", "timestamp": "2021-04-14T10:05:44,653Z", "level": "DEBUG", "component": "o.e.x.s.a.o.OpenIdConnectRealm", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Failed to consume the OpenIdConnectToken ", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA" ,
"stacktrace": ["org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.handleTokenResponse(OpenIdConnectAuthenticator.java:551) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.access$600(OpenIdConnectAuthenticator.java:131) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:503) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:500) [x-pack-security-7.11.0.jar:7.11.0]",
"at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:122) [httpcore-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:181) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:448) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:338) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.4.jar:4.1.4]",
"at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:121) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.12.jar:4.4.12]",
"at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) [httpcore-nio-4.4.12.jar:4.4.12]",
"at java.lang.Thread.run(Thread.java:832) [?:?]"] }
{"type": "server", "timestamp": "2021-04-14T10:05:44,656Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token])", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA"  }

I can't complete the login:

statusCode 401
error Unauthorized
message [security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\Basic realm=\\security\\ charset=\\UTF-8\\ & 1=\Bearer realm=\\security\\ & 2=\ApiKey\ } } }

Can you please help? Thank you in advance.

The main problem is this:

{"type": "server", "timestamp": "2021-04-14T10:05:44,652Z", "level": "WARN", "component": "o.e.x.s.a.o.OpenIdConnectAuthenticator", "cluster.name": "es-main-cluster", "node.name": "es-main-cluster-es-zone-a-0", "message": "Received Token Response from OP with status [UNAUTHORIZED] and content [{\n  \"error\": \"invalid_client\",\n  \"error_description\": \"Unauthorized\"\n}]", "cluster.uuid": "oyHjvM3XQJOqjjG4-QUPFg", "node.id": "-TCUHxwhQnOEP2vQ0QrZFA"  }

When we hit the Token Endpoint, your OP is saying that the client (i.e. the RP in OIDC == Elasticsearch) is not authorized. That usually means that either your rp.client_id or your rp.client_secret is wrong. I'm assuming you have changed "<CLIENT_ID>" above and set this to your actual client id. Have you also set the rp.client_secret?

By the way, the reason that the final error is not clear enough is that your OP responds to our request to the Token Endpoint with a 200 HTTP status code even if it failed. It should not do that, but instead return a 400.

Hi @ikakavas. Thank you for the quick reply.
Yes. For the <CLIENT_ID> I'm using my actual Client ID generated by Google when creating the credential.

For the rp.client_secret, I generated a K8s Secret from the Client Secret generated by Google using this manifest.

apiVersion: v1
kind: Secret
metadata:
  name: client_secret
  namespace: <same_as_es_cluster_namespace>
type: Opaque
data:
  xpack.security.authc.realms.oidc.oidc1.rp.client_secret: <base64 of the secret>

Please notice that the secret is within the same namespace as the Elasticsearch cluster, and it is added to the nodes' config.

I also tried to remove the secret manually from inside the keystore and add it again with its actual value directly from within the container, but still no success.

You should not base64 encode the client secret but add it as is.

Thank you @ikakavas. It is working now.

Something else that should be considered in the Secret YAML file is the use of stringData instead of data, since the client secret might include illegal base64 data. This was my original problem: when I had this error, I converted the secret to base64 instead of changing the field to stringData. The code will be as below.

apiVersion: v1
kind: Secret
metadata:
  name: <name_of_the_secret>
  namespace: <same_as_es_cluster_namespace>
type: Opaque
stringData:
  xpack.security.authc.realms.oidc.oidc1.rp.client_secret: <actual_client_secret>
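An added pre-apply check (example code, not from the thread, ECK or Kubernetes) that mirrors how the API server resolves a Secret value under `data` versus `stringData` and reports the two ways the value that reaches the keystore commonly ends up not matching the secret the OP issued. The `EXPECTED` secret and the three manifests are constructed; the keystore key is the one used in the thread.

```python
import base64
import binascii

# Keystore entry the thread's Secret carries (taken from the page).
CLIENT_SECRET_KEY = "xpack.security.authc.realms.oidc.oidc1.rp.client_secret"


def resolve_secret_value(manifest, key):
    """Value Kubernetes stores for `key`: stringData is taken verbatim (and wins over
    data); data must be valid base64 and is decoded. Raises if neither field has it."""
    if key in (manifest.get("stringData") or {}):
        return manifest["stringData"][key]
    data = manifest.get("data") or {}
    if key not in data:
        raise KeyError(f"{key} missing from data and stringData")
    try:
        return base64.b64decode(data[key], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"data[{key}] is not valid base64: {exc}") from exc


def diagnose(stored, expected):
    """Why the keystore value differs from the OP-issued secret; [] when it matches."""
    if stored == expected:
        return []
    problems = []
    if stored.rstrip("\r\n") == expected:
        problems.append("trailing newline (e.g. `echo` without -n piped into base64)")
    try:
        if base64.b64decode(stored, validate=True).decode("utf-8") == expected:
            problems.append("value is still base64: Kubernetes decodes data itself, so "
                            "give the raw secret (encoded once under data, or stringData)")
    except (binascii.Error, UnicodeDecodeError):
        pass
    return problems or ["stored value does not match the OP-issued secret"]


def audit(manifest, expected, key=CLIENT_SECRET_KEY):
    return diagnose(resolve_secret_value(manifest, key), expected)


# Constructed sample secret; not a real Google credential.
EXPECTED = "Abc123-xyz_789/Q+w"


def secret(body):
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "client-secret"}, **body}


GOOD = secret({"stringData": {CLIENT_SECRET_KEY: EXPECTED}})                        # raw value
NEWLINE = secret({"data": {CLIENT_SECRET_KEY: base64.b64encode((EXPECTED + "\n").encode()).decode()}})
DOUBLE = secret({"stringData": {CLIENT_SECRET_KEY: base64.b64encode(EXPECTED.encode()).decode()}})

if __name__ == "__main__":
    for name, m in [("good", GOOD), ("newline", NEWLINE), ("double", DOUBLE)]:
        print(name, audit(m, EXPECTED))
```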
