Hi Everyone,
I am trying to use FusionAuth (https://fusionauth.io/) as the IdP (OpenID or SAML) for my Elastic Stack running on Elastic Cloud.
Here is my elasticsearch.yaml configuration:

    xpack:
      security:
        authc:
          realms:
            oidc:
              oidc1:
                claims.principal: sub
                op.authorization_endpoint: "https://xxx/oauth2/authorize"
                op.issuer: "https://xxx/"
                op.jwkset_path: "https://xxx/.well-known/jwks.json"
                op.token_endpoint: "https://xxx/oauth2/token"
                op.userinfo_endpoint: "https://xxx/oauth2/userinfo"
                order: 2
                rp.client_id: "xxxxxxxx"
                rp.redirect_uri: "https://xxx:9243/api/security/v1/oidc"
                rp.response_type: code
and I got this error with "trace" logging enabled on Elasticsearch:
[instance-0000000000] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJOSEException[Signed JWT rejected: Another algorithm expected, or no matching key(s) found];)
|Feb 5, 2021, 3:02:55 AM UTC|WARN|i0@ap-southeast-1c|[instance-0000000000] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJOSEException[Signed JWT rejected: Another algorithm expected, or no matching key(s) found];)|
|Feb 5, 2021, 3:02:55 AM UTC|DEBUG|i0@ap-southeast-1c|[instance-0000000000] Failed to consume the OpenIdConnectToken org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.getUserClaims(OpenIdConnectAuthenticator.java:264) [x-pack-security-7.10.2.jar:7.10.2] at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.lambda$getUserClaims$1(OpenIdConnectAuthenticator.java:258) [x-pack-security-7.10.2.jar:7.10.2] at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.ListenableFuture$1.doRun(ListenableFuture.java:112) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.EsExecutors$DirectExecutorService.execute(EsExecutors.java:224) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListener(ListenableFuture.java:106) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.ListenableFuture.lambda$done$0(ListenableFuture.java:98) [elasticsearch-7.10.2.jar:7.10.2] at java.util.ArrayList.forEach(ArrayList.java:1511) [?:?] at org.elasticsearch.common.util.concurrent.ListenableFuture.done(ListenableFuture.java:98) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.BaseFuture.set(BaseFuture.java:144) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.common.util.concurrent.ListenableFuture.onResponse(ListenableFuture.java:127) [elasticsearch-7.10.2.jar:7.10.2] at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$ReloadableJWKSource$1.completed(OpenIdConnectAuthenticator.java:828) [x-pack-security-7.10.2.jar:7.10.2] at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$ReloadableJWKSource$1.completed(OpenIdConnectAuthenticator.java:820) [x-pack-security-7.10.2.jar:7.10.2] at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:122) [httpcore-4.4.12.jar:4.4.12] at|
And this is what I get on the browser:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" & 1=\"Bearer realm=\\\"security\\\"\" & 2=\"ApiKey\" } } }"}
Is there any missing part or common mistake for this setup?
References:
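The error "Signed JWT rejected: Another algorithm expected, or no matching key(s) found" is raised by the JOSE library when the ID token's header names an algorithm the realm was not configured for, or names a key id (kid) that the JWKS fetched from op.jwkset_path does not contain. The following diagnostic is an added example, not code from the original post, from Elasticsearch or from FusionAuth. It decodes the JWS header of an ID token and compares it against a JWKS document, reporting each mismatch in plain terms. The JWKS and tokens are constructed inline (placeholder key material, throwaway signatures) so it runs offline; in practice you would paste the real ID token and the real JWKS response. The expected algorithm defaults to RS256, which is also the default of the realm's rp.signature_algorithm setting.

```python
import base64
import json

# Constructed JWKS document standing in for what the realm fetches from op.jwkset_path.
# The RSA modulus is a placeholder: only kid, kty, use and alg matter for this check.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "fusionauth-key-1", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# Which JWK key type each asymmetric JWS algorithm family needs.
ALG_FAMILY_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}  # anything else (EdDSA) -> OKP


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(header: dict) -> str:
    """Build a compact JWS with the given header, a stub payload and a fake signature.
    Constructed test input only: the signature is not valid for anything."""
    payload = {"sub": "user@example.test", "iss": "https://xxx/"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    return ".".join(segments + [b64url_encode(b"not-a-real-signature")])


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def diagnose_key_match(token: str, jwks: dict, expected_alg: str = "RS256") -> list:
    """Explain why a JWKS-based verifier could reject this token's signature.
    Returns an empty list when the header's alg equals expected_alg and the JWKS
    holds a signing key (matching kid, if present) of the right key type."""
    findings = []
    header = jwt_header(token)
    alg, kid = header.get("alg"), header.get("kid")

    if alg != expected_alg:
        findings.append(f"token alg {alg!r} differs from the realm's expected algorithm {expected_alg!r}")
    # HMAC algorithms are symmetric and 'none' is unsigned: a JWKS of public keys
    # can never verify them, so there is nothing further to compare.
    if alg is None or alg == "none" or alg.startswith("HS"):
        findings.append(f"alg {alg!r} cannot be verified against a JWKS of public keys")
        return findings

    keys = jwks.get("keys", [])
    if kid is not None:
        keys = [k for k in keys if k.get("kid") == kid]
        if not keys:
            present = [k.get("kid") for k in jwks.get("keys", [])]
            findings.append(f"no JWKS key has kid {kid!r} (kids present: {present})")
            return findings

    wanted_kty = ALG_FAMILY_TO_KTY.get(alg[:2], "OKP")
    usable = [k for k in keys
              if k.get("kty") == wanted_kty
              and k.get("use", "sig") == "sig"
              and k.get("alg", alg) == alg]
    if not usable:
        findings.append(f"no JWKS signing key with kty {wanted_kty!r} and alg {alg!r} can verify this token")
    return findings


if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "kid": "fusionauth-key-1", "typ": "JWT"},
                {"alg": "HS256", "typ": "JWT"},
                {"alg": "RS256", "kid": "rotated-key-9", "typ": "JWT"}):
        print(hdr, "->", diagnose_key_match(make_sample_token(hdr), SAMPLE_JWKS) or "header matches a key")
```

An empty finding list means the header and JWKS agree and the failure lies elsewhere (for instance an expired JWKS cache after key rotation, or a wrong op.issuer). A finding about the alg points at the IdP's token signing configuration or the realm's rp.signature_algorithm; a missing kid usually means the JWKS URL belongs to a different tenant or application than the one issuing the token.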