Elastic Cloud OIDC error

Using ES 7.10, 7.10.1 and 7.10.2 in different clusters, I received the errors below when applying known-working configs with an Azure AD realm exposed via OIDC.

[instance-0000000009] Received Token Response from OP with status [UNAUTHORIZED] and content [{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: d22a48a9-9da8-444d-9834-8b57ad290100\r\nCorrelation ID: 5c7ea5ff-04df-4e1a-aba6-59494c567d37\r\nTimestamp: 2021-02-23 11:56:14Z","error_codes":[7000215],"timestamp":"2021-02-23 11:56:14Z","trace_id":"d22a48a9-9da8-444d-9834-8b57ad290100","correlation_id":"5c7ea5ff-04df-4e1a-aba6-59494c567d37","error_uri":"https://login.microsoftonline.com/error?code=7000215"}]


The client secret has been double-checked to be the correct one.

Here is my config inside elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        oidc:
          aad:
            order: 2
            rp.client_id: "xxxx"
            # rp.client_secret is a secure setting: it belongs in the Elasticsearch keystore
            # (the deployment keystore on Elastic Cloud), not in this file.
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email"]
            rp.redirect_uri: "https://xxxx.eastus2.azure.elastic-cloud.com:9243/api/security/v1/oidc"
            op.issuer: "https://login.microsoftonline.com/xxxxx/v2.0"
            op.authorization_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize"
            op.token_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/token"
            op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
            op.endsession_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/logout"
            rp.post_logout_redirect_uri: "https://xxxxx.eastus2.azure.elastic-cloud.com:9243/logged_out"
            op.jwkset_path: "https://login.microsoftonline.com/xxxxx/discovery/v2.0/keys"
            claims.principal: name
            claims.groups: groups

kibana.yml

xpack.security.authc.providers:
  # provider entries must be nested under xpack.security.authc.providers
  oidc.aad:
    order: 0
    realm: aad
    icon: "https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg"
    description: "Log in with Azure"
  basic.basic1:
    order: 1

Are you saying that this config used to work in an older deployment? If so, what stack version(s) were you using before?

I don't see the xpack.security.authc.realms.oidc.aad.rp.client_secret setting in your config. Did you add a secret value for your deployment?

If so, did you double-check your client_id to make sure it matches the client secret?

Yes, I have added my secret value and it has been double-checked to be correct.
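A troubleshooting aid added here (not part of the thread, and not Elastic's or Microsoft's code): it parses the realm's "Received Token Response" log line, maps the AAD error code to a cause, and replays the same client-secret check against the v2.0 token endpoint outside Elasticsearch. Tenant, client id and secret arguments are placeholders; the sample log line is constructed from the one quoted above.

```python
import json
import re
import urllib.error, urllib.parse, urllib.request

# Constructed sample: the oidc realm log line from this thread, trimmed to the fields used.
SAMPLE_LOG_LINE = (
    '[instance-0000000009] Received Token Response from OP with status [UNAUTHORIZED] '
    'and content [{"error":"invalid_client","error_description":"AADSTS7000215: '
    'Invalid client secret is provided.","error_codes":[7000215]}]'
)
LOG_RE = re.compile(r"Received Token Response from OP with status \[(\w+)\] and content \[(.*)\]$")

def parse_token_response_log(line):
    """Return (status word, decoded JSON body) from an oidc realm token-response log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an oidc realm 'Received Token Response' log line")
    return m.group(1), json.loads(m.group(2))

def diagnose(body):
    """Map an AAD token-endpoint JSON body to a short cause."""
    if "access_token" in body:
        return "ok"
    codes = set(body.get("error_codes", []))
    if 7000215 in codes:
        # AADSTS7000215: the secret presented does not match this client_id. Common causes:
        # the secret's ID (a GUID) pasted instead of its value, or a secret from another app.
        return "bad_secret"
    if 7000222 in codes:
        return "expired_secret"  # AADSTS7000222: the client secret has expired
    return body.get("error", "unknown")

def token_request(tenant_id, client_id, client_secret):
    """Form-encoded POST to the same v2.0 token endpoint the realm uses; client_credentials
    lets the secret be checked without a browser code flow. Arguments are placeholders."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(url, data=data, method="POST")

def check_secret(tenant_id, client_id, client_secret):
    """Send the request and diagnose the reply (needs network access to login.microsoftonline.com)."""
    try:
        with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
            return diagnose(json.loads(resp.read()))
    except urllib.error.HTTPError as err:
        return diagnose(json.loads(err.read()))
```

Run `diagnose(parse_token_response_log(line)[1])` on the realm's log line to classify it, or `check_secret(...)` with the real tenant, client id and secret value to confirm the pair is accepted before re-running the Kibana login.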
