Using ES 7.10, 7.10.1 and 7.10.2 in different clusters, I received the errors below when applying known working configs with an Azure AD realm exposed via OIDC.
[instance-0000000009] Received Token Response from OP with status [UNAUTHORIZED] and content [{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: d22a48a9-9da8-444d-9834-8b57ad290100\r\nCorrelation ID: 5c7ea5ff-04df-4e1a-aba6-59494c567d37\r\nTimestamp: 2021-02-23 11:56:14Z","error_codes":[7000215],"timestamp":"2021-02-23 11:56:14Z","trace_id":"d22a48a9-9da8-444d-9834-8b57ad290100","correlation_id":"5c7ea5ff-04df-4e1a-aba6-59494c567d37","error_uri":"https://login.microsoftonline.com/error?code=7000215"}]
The client secret has been double checked to be the correct one.
Here is my config inside elasticsearch.yml:

```yaml
xpack:
  security:
    authc:
      realms:
        oidc:
          aad:
            order: 2
            rp.client_id: "xxxx"
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email"]
            rp.redirect_uri: "https://xxxx.eastus2.azure.elastic-cloud.com:9243/api/security/v1/oidc"
            op.issuer: "https://login.microsoftonline.com/xxxxx/v2.0"
            op.authorization_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize"
            op.token_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/token"
            op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
            op.endsession_endpoint: "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/logout"
            rp.post_logout_redirect_uri: "https://xxxxx.eastus2.azure.elastic-cloud.com:9243/logged_out"
            op.jwkset_path: "https://login.microsoftonline.com/xxxxx/discovery/v2.0/keys"
            claims.principal: name
            claims.groups: groups
```
And in kibana.yml:

```yaml
xpack.security.authc.providers:
  oidc.aad:
    order: 0
    realm: aad
    icon: "https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg"
    description: "Log in with Azure"
  basic.basic1:
    order: 1
```
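An added diagnostic (example code, not part of the original post or of Elasticsearch): it sends the same client_id/client_secret pair the realm stores in the keystore (`xpack.security.authc.realms.oidc.aad.rp.client_secret`) straight to the `op.token_endpoint` and parses Azure AD's error JSON, so a 7000215 seen here shows the secret value itself is rejected independently of the realm config. It assumes only the standard library and the Graph `.default` scope for the client_credentials grant; the sample body is taken from the log line above.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Azure AD prefixes error_description with the AADSTS code, e.g. "AADSTS7000215: ..."
AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Constructed from the token response quoted in the post (trace/correlation ids shortened).
SAMPLE_BODY = ('{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client '
               'secret is provided.\\r\\nTrace ID: d22a48a9","error_codes":[7000215],'
               '"correlation_id":"5c7ea5ff-04df-4e1a-aba6-59494c567d37"}')


def classify_token_response(status: int, body: str) -> dict:
    """Summarise a token-endpoint response: OAuth error, AADSTS code, correlation id."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"status": status, "error": "unparseable", "aadsts": None,
                "correlation_id": None, "secret_rejected": False}
    match = AADSTS_RE.search(payload.get("error_description", ""))
    code = int(match.group(1)) if match else None
    return {
        "status": status,
        "error": payload.get("error"),
        "aadsts": code,
        # Keep the correlation id: it is what Azure sign-in logs are searched by.
        "correlation_id": payload.get("correlation_id"),
        # 7000215 with invalid_client is AAD saying the secret VALUE does not match the app;
        # a frequent cause is pasting the secret's ID column instead of its value.
        "secret_rejected": payload.get("error") == "invalid_client" and code == 7000215,
    }


def check_client_secret(token_endpoint: str, client_id: str, client_secret: str) -> dict:
    """POST a client_credentials grant with the realm's credentials (network call)."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # assumption: any v2.0 resource works
    }).encode()
    req = urllib.request.Request(token_endpoint, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:  # AAD returns 400/401 with a JSON body
        return classify_token_response(exc.code, exc.read().decode())
```

Run `check_client_secret("https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token", client_id, secret)` from the node (or any host) before touching the realm; a 200 with no error means the secret is fine and the problem is in how it reached the keystore.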