Hi ..,
I am giving Elastic Cloud on Kubernetes a try. I have deployed the operator, Elasticsearch and Kibana. Everything is up and running fine.
Now I want to implement OpenID Connect for Kibana using Keycloak. To do this, do I need a licence, or is the basic licence sufficient?
We set up Elasticsearch (version 7.8.0) with an OpenID Connect "oidc" realm with Keycloak as provider. We called the realm "oidc1":
[...]
```yaml
xpack.security.authc.realms.oidc.oidc1:
  claims.principal: name
  op.authorization_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/auth
  op.endsession_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/logout
  op.issuer: https://keycloak.text/auth/realms/oidc1
  op.jwkset_path: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/certs
  op.token_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/auth
  op.userinfo_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/userinfo
  order: 0
  rp.client_id: kibana
  rp.post_logout_redirect_uri: https://ip-removed:port/logged_out
  rp.redirect_uri: https://ip-removed:port/api/security/oidc/callback
  rp.response_type: code
xpack.security.authc.token.enabled: true
```
The "rp.client_secret" is injected into the keystore from a secret.
To make Kibana (version 7.8.0) use this OpenID Connect realm, we added the following to the Kibana config:
```yaml
xpack.security.authc.providers:
  basic.basic1:
    order: 1
  oidc.keycloak:
    order: 0
    realm: oidc1
```
After configuring all this we experienced the following issues:
- Kibana correctly shows the login selections: "Login with oidc/oidc1" and "Login with Elasticsearch" as expected
- Choosing "Log in with oidc/oidc1" does not redirect to Keycloak. It gives me an authorization issue.
In the Elasticsearch and Kibana logs there is literally nothing(!) regarding this oidc login.
Help is really appreciated.
Thanks,
VIneeth.
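
An added example, not part of the original post and not Elastic's or Keycloak's code: a small offline check that compares a flat copy of the realm settings posted above with Keycloak's standard endpoint layout under the issuer URL, Kibana's OIDC callback path, and the realm name the Kibana provider refers to. The helper name `lint_oidc`, the dict layout and the host `kibana.example:5601` are assumptions for illustration; it assumes every `op.*` endpoint is served by the same Keycloak realm.

```python
from urllib.parse import urlparse

# Keycloak's standard endpoint paths below the realm issuer URL.
KEYCLOAK_SUFFIX = {
    "op.authorization_endpoint": "/protocol/openid-connect/auth",
    "op.token_endpoint": "/protocol/openid-connect/token",
    "op.userinfo_endpoint": "/protocol/openid-connect/userinfo",
    "op.endsession_endpoint": "/protocol/openid-connect/logout",
    "op.jwkset_path": "/protocol/openid-connect/certs",
}
KIBANA_CALLBACK = "/api/security/oidc/callback"  # path Kibana serves for OIDC

def lint_oidc(realm_name, realm, kibana_provider):
    """Hypothetical helper: list inconsistencies in one OIDC realm's settings."""
    findings = []
    issuer = realm.get("op.issuer", "").rstrip("/")
    if urlparse(issuer).scheme != "https":
        findings.append("op.issuer: expected an https URL")
    for key, suffix in KEYCLOAK_SUFFIX.items():
        value = realm.get(key)
        if value != issuer + suffix:
            findings.append(f"{key}: expected {issuer + suffix}, got {value}")
    redirect = urlparse(realm.get("rp.redirect_uri", ""))
    if redirect.scheme != "https" or redirect.path != KIBANA_CALLBACK:
        findings.append(f"rp.redirect_uri: expected https://<kibana>{KIBANA_CALLBACK}")
    if kibana_provider.get("realm") != realm_name:
        findings.append("kibana provider: realm does not match the Elasticsearch realm name")
    return findings

# Realm values as posted; the Kibana host is constructed (the post redacts it).
BASE = "https://keycloak.text/auth/realms/oidc1"
POSTED = {
    "op.issuer": BASE,
    "op.authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "op.token_endpoint": BASE + "/protocol/openid-connect/auth",
    "op.userinfo_endpoint": BASE + "/protocol/openid-connect/userinfo",
    "op.endsession_endpoint": BASE + "/protocol/openid-connect/logout",
    "op.jwkset_path": BASE + "/protocol/openid-connect/certs",
    "rp.redirect_uri": "https://kibana.example:5601/api/security/oidc/callback",
}

if __name__ == "__main__":
    for finding in lint_oidc("oidc1", POSTED, {"order": 0, "realm": "oidc1"}):
        print(finding)
```

On the posted values it reports only `op.token_endpoint`, which repeats the authorization endpoint URL.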