Hi,
I've been trying to get OIDC integration with Google working for quite some time, without any success.
I'm using Elastic Stack as a Service.
First I configured within Elasticsearch keystore:
xpack.security.authc.realms.oidc.google.rp.client_secret
Then I added the following config to all ES and the ML configurations:

```yaml
xpack.security.authc.realms.oidc.google:
  order: 2
  rp.client_id: "my-client-id.apps.googleusercontent.com"
  rp.response_type: code
  rp.redirect_uri: "https://my-kibana.us-east-2.aws.elastic-cloud.com:9243/api/security/oidc/callback"
  op.issuer: "https://accounts.google.com"
  op.authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
  op.token_endpoint: "https://oauth2.googleapis.com/token"
  op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
  op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
  claims.principal: "sub"
```
And this config to Kibana:

```yaml
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: google
    description: "Log in with Google"
```
Yet I get a 401 with this message:

```
[security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }
```
I've seen some threads about having a wrong claims.principal; I tested with "sub" and "email".
Google does not provide a claim for group mapping. Still, I tested with claims.groups set to "" or "groups", and also with that claim mapping removed.
No idea where to go from here.
As a side note: from a product management point of view, I guess it might be interesting to ease OIDC integration for common providers (Google, Microsoft, GitHub).
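As an added example (not part of the post above, and not Elastic's own tooling), a small offline consistency check of the realm settings from the post against the provider's OpenID discovery document; the discovery document here is a constructed stand-in, not fetched from Google, and the callback-path suffix is assumed from the rp.redirect_uri shown in the post.

```python
from urllib.parse import urlparse

# Realm settings from the post, flattened to dotted keys.
REALM = {
    "op.issuer": "https://accounts.google.com",
    "op.authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "op.token_endpoint": "https://oauth2.googleapis.com/token",
    "op.jwkset_path": "https://www.googleapis.com/oauth2/v3/certs",
    "op.userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "rp.redirect_uri": "https://my-kibana.us-east-2.aws.elastic-cloud.com:9243/api/security/oidc/callback",
    "rp.response_type": "code",
    "claims.principal": "sub",
}
# Constructed stand-in for <issuer>/.well-known/openid-configuration, embedded so this runs offline.
DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "claims_supported": ["sub", "email", "name"],
}
ENDPOINT_FIELDS = {  # realm setting -> discovery field that must carry the same URL
    "op.issuer": "issuer",
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "jwks_uri",
    "op.userinfo_endpoint": "userinfo_endpoint",
}

def check_realm(realm, discovery):
    """Return a list of findings; an empty list means the realm agrees with discovery."""
    findings = []
    for key, field in ENDPOINT_FIELDS.items():
        if realm.get(key) != discovery.get(field):
            findings.append(f"{key} differs from discovery {field}")
    for key in list(ENDPOINT_FIELDS) + ["rp.redirect_uri"]:
        if urlparse(realm.get(key, "")).scheme != "https":  # codes and tokens must not travel in clear
            findings.append(f"{key} is not https")
    if realm.get("rp.response_type") not in discovery.get("response_types_supported", []):
        findings.append("rp.response_type is not offered by the provider")
    if not realm.get("rp.redirect_uri", "").endswith("/api/security/oidc/callback"):
        findings.append("rp.redirect_uri does not point at Kibana's OIDC callback path")
    for key in ("claims.principal", "claims.groups"):  # a mapped claim the provider never sends stays empty
        if key in realm and realm[key] not in discovery.get("claims_supported", []):
            findings.append(f"{key} names a claim the provider does not advertise")
    return findings
```

Running check_realm(REALM, DISCOVERY) on the settings from the post returns no findings, so a mismatch would have to be looked for elsewhere (for example in the client registration on the provider side).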