Elasticsearch AWS Cognito OIDC issue

Hello, I have a problem when I try to use JWT token provided by AWS Cognito.
Specifically I add this configuration to my elasticsearch.yml, on elastic cloud:

xpack:
  security:
    authc:
      realms:
        oidc:
          oidc1:
            order: 2
            rp.client_id: "7ixxxxxxx"
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email", "profile"]
            rp.redirect_uri: "https://xxx/api/security/oidc/callback"
            rp.post_logout_redirect_uri: "https://xxx/security/logged_out"
            op.issuer: "https://cognito-xyx.amazonaws.com/avbc"
            op.authorization_endpoint: "https://xxx.auth.eu-central-1.amazoncognito.com/oauth2/authorize"
            op.token_endpoint: "https://xxx.auth.eu-central-1.amazoncognito.com/oauth2/token"
            op.userinfo_endpoint: "https://xxx.auth.eu-central-1.amazoncognito.com/oauth2/userInfo"
            op.jwkset_path: "https://cxxx.amazonaws.com/yyyy/.well-known/jwks.json"
            op.endsession_endpoint: "https://xxxx/logout"
            claims.principal: sub
            claims.groups: cognito:groups

and this configuration on kibana.yml:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Login with Cognito"

Now when I use Kibana I can login using the Cognito user; when I try to use elasticsearch REST API, using Postman in this case, first I retrieve the JWT token from Cognito pool, and after I use it like:

curl --location --request POST 'https://elasticsearch_url/_search' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyxxxx' \
--data '{
    "size": 10000
}'

but I get this error message:

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "unable to authenticate with provided credentials and anonymous access is not allowed for this request",
                "additional_unsuccessful_credentials": "oauth2 token: invalid token",
                "header": {
                    "WWW-Authenticate": [
                        "Basic realm=\"security\", charset=\"UTF-8\"",
                        "Bearer realm=\"security\"",
                        "ApiKey"
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "unable to authenticate with provided credentials and anonymous access is not allowed for this request",
        "additional_unsuccessful_credentials": "oauth2 token: invalid token",
        "header": {
            "WWW-Authenticate": [
                "Basic realm=\"security\", charset=\"UTF-8\"",
                "Bearer realm=\"security\"",
                "ApiKey"
            ]
        }
    },
    "status": 401
}

Some additional info:

  • The Elasticsearch version used is 8.17.4.
  • The Cognito user pool is configured to use the Authorization code grant with scopes [email, openid, profile].

Can someone help me to understand this problem?
Thank you in advance.
E.

Hello,

The OIDC realm can be used for SSO in Kibana only; it cannot be used to authenticate directly in Elasticsearch or from other REST clients.

You need to have other authentication realms configured to authenticate directly in Elasticsearch as mentioned in the documentation.

This means that the OpenID Connect realm is not suitable for use by standard REST clients. If you configure an OpenID Connect realm for use in Kibana, you should also configure another realm, such as the native realm in your authentication chain.


Hi @leandrojmp, many thanks for your response and your time; ok, so I cannot use OIDC for the elasticsearch REST API. I had read that, and I also tried the JWT realm, both alone and together with the OIDC realm; this is the configuration that I tried in elasticsearch.yml:

xpack.security.authc.realms.jwt.jwt1:
  order: 2
  token_type: access_token
  client_authentication.type: shared_secret
  allowed_signature_algorithms: [ "RS256" ]
  allowed_subject_patterns: [ "*" ]
  allowed_audiences: [ "xxxxx" ]
  allowed_issuer: "https://xxx.amazonaws.com/yyyy"
  pkc_jwkset_path: "https://xxxx.amazonaws.com/yyyy/.well-known/jwks.json"
  required_claims:
    token_use: ["access"]
  fallback_claims.sub: client_id
  fallback_claims.aud: scope
  claims.principal: sub
  claims.groups: cognito:groups

but when I try to submit it the deployment fails, and I cannot see the details of the error message apart from this warning:

In your opinion what am I doing wrong? Or do you know another way to achieve my goal?
Many thanks.
E.
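The JWT realm compares the token's header and claims against the realm settings before it ever checks the signature, so a quick offline look at what a Cognito token actually carries saves a lot of guesswork. The script below is an added diagnostic written for this thread; it is not code from Elastic or AWS. It decodes a compact JWS without verifying it, applies the same setting names the thread's realm uses (`allowed_signature_algorithms`, `allowed_issuer`, `allowed_audiences`, `allowed_subject_patterns`, `required_claims`, `fallback_claims`), and lists every mismatch. Because `fallback_claims.aud: scope` tells the realm to use the `scope` claim as the audience when `aud` is absent, `allowed_audiences` is then matched against scope values rather than the app client id; the script assumes a space-separated scope string is treated as a list of values. It also shows the extra `ES-Client-Authentication: SharedSecret ...` header that a realm with `client_authentication.type: shared_secret` expects alongside the bearer token. All identifiers, tokens and payloads are constructed placeholders; the sample tokens are unsigned, so signature, expiry and the JWKS fetch are deliberately outside this check.

```python
import base64
import fnmatch
import json

# Mirror of the thread's JWT realm settings. Every value is a constructed
# placeholder, not a real Cognito pool, client id or scope.
REALM = {
    "allowed_signature_algorithms": ["RS256"],
    "allowed_issuer": "https://cognito-idp.REGION.amazonaws.com/POOL_ID",
    # With fallback_claims.aud: scope, access tokens are matched on scope values.
    "allowed_audiences": ["es-api/search"],
    "allowed_subject_patterns": ["*"],
    "required_claims": {"token_use": ["access"]},
    "fallback_claims": {"sub": "client_id", "aud": "scope"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload). The signature is NOT
    verified here; this only exposes what the realm would compare."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def _as_list(value):
    # Assumption: a space-separated string (Cognito's scope claim) is a list of values.
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return str(value).split()


def check_token_against_realm(token: str, realm: dict = REALM) -> list:
    """Return human-readable mismatches between the token and the realm
    settings; an empty list means these claim checks would pass."""
    header, payload = decode_jwt(token)
    problems = []

    alg = header.get("alg")
    if alg not in realm["allowed_signature_algorithms"]:
        problems.append(f"alg {alg!r} not in allowed_signature_algorithms")

    if payload.get("iss") != realm["allowed_issuer"]:
        problems.append(f"iss {payload.get('iss')!r} != allowed_issuer")

    def resolved(claim):
        # Apply fallback_claims the way the realm does for access tokens
        # that carry client_id/scope instead of sub/aud.
        if claim in payload:
            return payload[claim]
        return payload.get(realm["fallback_claims"].get(claim, ""))

    sub = resolved("sub")
    if sub is None:
        problems.append("no sub claim and no fallback claim present")
    elif not any(fnmatch.fnmatchcase(str(sub), p)
                 for p in realm["allowed_subject_patterns"]):
        problems.append(f"sub {sub!r} matches no allowed_subject_patterns")

    aud = _as_list(resolved("aud"))
    if not set(aud) & set(realm["allowed_audiences"]):
        problems.append(f"aud {aud!r} does not overlap allowed_audiences")

    for claim, allowed in realm["required_claims"].items():
        if not set(_as_list(payload.get(claim))) & set(allowed):
            problems.append(f"required claim {claim!r} is not one of {allowed}")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED sample token for offline testing; the
    third segment is a placeholder, not a real RS256 signature."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed payloads shaped like a Cognito access token and ID token.
ACCESS_TOKEN = make_sample_token({
    "iss": REALM["allowed_issuer"], "sub": "user-uuid", "client_id": "APP_CLIENT_ID",
    "scope": "openid profile es-api/search", "token_use": "access",
    "cognito:groups": ["analysts"],
})
ID_TOKEN = make_sample_token({
    "iss": REALM["allowed_issuer"], "sub": "user-uuid", "aud": "APP_CLIENT_ID",
    "token_use": "id", "email": "user@example.com",
})


def realm_request_headers(token: str, shared_secret: str) -> dict:
    """Headers a JWT-realm request needs when client_authentication.type is
    shared_secret: the bearer token plus the ES-Client-Authentication header."""
    return {"Authorization": f"Bearer {token}",
            "ES-Client-Authentication": f"SharedSecret {shared_secret}"}


if __name__ == "__main__":
    for name, tok in (("access", ACCESS_TOKEN), ("id", ID_TOKEN)):
        print(name, check_token_against_realm(tok) or "OK")
```

Run against a real token by pasting it into `check_token_against_realm` with `REALM` edited to the deployment's values; the ID-token sample is there on purpose, since with `token_type: access_token` and `required_claims.token_use: ["access"]` an ID token is rejected on the claims alone, and its `aud` (the app client id) no longer lines up with `allowed_audiences` once the audience fallback points at `scope`.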

I suggest that you contact support.

I do not use JWT as an authentication method, so I'm not sure what is wrong.
