ELK Stack integration with Keycloak

sencer · December 12, 2019, 10:56am

I kept receiving the same error message "Unknown login requester" from Keycloak with SAML. I was probably missing some values somewhere. I am not a systems engineer, so unfortunately I cannot tell you what went wrong.

Thanks for trace level logging information. I see the following after I click

[2019-12-12T11:21:30,119][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [S2MW31] OpenID Connect Provider redirected user to [/api/security/v1/oidc?state=iaAXRLJaJq_nnfc_ujdlNOHseOWJHZw3pqpeJ2Cnf2g&session_state=f81d040e-ec66-44bd-958f-2be6c6aad4e1&code=e645dbc2-b415-48a8-9bab-19b115140c72.f81d040e-ec66-44bd-958f-2be6c6aad4e1.d999e26b-a38b-482c-bcf8-e7e3eae74f43]. Expected Nonce is [GRxwUBq9b-rxe1hA7XzCQOV2lj_yvKM3AhwWiMOF99k] and expected State is [iaAXRLJaJq_nnfc_ujdlNOHseOWJHZw3pqpeJ2Cnf2g]
[2019-12-12T11:21:30,342][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [S2MW31] Received Token Response from OP with status [200] and content [{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIya3pRd3dvTDd1ZUIwcGxiRVdtU2ZTbzI0SzVhcHFjNDNIbktZc2hVTm5RIn0.eyJqdGkiOiI4YzA3OWYyNC1mNmFmLTQwNmQtOWRlNi05MDFmMmRmYmY5NDEiLCJleHAiOjE1NzYxNDYzOTAsIm5iZiI6MCwiaWF0IjoxNTc2MTQ2MDkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIzZmE5YjUwZC05M2M4LTRjYTktOGE4MC1lOTJhMzIxYjFiZjUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJraWJhbmEiLCJub25jZSI6IkdSeHdVQnE5Yi1yeGUxaEE3WHpDUU9WMmxqX3l2S00zQWh3V2lNT0Y5OWsiLCJhdXRoX3RpbWUiOjE1NzYxNDYwOTAsInNlc3Npb25fc3RhdGUiOiJmODFkMDQwZS1lYzY2LTQ0YmQtOTU4Zi0yYmU2YzZhYWQ0ZTEiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vbG9jYWxob3N0OjU2MDEiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIkRhc2hib2FyZCBVc2VyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6WyJEYXNoYm9hcmQgVXNlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwibmFtZSI6InRlc3QxIHVzZXIxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdHVzZXIxIiwiZ2l2ZW5fbmFtZSI6InRlc3QxIiwiZmFtaWx5X25hbWUiOiJ1c2VyMSIsImVtYWlsIjoidGVzdEB0ZXN0LmNvbSJ9.Up4T2J6bzL558gsdjDJGU_3Fj_2g5hKTH2wkzfuNEfZhOKTSgSPwx1tp-dn2Ic6sUpTQl9m_YInVZtxuaNSj54_My8QgEGUTBfFTbSKa_WPBf8o6WRNhWTxwH87zVdOsfhU_DoPinRLiqyyvaxDfL0wxZ2lfowiLv3-TtM5JG8BTN2kqttI4RZenAV69dF4LkL8l9Grg89sQ2w8f-HkMMd2UwW3mxxWtqIMKvhyK1_j-7PGFiLrc3ti66OnfPZZU5qynVW4yvugwY6M_8ZHVP-fr1Arbp5BuUMxYR_fkVDMcAG64ObB4EQuZ8Py-_exaTLZvDK3I191ChqhFxGUlvw","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5MWM1ZjE1OS1lOTllLTQ3MjAtYWM2YS1mZDVjYWE4OGNmOTcifQ.eyJqdGkiOiIyNjg4ZWQzZi1jOTczLTQ3OTItYmQyNi1hZTQ1ZWI2OTQyMjAiLCJleHAiOjE1NzYxNDc4OTAsIm5iZiI6MCwiaWF0IjoxNTc2MTQ2MDkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9hdXRoL3JlYWxtcy9kZW1vIiwic3ViIjoiM2ZhOWI1MGQtOTNjOC00Y2E5LThhODAtZTkyYTMyMWIxYmY1IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImtpYmFuYSIsIm5vbmNlIjoiR1J4d1VCcTliLXJ4ZTFoQTdYekNRT1YybGpfeXZLTTNBaHdXaU1PRjk5ayIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImY4MWQwNDBlLWVjNjYtNDRiZC05NThmLTJiZTZjNmFhZDRlMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJEYXNoYm9hcmQgVXNlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIn0.onjK5H901YA2gCsgZbRf_4LSjiaJYkITwfybQENCGL0","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIya3pRd3dvTDd1ZUIwcGxiRVdtU2ZTbzI0SzVhcHFjNDNIbktZc2hVTm5RIn0.eyJqdGkiOiJmNDAyYmM0Mi1lNWFjLTQwZTQtOWM4MS1kNjY2ZDczM2E1YWYiLCJleHAiOjE1NzYxNDYzOTAsIm5iZiI6MCwiaWF0IjoxNTc2MTQ2MDkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImtpYmFuYSIsInN1YiI6IjNmYTliNTBkLTkzYzgtNGNhOS04YTgwLWU5MmEzMjFiMWJmNSIsInR5cCI6IklEIiwiYXpwIjoia2liYW5hIiwibm9uY2UiOiJHUnh3VUJxOWItcnhlMWhBN1h6Q1FPVjJsal95dktNM0Fod1dpTU9GOTlrIiwiYXV0aF90aW1lIjoxNTc2MTQ2MDkwLCJzZXNzaW9uX3N0YXRlIjoiZjgxZDA0MGUtZWM2Ni00NGJkLTk1OGYtMmJlNmM2YWFkNGUxIiwiYWNyIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjpbIkRhc2hib2FyZCBVc2VyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJuYW1lIjoidGVzdDEgdXNlcjEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlcjEiLCJnaXZlbl9uYW1lIjoidGVzdDEiLCJmYW1pbHlfbmFtZSI6InVzZXIxIiwiZW1haWwiOiJ0ZXN0QHRlc3QuY29tIn0.QGxOPzGI-DPFOnO8hvek0-I0AEkULH4Bk3bMNHCFMfZnve-FZk7w2cSagvnL-xmvTWMxniNuxJlEudFcHFhcKmcusWYE24MJqIt0NPNO1OerHOoBjQbAOzf1eSWvMyLtFnFOoUROp8s_8bdWlIJbHTmu1chNcRZDcbNTgOlllvP-Mvtd4OGYl9roj_b8VN4LVG2Cn5c_JX6R0UMifM9rDhQ0bUf4PpHxLXI0Jr0TX6A79J3NLxdCpY_k_d7nBoD57RT7ekzf4qq1beOyKXlyFAvFqPhS-kFm9P68-K9NlqMRSqI7UzFIyGjxxL4pcfQZcsBttqwRpO-DTtJiWNHv4g","not-before-policy":0,"session_state":"f81d040e-ec66-44bd-958f-2be6c6aad4e1","scope":"openid email profile"}] 
[2019-12-12T11:21:30,363][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [S2MW31] Successfully exchanged code for ID Token: [com.nimbusds.jwt.SignedJWT@6bce1570] and Access Token [eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIya3pRd3dvTDd1ZUIwcGxiRVdtU2ZTbzI0SzVhcHFjNDNIbktZc2hVTm5RIn0.eyJqdGkiOiI4YzA3OWYyNC1mNmFmLTQwNmQtOWRlNi05MDFmMmRmYmY5NDEiLCJleHAiOjE1NzYxNDYzOTAsIm5iZiI6MCwiaWF0IjoxNTc2MTQ2MDkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIzZmE5YjUwZC05M2M4LTRjYTktOGE4MC1lOTJhMzIxYjFiZjUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJraWJhbmEiLCJub25jZSI6IkdSeHdVQnE5Yi1yeGUxaEE3WHpDUU9WMmxqX3l2S00zQWh3V2lNT0Y5OWsiLCJhdXRoX3RpbWUiOjE1NzYxNDYwOTAsInNlc3Npb25fc3RhdGUiOiJmODFkMDQwZS1lYzY2LTQ0YmQtOTU4Zi0yYmU2YzZhYWQ0ZTEiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vbG9jYWxob3N0OjU2MDEiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIkRhc2hib2FyZCBVc2VyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6WyJEYXNoYm9hcmQgVXNlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwibmFtZSI6InRlc3QxIHVzZXIxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdHVzZXIxIiwiZ2l2ZW5fbmFtZSI6InRlc3QxIiwiZmFtaWx5X25hbWUiOiJ1c2VyMSIsImVtYWlsIjoidGVzdEB0ZXN0LmNvbSJ9.Up4T2J6bzL558gsdjDJGU_3Fj_2g5hKTH2wkzfuNEfZhOKTSgSPwx1tp-dn2Ic6sUpTQl9m_YInVZtxuaNSj54_My8QgEGUTBfFTbSKa_WPBf8o6WRNhWTxwH87zVdOsfhU_DoPinRLiqyyvaxDfL0wxZ2lfowiLv3-TtM5JG8BTN2kqttI4RZenAV69dF4LkL8l9Grg89sQ2w8f-HkMMd2UwW3mxxWtqIMKvhyK1_j-7PGFiLrc3ti66OnfPZZU5qynVW4yvugwY6M_8ZHVP-fr1Arbp5BuUMxYR_fkVDMcAG64ObB4EQuZ8Py-_exaTLZvDK3I191ChqhFxGUlvw]
[2019-12-12T11:21:30,383][DEBUG][o.e.x.s.a.o.OpenIdConnectRealm] [S2MW31] Failed to consume the OpenIdConnectToken 
org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.getUserClaims(OpenIdConnectAuthenticator.java:259) [x-pack-security-7.4.0.jar:7.4.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.lambda$authenticate$0(OpenIdConnectAuthenticator.java:193) [x-pack-security-7.4.0.jar:7.4.0]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:62) [elasticsearch-7.4.0.jar:7.4.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.handleTokenResponse(OpenIdConnectAuthenticator.java:542) [x-pack-security-7.4.0.jar:7.4.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.access$600(OpenIdConnectAuthenticator.java:125) [x-pack-security-7.4.0.jar:7.4.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:479) [x-pack-security-7.4.0.jar:7.4.0]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.completed(OpenIdConnectAuthenticator.java:476) [x-pack-security-7.4.0.jar:7.4.0]
	at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:122) [httpcore-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:181) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:448) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:338) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.4.jar:4.1.4]
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.11.jar:4.4.11]
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) [httpcore-nio-4.4.11.jar:4.4.11]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:100) ~[?:?]
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:285) ~[?:?]
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224) ~[?:?]
	at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.getUserClaims(OpenIdConnectAuthenticator.java:226) ~[?:?]
	... 21 more

Is it possible that Keycloak has different configuration ( different keys ) for different realms and you haven't configured the one called demo , but using a different one ?

You are actually right. For some reason, it was wrongly configured. I switched the necessary endpoints, and added my client secret for realm ROOT and it worked. No idea why.

Topic		Replies	Views
How to integrate Kibana (OpenSource) with keycloak? Kibana elastic-stack-security	4	9461	April 9, 2020
Elasticsearch 7.0.1 OIDC/SAML support Elasticsearch elastic-stack-security , docker	3	373	September 5, 2019
Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity http://xxx.xxx.xx] Elasticsearch elastic-stack-security	3	750	December 7, 2021
Integration of kibana dashboard and keycloack Kibana	4	571	July 9, 2020
ELK Stack connect to Keycloak via OpenID Elasticsearch elastic-stack-security , docker	9	1983	January 31, 2023

ELK Stack integration with Keycloak

Related topics