Hello everyone,
I am getting this error message after trying to authenticate with OIDC.
{"statusCode":401,"error":"Unauthorized","message":"Response session state does not have corresponding state or nonce parameters or redirect URL."}
My setup is:
elasticsearch.yml
cluster.name: my-application
node.name: node1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
logger.org.elasticsearch.discovery: DEBUG
xpack.security.audit.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "C:/Program Files/elasticsearch-7.13.2/config/http.p12"
xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "fcb5c4ba-9a56-4cb0-bd15-1182cf3ef6fa"
  rp.response_type: id_token
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/implicit"
  op.issuer: "https://<Login-Provider>"
  op.authorization_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize"
  op.token_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/token"
  op.jwkset_path: "https://<Login-Provider>/b2c_1_signin/discovery/v2.0/keys"
  # op.userinfo_endpoint: "https://op.example.org/oauth2/v1/userinfo"
  # op.endsession_endpoint: "https://op.example.org/oauth2/v1/logout"
  # rp.post_logout_redirect_uri: "https://kibana.example.org:5601/logged_out"
  claims.principal: sub
  # claims.groups: ""
kibana.yml
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
xpack.security.sameSiteCookies: "None"
xpack.security.secureCookies: true
server.cors.enabled: true
#server.cors.origin: ["*"]
xpack.encryptedSavedObjects:
  encryptionKey: "min-32-byte-long-strong-encryption-key"
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["C:/Program Files/kibana-7.13.2-windows-x86_64/config/elasticsearch-ca.pem"]
server.ssl.keystore.path: "C:/Program Files/kibana-7.13.2-windows-x86_64/config/kibana-server.p12"
xpack.security.audit.enabled: true
xpack.security.authc.providers:
  oidc.oidc1:
    order: 1
    realm: "oidc1"
  basic.basic1:
    order: 0
I found out that the error is coming from this part of the Kibana code, but other than this I have no idea what is going wrong.
// If it is an authentication response and the users' session state doesn't contain all the necessary information,
// then something unexpected happened and we should fail because Elasticsearch won't be able to validate the
// response.
const {
  nonce: stateNonce = '',
  state: stateOIDCState = '',
  redirectURL: stateRedirectURL = '',
} = sessionState || {};
if (!stateNonce || !stateOIDCState || !stateRedirectURL) {
  const message =
    'Response session state does not have corresponding state or nonce parameters or redirect URL.';
  this.logger.debug(message);
  return AuthenticationResult.failed(Boom.badRequest(message));
}
I am using self-signed licenses created by the elasticsearch certificate tool:
./bin/elasticsearch-certutil http
Could you please help?
Thank you