Error 401 when authenticating with OpenIDConnect

Hello everyone,

I am getting this error message after trying to authenticate with OIDC.

{"statusCode":401,"error":"Unauthorized","message":"Response session state does not have corresponding state or nonce parameters or redirect URL."}

My setup is:

elasticsearch.yml

cluster.name: my-application
node.name: node1


xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

logger.org.elasticsearch.discovery: DEBUG
xpack.security.audit.enabled: true


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "C:/Program Files/elasticsearch-7.13.2/config/http.p12"

xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "fcb5c4ba-9a56-4cb0-bd15-1182cf3ef6fa"  
  rp.response_type: id_token
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/implicit"
  op.issuer: "https://<Login-Provider>"
  op.authorization_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize"
  op.token_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/token"
  op.jwkset_path: "https://<Login-Provider>/b2c_1_signin/discovery/v2.0/keys"
  # op.userinfo_endpoint: "https://op.example.org/oauth2/v1/userinfo"
  # op.endsession_endpoint: "https://op.example.org/oauth2/v1/logout"
  # rp.post_logout_redirect_uri: "https://kibana.example.org:5601/logged_out"
  claims.principal: sub
  #claims.groups: ""

kibana.yml

elasticsearch.hosts: ["https://localhost:9200"]


elasticsearch.username: "kibana_system"

xpack.security.sameSiteCookies: "None"
xpack.security.secureCookies: true

server.cors.enabled: true
#server.cors.origin: ["*"]

xpack.encryptedSavedObjects:
  encryptionKey: "min-32-byte-long-strong-encryption-key"

server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["C:/Program Files/kibana-7.13.2-windows-x86_64/config/elasticsearch-ca.pem"]

server.ssl.keystore.path: "C:/Program Files/kibana-7.13.2-windows-x86_64/config/kibana-server.p12"

xpack.security.audit.enabled: true

xpack.security.authc.providers:
  oidc.oidc1:
    order: 1
    realm: "oidc1"
  basic.basic1:
    order: 0

I found out that the error is coming from this part of the Kibana code, but other than this I have no idea what is going wrong.

    // If it is an authentication response and the users' session state doesn't contain all the necessary information,
    // then something unexpected happened and we should fail because Elasticsearch won't be able to validate the
    // response.
    const {
      nonce: stateNonce = '',
      state: stateOIDCState = '',
      redirectURL: stateRedirectURL = '',
    } = sessionState || {};
    if (!stateNonce || !stateOIDCState || !stateRedirectURL) {
      const message =
        'Response session state does not have corresponding state or nonce parameters or redirect URL.';
      this.logger.debug(message);
      return AuthenticationResult.failed(Boom.badRequest(message));
    }

I am using self-signed licenses created by the Elasticsearch certificate tool:
./bin/elasticsearch-certutil http

Could you please help?
Thank you

Hi Kosta,

Would you mind explaining how you try to authenticate with OIDC (as in, what steps do you take in your browser)?

  • Do you have a single Kibana instance or more than one ?
  • You need to have configured the redirect_uri value in your OP too. Did you set its value to "exactly" https://localhost:5601/api/security/oidc/implicit too ?

Hello Ioanni,
thank you for your reply.

My future intention is to integrate Kibana visualizations into another application via iframes, but for now I am just trying to achieve Kibana/Elasticsearch authentication via OIDC. Therefore, I have a local setup in which the configuration points to the respective authorization endpoint, "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize", in order to achieve authentication with Azure AD B2C.

The steps that I follow in the browser are:

  1. Go to the Kibana login page at 127.0.0.1:5601/login?next=%2Fapp%2Fhome#/, where I have two login options: basic and OIDC.
  2. Click the OIDC login option; I then get redirected to the "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize" authentication page.
  3. Enter credentials and click Sign-in; I then get redirected to the localhost:5601/api/security/oidc/callback page, but with this 401 error: {"statusCode":401,"error":"Unauthorized","message":"Response session state does not have corresponding state or nonce parameters or redirect URL."}

I have to say that in the first and third steps I get a "Not secure" warning from the browser, as my certificate is self-signed and I guess it is not trusted.

I also have to add that, during this process, I get this error in my Kibana logs: [error][client][connection] Error: 17040:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1544:SSL alert number 46. From some answers that I found in the Elastic forums, someone said that this is normal since I have self-signed certificates.

  • I am running a single Kibana instance.
  • In the OP, I have configured the redirect_uri values with the exact URLs that exist in the Elasticsearch configuration as well.

Thank you in advance for your time