Error 401 when authenticating with OpenIDConnect

Hello everyone,

I am getting this error message after trying to authenticate with OIDC.

{"statusCode":401,"error":"Unauthorized","message":"Response session state does not have corresponding state or nonce parameters or redirect URL."}

My setup is:

elasticsearch.yml

cluster.name: my-application
node.name: node1


xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

logger.org.elasticsearch.discovery: DEBUG
xpack.security.audit.enabled: true


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "C:/Program Files/elasticsearch-7.13.2/config/http.p12"

xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "fcb5c4ba-9a56-4cb0-bd15-1182cf3ef6fa"  
  rp.response_type: id_token
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/implicit"
  op.issuer: "https://<Login-Provider>"
  op.authorization_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize"
  op.token_endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/token"
  op.jwkset_path: "https://<Login-Provider>/b2c_1_signin/discovery/v2.0/keys"
  # op.userinfo_endpoint: "https://op.example.org/oauth2/v1/userinfo"
  # op.endsession_endpoint: "https://op.example.org/oauth2/v1/logout"
  # rp.post_logout_redirect_uri: "https://kibana.example.org:5601/logged_out"
  claims.principal: sub
  #claims.groups: ""

kibana.yml

elasticsearch.hosts: ["https://localhost:9200"]


elasticsearch.username: "kibana_system"

xpack.security.sameSiteCookies: "None"
xpack.security.secureCookies: true

server.cors.enabled: true
#server.cors.origin: ["*"]

xpack.encryptedSavedObjects:
  encryptionKey: "min-32-byte-long-strong-encryption-key"

server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: ["C:/Program Files/kibana-7.13.2-windows-x86_64/config/elasticsearch-ca.pem"]

server.ssl.keystore.path: "C:/Program Files/kibana-7.13.2-windows-x86_64/config/kibana-server.p12"

xpack.security.audit.enabled: true

xpack.security.authc.providers:
  oidc.oidc1:
    order: 1
    realm: "oidc1"
  basic.basic1:
    order: 0

I found out that the error is coming from this part of kibana code, but other than this I have no idea what is going wrong.

    // If it is an authentication response and the users' session state doesn't contain all the necessary information,
    // then something unexpected happened and we should fail because Elasticsearch won't be able to validate the
    // response.
    const {
      nonce: stateNonce = '',
      state: stateOIDCState = '',
      redirectURL: stateRedirectURL = '',
    } = sessionState || {};
    if (!stateNonce || !stateOIDCState || !stateRedirectURL) {
      const message =
        'Response session state does not have corresponding state or nonce parameters or redirect URL.';
      this.logger.debug(message);
      return AuthenticationResult.failed(Boom.badRequest(message));
    }

I am using self-signed licenses created by the elasticsearch certificate tool:
./bin/elasticsearch-certutil http

Could you please help?
Thank you

Hi Kosta,

Would you mind explaining how you try to authenticate with OIDC (as in, what steps do you take in your browser?)

  • Do you have a single Kibana instance or more than one?
  • You need to have configured the redirect_uri value in your OP too. Did you set its value to "exactly" https://localhost:5601/api/security/oidc/implicit too?

Hello Ioanni,
thank you for your reply.

My future intention is to integrate kibana visualizations into another application via IFRAMES, but for now I am just trying to achieve kibana/elasticsearch authentication via OIDC. Therefore, I have a local setup in which the configuration points to the respective authorization endpoint: "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize", in order to achieve authentication with Azure AD B2C.

The steps that I follow in the browser are:

  1. Go to the kibana login page at: 127.0.0.1:5601/login?next=%2Fapp%2Fhome#/ where I have two login options: basic and oidc
  2. Click on the OIDC login option, therefore I get redirected to the "https://<Login-Provider>/b2c_1_signin/oauth2/v2.0/authorize" authentication page.
  3. Enter credentials and click Sign-in, therefore I get redirected to the localhost:5601/api/security/oidc/callback page, with this 401 {"statusCode":401,"error":"Unauthorized","message":"Response session state does not have corresponding state or nonce parameters or redirect URL."} error though.

I have to say that in the first and third step, I have this "Not secure" warning from the browser as my certificate is self-signed and I guess it is not trusted.

I have to also add that, during this process, I am getting this error [error][client][connection] Error: 17040:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1544:SSL alert number 46 in my kibana logs. From some answers that I found in the elastic forums, someone said that this is normal since I have self-signed certificates.

  • I am running a single Kibana instance
  • In the OP, I have configured the redirect_uri values with the exact URLs that exist in the elasticsearch configuration as well

Thank you in advance for your time
