Error while doing oidc - nested: ParseException[Missing JSON object member with key "token_type"

Hello Team,
We are using platinum-tier-xpack-trial-license

While using oidc authentication without Kibana- following steps mentioned here:
https://www.elastic.co/guide/en/elasticsearch/reference/7.3/oidc-without-kibana.html

We get the following error when hitting the API:

POST /_security/oidc/authenticate

We get the following error as the response from the API:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }

and the following in logs

[2019-10-25T01:33:59,319][WARN ][o.e.x.s.a.AuthenticationService] [elkpoc-1] 
Authentication to realm oidc2 failed - Failed to authenticate user with OpenID Connect 
(Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint. 
Unable to parse Token Response]; nested: ParseException[Missing JSON object member with key "token_type"];)

-----below are detailed steps -------

We want to authenticate our api calls to elastic. For this we are using the following guide.
https://www.elastic.co/guide/en/elasticsearch/reference/7.3/oidc-without-kibana.html

The oidc provider is our enterprise oidc provider.

As required, we have done following steps:
1) Register the RP with an OpenID Connect Provider
We registered both our custom web app and the Elastic API:
https://:9200/api/security/v1/oidc
https:///services/platform

2) OpenID Connect Realm
Created openid connect realm

3) Service Account user for accessing the APIs
We are using the elastic user, which has superuser access.

4) Handling the authentication flow
4.1) Make an HTTP POST request to _security/oidc/prepare

We make the call and successfully get the response as
{
"redirect" : "https://{oidc provider url }?scope=openid
&response_type=code
&redirect_uri={our custom url}/Fservices/platform
&state={state id}
&client_id={client id}",
"state" : "{state id}",
"nonce" : "nonce id"
}

4.2) Handle the response to /_security/oidc/prepare
We then open the redirect URL above in a browser, authenticate using our enterprise ID, and get redirected back
to the URL mentioned in redirect_uri above.

It is returned as follows:
https://{custom url}/services/platform/client?scope=openid
&code={code id}
&state={state id}

4.3) Handle a subsequent response from the OP.

Once we are redirected back to our custom URL mentioned in redirect_uri,
we use that URL and the state and nonce parameters to hit the authenticate API:

POST /_security/oidc/authenticate
{
"redirect_uri" : "https://{custom url}/services/platform/client?scope=openid",
"state" : "{state id}",
"nonce" : "{nonce id}"
}

We get the following error as the response from the API:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [] for action [cluster:admin/xpack/security/oidc/authenticate]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }

and the following in logs

[2019-10-25T01:33:59,319][WARN ][o.e.x.s.a.AuthenticationService] [elkpoc-1]
Authentication to realm oidc2 failed - Failed to authenticate user with OpenID Connect
(Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.
Unable to parse Token Response]; nested: ParseException[Missing JSON object member with key "token_type"];)

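The client side of the flow described in the post above (steps 4.1 to 4.3), as an added example that is not code from the original post: it builds the request bodies for /_security/oidc/prepare and /_security/oidc/authenticate, parses the URL the OP redirects the browser to, and refuses to continue when the returned state does not match the one stored from the prepare step. The "realm" member is the 7.4+ realm selector mentioned later in the thread; every URL and id below is a constructed sample value.

```python
# Added example, not code from the original post: client side of the
# "OIDC without Kibana" flow. Elasticsearch itself performs the code-for-token
# exchange with the OP; the client only relays the callback URL it received.
# All URLs and ids here are constructed sample values.
from urllib.parse import urlparse, parse_qs


def prepare_body(realm=None):
    """Body for POST /_security/oidc/prepare; realm selects one of several OIDC realms."""
    return {"realm": realm} if realm else {}


def parse_callback(callback_url):
    """Return (code, state) from the URL the OP sent the user agent back to."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if not code or not state:
        raise ValueError("callback URL lacks code or state; the OP may have returned an error")
    return code, state


def authenticate_body(callback_url, stored_state, stored_nonce, realm=None):
    """Body for POST /_security/oidc/authenticate.

    redirect_uri must be the full callback URL including its query string:
    Elasticsearch extracts the authorization code from it and then exchanges
    the code at the OP's token endpoint (the step that failed in the post).
    """
    _, returned_state = parse_callback(callback_url)
    if returned_state != stored_state:
        # The callback does not belong to the prepare call this client made
        # (a stale, replayed or forged callback): do not forward it.
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    body = {"redirect_uri": callback_url, "state": stored_state, "nonce": stored_nonce}
    if realm:
        body["realm"] = realm  # available from 7.4 when several OIDC realms exist
    return body


if __name__ == "__main__":
    # Constructed stand-ins for the step 4.1 response and the step 4.2 redirect.
    state, nonce = "st-constructed-1", "n-constructed-1"
    cb = "https://app.example.net/services/platform/client?scope=openid&code=c0de&state=" + state
    print(prepare_body("oidc2"))
    print(authenticate_body(cb, state, nonce, realm="oidc2"))
```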

Please enable TRACE logging for OpenID Connect in Elasticsearch. You can do it for example via Kibana dev tools with:

PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"
  }
}

This will print the response to the token request from your OpenID Connect Provider, that will contain the error message indicating why this fails.
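A checker for the Token Endpoint response that TRACE logging prints, added here as an example and not code from the reply or from Elasticsearch: it reports which members required of a successful OpenID Connect token response are absent (RFC 6749 section 5.1 requires access_token and token_type; OpenID Connect Core 3.1.3.3 adds id_token for the code flow), which is the condition behind the "Missing JSON object member with key token_type" ParseException in the question. The two response bodies at the bottom are constructed samples.

```python
# Added example, not code from the reply: inspect a token endpoint response
# body as captured from the OIDC TRACE log and list what is wrong with it.
import json

# Members a successful OIDC authorization-code token response must carry.
REQUIRED = ("access_token", "token_type", "id_token")


def check_token_response(raw):
    """Return a list of problems; an empty list means the response looks valid."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    if "error" in doc:
        # OAuth2 error response (RFC 6749 section 5.2): the OP refused the
        # exchange; error_description usually states the reason.
        return [f"OP returned error {doc['error']!r}: {doc.get('error_description', '')}"]
    problems = []
    for key in REQUIRED:
        if key not in doc:
            problems.append(f'missing JSON object member "{key}"')
    token_type = doc.get("token_type")
    if token_type is not None and str(token_type).lower() != "bearer":
        problems.append(f"token_type {token_type!r} is not Bearer")
    id_token = doc.get("id_token")
    if isinstance(id_token, str) and id_token.count(".") != 2:
        problems.append("id_token is not a compact JWS (expected three dot-separated parts)")
    return problems


# Constructed sample bodies: the first reproduces the shape that triggers the
# ParseException in the question, the second is a well-formed response.
SAMPLE_BROKEN = json.dumps({"access_token": "at-constructed", "id_token": "h.p.s", "expires_in": 3600})
SAMPLE_OK = json.dumps({"access_token": "at-constructed", "token_type": "Bearer",
                        "id_token": "h.p.s", "expires_in": 3600})

if __name__ == "__main__":
    for name, body in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, check_token_response(body) or ["no problems found"])
```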


Thanks for the quick update Ioannis,

I have put tracing on.
I was using the oidc2 realm (we have 2 realms created, 1 and 2).
Then I switched the correct setting into oidc1 and it started working.

However, now the Kibana URL stopped working when I put it in oidc2.
So it looks like 2 OIDC realms cannot work at a time.

Below is the setting:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: ""
  rp.response_type: code
  rp.redirect_uri: ""
  op.issuer: ""
  op.jwkset_path: oidc/jwkset.json
  op.authorization_endpoint: ""
  op.token_endpoint: ""
  op.userinfo_endpoint: ""
  claims.principal: email

xpack.security.authc.realms.oidc.oidc2:
  order: 2
  rp.client_id: "<id>"
  rp.response_type: code
  op.issuer: "<issuer url>"
  rp.redirect_uri: "<webapp redirect_uri>"
  op.jwkset_path: oidc/jwkset.json
  op.authorization_endpoint: "<url>"
  op.token_endpoint: "<url>"
  op.userinfo_endpoint: "<url>"
  claims.principal: email

It seems it's taking oidc1 always and not considering oidc2 while executing the /authenticate request.

Is there any method to point the /authenticate request to oidc2 when we are opening Kibana?

Currently we are on 7.2.
Do we need to upgrade to 7.4 for this?

Hi @yash_nigam,

Yes, it is unfortunate but you are hitting https://github.com/elastic/elasticsearch/issues/45331 which was resolved in https://github.com/elastic/elasticsearch/pull/45767

If you can upgrade to 7.4, then you can indicate which realm you want to use by passing the realm parameter with the name of the realm when you call /_security/oidc/authenticate
