I am trying to authenticate Kibana users using OIDC. When the user is redirected to Kibana after logging in, the following error occurs.
[2019-12-20T11:36:57,355][WARN ][o.e.x.s.a.AuthenticationService] [X556UQK] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to get user information from the UserInfo endpoint.]; nested: IllegalStateException[Error merging ID token and userinfo claim value for claim [email_verified]. Cannot merge [java.lang.Boolean] with [java.lang.String]];)
As the error indicates, AWS Cognito returns the value for the email_verified claim as a boolean in the ID Token and as a string in the Userinfo response. We consider the same claim with different value types to be an error as there is no way for us to know whether this is supposed to be a boolean or a string and thus we fail the login flow.
I suggest you open a support ticket with AWS to report their behavior, I don't think there is a reason to not fix this on their side.
In the meantime, you can probably just comment out the op.userinfo_endpoint in your elasticsearch configuration, assuming all the claims you want are already in the ID Token.
I am facing the same issue so I commented out op.userinfo_endpoint as per your suggestion but now I am getting a 403 forbidden error after authentication. Is it because of commenting out userinfo?
Please find below the logs from elasticsearch after authenticating with aws cognito
OpenID Connect Provider redirected user to [/api/security/v1/oidc?code=]
[2020-02-06T13:57:06,502][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received Token Response from OP with status [200] and content [{"id_token":"","expires_in":3600,"token_type":"Bearer"}]
[2020-02-06T13:57:06,526][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Successfully exchanged code for ID Token: [com.nimbusds.jwt.SignedJWT@15333bdc] and Access Token []
[2020-02-06T13:57:06,560][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received and validated the Id Token for the user: [{"at_hash":"SOt6DfjuG3jjIBf00BSRig","sub":"","cognito:groups":["kibana-users"],"email_verified":true,"iss":"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_bBxqRAHER","cognito:username":"piyush.a.kashyap","nonce":"","cognito:roles":["arn:aws:iam:::role/cognito_authenticated"],"aud":"","token_use":"id","auth_time":1580977626,"exp":1580981226,"iat":1580977626,"email":"piyush.a.kashyap@organization.com"}]
[2020-02-06T13:57:06,561][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] OP returned an access token but the UserInfo endpoint is not configured.
I am using the following role mapping with OIDC:
curl --user elastic:123456 -X PUT "localhost:9200/_security/role_mapping/cloud-oidc?pretty" -H 'Content-Type: application/json' -d'
{
"roles": [ "kibana_dashboard_only_user" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "cloud-oidc" } },
{ "field": { "groups": "cognito:groups" } }
] }
}
'
Please let me know if you find any issue in the logs or role.
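An added example, not code from this thread nor from Elasticsearch or Cognito, that models the two checks the thread runs into: merging ID-token and UserInfo claims with the same type-conflict rule the first error message describes, and evaluating a role mapping's "all"/"field" rules against the user built from those claims. It assumes a realm configured with claims.principal set to cognito:username and claims.groups set to cognito:groups, and uses constructed sample claims modelled on the logged ID token.

```python
from typing import Any, Dict, Optional


class ClaimMergeError(Exception):
    """Same claim seen with two different JSON types (the failure in the first post)."""


def merge_claims(id_token: Dict[str, Any], userinfo: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Overlay UserInfo claims on ID-token claims; refuse when the types disagree."""
    merged = dict(id_token)
    for name, value in (userinfo or {}).items():
        if name in merged and type(merged[name]) is not type(value):
            raise ClaimMergeError(
                f"Error merging ID token and userinfo claim value for claim [{name}]. "
                f"Cannot merge [{type(merged[name]).__name__}] with [{type(value).__name__}]"
            )
        merged[name] = value
    return merged


def build_user(claims: Dict[str, Any], realm_name: str, groups_claim: str) -> Dict[str, Any]:
    """Assumed realm settings: claims.principal=cognito:username, claims.groups=groups_claim."""
    groups = claims.get(groups_claim, [])
    return {
        "username": claims["cognito:username"],
        "groups": groups if isinstance(groups, list) else [groups],
        "realm.name": realm_name,
    }


def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Minimal evaluator for the role-mapping rule kinds used in the post: all / any / field."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    (field, expected), = rule["field"].items()  # a field rule compares user values, not claim names
    actual = user.get(field)
    actual_list = actual if isinstance(actual, list) else [actual]
    expected_list = expected if isinstance(expected, list) else [expected]
    return any(v in expected_list for v in actual_list)


# Constructed sample data, modelled on the claim names in the logged ID token.
ID_TOKEN = {"sub": "u-1", "cognito:groups": ["kibana-users"], "email_verified": True,
            "cognito:username": "jdoe", "email": "jdoe@example.com"}
COGNITO_USERINFO = {"email": "jdoe@example.com", "email_verified": "true"}  # string, not boolean


def mapping_applies(rule: Dict[str, Any], userinfo: Optional[Dict[str, Any]] = None) -> bool:
    """True when the mapping's rule would grant its roles to the sample user."""
    user = build_user(merge_claims(ID_TOKEN, userinfo), "cloud-oidc", "cognito:groups")
    return rule_matches(rule, user)
```

Evaluating the rule exactly as posted returns False, because a "groups" field rule is matched against the group values the realm extracted (here "kibana-users"), not against the claim name; a rule of {"field": {"groups": "kibana-users"}} matches.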