Getting 401 errors after accessing Kibana with OIDC

Hi team! We are running Elasticsearch on GKE, and we're working on integrating it with our organization's own IDaaS. We are using Anthos Service Mesh, and asm-user-auth to communicate with our internal OIDC provider.

After a lot of trial and error, when we open our Kibana URL, an authentication window for our IDaaS comes up, we enter our credentials, and we get redirected back to Kibana, where the loading screen shows. A few seconds later, we get an error message in the browser:

Authentication failed, please contact your system administrator.

We got that error before, but then we got clear error messages in our Kibana/Elastic workloads in GKE, which gave us something to work with.

Now, however, we see that 401 error only in the browser; there are no other logs showing that 401 error in the Cloud console, neither in the Elastic nor in the asm-user-auth workloads. So we're kind of stumped. Does this sound familiar to anyone? Are there any logs we can check or enable that would shed some light on the issue?

Here's our Elasticsearch OIDC config, very similar to what's in Elastic's documentation: https://www.elastic.co/guide/en/elasticsearch/reference/8.13/oidc-guide.html

elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        oidc:
          global:
            order: 0
            rp.client_id: "Our client id"
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email"]
            rp.redirect_uri: "KIBANA_ENDPOINT_URL/api/security/oidc/callback"
            op.issuer: "https://dev.****.**.com/am/oauth/global"
            op.authorization_endpoint: "https://dev.****.**.com/am/oauth/global/authorize"
            op.token_endpoint: "https://dev.****.**.com/am/oauth/global/access_token"
            op.userinfo_endpoint: "https://dev.****.**.com/am/oauth/global/user_info"
            op.endsession_endpoint: "https://dev.****.**.com/am/oauth/global/connect/endSession"
            # Fixed: the original line had doubled quotes ("" ... "") around the value, which is invalid YAML.
            # Note that the Elastic OIDC guide uses "${KIBANA_ENDPOINT_URL}/security/logged_out" as the logout page.
            rp.post_logout_redirect_uri: "KIBANA_ENDPOINT_URL/api/security/security/logged_out"
            op.jwkset_path: "https://dev.****.**.com/am/oauth/global/connect/jwk_uri"
            claims.principal: email

kibana.yml

xpack.security.authc.providers:
  oidc.global:
    order: 0
    realm: global
    description: "Log in with IDaaS"

We also performed role mapping as suggested in your documentation:

POST /_security/role_mapping/oidc_kibana
{
    "enabled": true,
    "roles": [ "superuser" ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "global"
          }
        }
      ]
    },
    "metadata": { "version": 1 }
}

Thanks in advance

Also getting this error today after following the instructions to get OIDC working with Microsoft Entra on our Elastic Cloud hosted setup. It's extremely frustrating not to be able to find any logs to get us through this.

We've enabled logging (the settings body below is sent via the cluster settings API; the original fragment was missing the request line and outer braces):

PUT /_cluster/settings
{
  "transient": {
    "logger": {
      "org": {
        "elasticsearch": {
          "xpack": {
            "security": {
              "authc": {
                "oidc": "trace"
              }
            }
          }
        }
      }
    }
  }
}

We've spotted the following:

User [ undefined ] is logging out using oidc provider [ name=global ]

Hi team, we've now found some seemingly relevant logs:

"State parameter 'state' could not be used: 'Decryption failed, no keys in the current key set could decrypt the payload"

We've looked but haven't found any specific configuration that could help with the decryption of the state parameter in Elasticsearch. Any ideas?