Hi team! We are running Elasticsearch on GKE, and we're working on integrating it with our organization's own IDaaS. We are using Anthos Service Mesh, and asm-user-auth to communicate with our internal OIDC provider.
After a lot of trial and error, when we open our Kibana URL, an authentication window for our IDaaS comes up, we enter our credentials, and we get redirected back to Kibana, where the loading screen shows. A few seconds later, we get an error message in the browser:
Authentication failed, please contact your system administrator.
We got that error before, but then we got clear error messages in our Kibana/Elasticsearch workloads in GKE, which gave us something to work with.
Now, however, we see that 401 error only in the browser; there are no other logs showing that 401 error in the Cloud console, neither in the Elasticsearch nor in the asm-user-auth workloads. So we're kind of stumped. Does this sound familiar to anyone? Are there any logs we can check or enable that would shed some light on the issue?
Here's our Elasticsearch OIDC config, very similar to what's in Elastic's documentation: https://www.elastic.co/guide/en/elasticsearch/reference/8.13/oidc-guide.html
elasticsearch.yml
```yaml
xpack:
  security:
    authc:
      realms:
        oidc:
          global:
            order: 0
            rp.client_id: "Our client id"
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email"]
            rp.redirect_uri: "KIBANA_ENDPOINT_URL/api/security/oidc/callback"
            op.issuer: "https://dev.****.**.com/am/oauth/global"
            op.authorization_endpoint: "https://dev.****.**.com/am/oauth/global/authorize"
            op.token_endpoint: "https://dev.****.**.com/am/oauth/global/access_token"
            op.userinfo_endpoint: "https://dev.****.**.com/am/oauth/global/user_info"
            op.endsession_endpoint: "https://dev.****.**.com/am/oauth/global/connect/endSession"
            # the linked guide uses KIBANA_ENDPOINT_URL/security/logged_out for this value
            rp.post_logout_redirect_uri: "KIBANA_ENDPOINT_URL/api/security/security/logged_out"
            op.jwkset_path: "https://dev.****.**.com/am/oauth/global/connect/jwk_uri"
            claims.principal: email
```
kibana.yml
```yaml
xpack.security.authc.providers:
  oidc.global:
    order: 0
    realm: global
    description: "Log in with IDaaS"
```
We also performed role mapping as suggested in your documentation:
```
POST /_security/role_mapping/oidc_kibana
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": {
    "all": [
      {
        "field": {
          "realm.name": "global"
        }
      }
    ]
  },
  "metadata": { "version": 1 }
}
```
Thanks in advance
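When the realm fails with only a generic "Authentication failed" in the browser, the usual causes are a realm setting that does not match what the OP advertises, or an ID token that lacks the claim named in `claims.principal`. The script below is an added example, not code from the original post or from Elastic: it runs the checks a defender would do by hand offline, against constructed sample data (placeholder hostnames, client id and a sample discovery document and ID token that are not the poster's). The checks mirror the realm settings shown above; the hypothetical `SAMPLE_*` values are the only inputs and can be replaced with real ones.

```python
"""Offline consistency checks for an Elasticsearch OIDC realm configuration (added example)."""
import base64
import json
from urllib.parse import urlparse

# Constructed sample of the realm settings, flattened to dotted keys.
# Hostnames and the client id are placeholders, not the poster's values.
SAMPLE_REALM = {
    "rp.client_id": "kibana-client-id",
    "rp.response_type": "code",
    "rp.requested_scopes": ["openid", "email"],
    "rp.redirect_uri": "https://kibana.example.test/api/security/oidc/callback",
    "rp.post_logout_redirect_uri": "https://kibana.example.test/security/logged_out",
    "op.issuer": "https://idp.example.test/am/oauth/global",
    "op.authorization_endpoint": "https://idp.example.test/am/oauth/global/authorize",
    "op.token_endpoint": "https://idp.example.test/am/oauth/global/access_token",
    "op.userinfo_endpoint": "https://idp.example.test/am/oauth/global/user_info",
    "op.jwkset_path": "https://idp.example.test/am/oauth/global/connect/jwk_uri",
    "claims.principal": "email",
}

# Constructed sample of GET {issuer}/.well-known/openid-configuration.
# It deliberately does NOT advertise the "email" scope.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/am/oauth/global",
    "authorization_endpoint": "https://idp.example.test/am/oauth/global/authorize",
    "token_endpoint": "https://idp.example.test/am/oauth/global/access_token",
    "userinfo_endpoint": "https://idp.example.test/am/oauth/global/user_info",
    "jwks_uri": "https://idp.example.test/am/oauth/global/connect/jwk_uri",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "scopes_supported": ["openid", "profile"],
}

# Realm op.* setting -> discovery-document field it must equal.
ENDPOINT_FIELDS = {
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.userinfo_endpoint": "userinfo_endpoint",
    "op.endsession_endpoint": "end_session_endpoint",
    "op.jwkset_path": "jwks_uri",
}


def check_realm_against_discovery(realm: dict, discovery: dict) -> list:
    """Return a list of findings; an empty list means the realm matches the OP."""
    findings = []
    # Issuer is compared byte-for-byte: a trailing-slash difference is a mismatch.
    if realm["op.issuer"] != discovery.get("issuer"):
        findings.append("issuer mismatch between op.issuer and discovery document")
    for realm_key, disc_key in ENDPOINT_FIELDS.items():
        if realm_key in realm and realm[realm_key] != discovery.get(disc_key):
            findings.append(f"{realm_key} differs from discovery {disc_key}")
    if realm["rp.response_type"] not in discovery.get("response_types_supported", []):
        findings.append(f"response_type {realm['rp.response_type']!r} not supported by OP")
    missing = [s for s in realm["rp.requested_scopes"]
               if s not in discovery.get("scopes_supported", [])]
    if missing:  # a scope the OP never grants means its claims never arrive
        findings.append(f"scopes not advertised by OP: {missing}")
    for key in ("rp.redirect_uri", "rp.post_logout_redirect_uri"):
        parts = urlparse(realm.get(key, ""))
        if parts.scheme != "https" or not parts.netloc:
            findings.append(f"{key} is not an absolute https URL")
    if not realm["rp.redirect_uri"].endswith("/api/security/oidc/callback"):
        findings.append("rp.redirect_uri does not end with /api/security/oidc/callback")
    return findings


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_id_token_claims(id_token: str, realm: dict) -> list:
    """Compare ID-token claims with the realm. Decodes WITHOUT verifying the
    signature: a diagnostic for claim mismatches, not a validator. Elasticsearch
    still performs the real signature, issuer, audience and expiry checks."""
    try:
        _header, payload, _signature = id_token.split(".")
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["id token is not a three-segment JWS compact serialization"]
    findings = []
    if claims.get("iss") != realm["op.issuer"]:
        findings.append("iss claim does not equal op.issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if realm["rp.client_id"] not in aud:
        findings.append("aud claim does not contain rp.client_id")
    principal = realm["claims.principal"]
    if not claims.get(principal):
        findings.append(f"principal claim {principal!r} missing or empty in ID token")
    return findings


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for exercising the checks."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


# Constructed claims: right issuer and audience, but no "email" claim, which is
# what an OP that does not grant the "email" scope would produce.
SAMPLE_CLAIMS_NO_EMAIL = {"iss": SAMPLE_REALM["op.issuer"], "aud": "kibana-client-id",
                          "sub": "user-123", "exp": 4102444800}

if __name__ == "__main__":
    print(check_realm_against_discovery(SAMPLE_REALM, SAMPLE_DISCOVERY))
    print(check_id_token_claims(make_sample_id_token(SAMPLE_CLAIMS_NO_EMAIL), SAMPLE_REALM))
```

With the sample data the realm check reports that `email` is not an advertised scope, and the token check reports that the `email` principal claim is absent, which is exactly the kind of mismatch that surfaces in Kibana only as "Authentication failed". To see the realm's own reasoning, raise the Elasticsearch logger for the OIDC realm (`org.elasticsearch.xpack.security.authc.oidc`) to DEBUG and read the Elasticsearch pod logs while reproducing the login; the realm logs the token validation and claim mapping steps there rather than in Kibana or the mesh sidecar.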