Getting 403 forbidden error on User authentication with OpenID connect

I am trying to authenticate kibana users using OpenID connect and I am getting 403 forbidden error.
Please find below the realm configuration:

xpack.security.authc.realms.oidc.cloud-oidc:
  order: 0
  rp.client_id: ""
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/v1/oidc"
  op.issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_bBxqRAHER"
  op.authorization_endpoint: "https://chatbot-users.auth.us-east-1.amazoncognito.com/oauth2/authorize"
  op.token_endpoint: "https://chatbot-users.auth.us-east-1.amazoncognito.com/oauth2/token"
  op.jwkset_path: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_bBxqRAHER/.well-known/jwks.json
  # op.userinfo_endpoint: "https://chatbot-users.auth.us-east-1.amazoncognito.com/oauth2/userInfo"
  op.endsession_endpoint: "https://chatbot-users.auth.us-east-1.amazoncognito.com/logout"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: sub
  claims.groups: "cognito:groups"

Elasticsearch logs:
OpenID Connect Provider redirected user to [/api/security/v1/oidc?code=]
[2020-02-06T13:57:06,502][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received Token Response from OP with status [200] and content [{"id_token":"","expires_in":3600,"token_type":"Bearer"}]
[2020-02-06T13:57:06,526][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Successfully exchanged code for ID Token: [com.nimbusds.jwt.SignedJWT@15333bdc] and Access Token []
[2020-02-06T13:57:06,560][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received and validated the Id Token for the user: [{"at_hash":"SOt6DfjuG3jjIBf00BSRig","sub":"","cognito:groups":["kibana-users"],"email_verified":true,"iss":"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_bBxqRAHER","cognito:username":"piyush.a.kashyap","nonce":"","cognito:roles":["arn:aws:iam:::role/cognito_authenticated"],"aud":"","token_use":"id","auth_time":1580977626,"exp":1580981226,"iat":1580977626,"email":"piyush.a.kashyap@organization.com"}]
[2020-02-06T13:57:06,561][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] OP returned an access token but the UserInfo endpoint is not configured.

Role mapping:

curl --user elastic:123456 -X PUT "localhost:9200/_security/role_mapping/cloud-oidc?pretty" -H 'Content-Type: application/json' -d'
{
  "roles": [ "kibana_dashboard_only_user" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "cloud-oidc" } },
    { "field": { "groups": "cognito:groups" } }
  ] }
}
'

Please let me know if there is any issue in the configuration...

Tells Elasticsearch to map the values of the claim with name cognito:groups to the groups property of the Elasticsearch user.
By that effect, your authenticating user has a groups user property that has the value kibana-users, as this is the value of the cognito:groups claim.

Role mappings now work with user properties, so you need a rule that says that whoever has a value kibana-users in their groups user property should get the roles.

In summary, you need to change

{ "field": { "groups": "cognito:groups" } }

to

{ "field": { "groups": "kibana-users" } }
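As an added illustration of the point above (not code from the thread or from Elasticsearch itself), a small Python evaluator for role-mapping rules, deliberately simplified from the real matcher, run over the user properties that the realm's claims settings produce from the ID token shown in the log. The username is a placeholder, since the sub claim is redacted in the post; both the rule from the question and the corrected one are evaluated against the same user.

```python
"""Minimal evaluator for Elasticsearch role-mapping rules (all/any/field/except).

Simplified model for illustration only: the real matcher supports more rule
types and field semantics; wildcards are approximated with fnmatch here.
"""
from fnmatch import fnmatchcase

# Constructed from the claims in the TRACE log above, mapped through
# claims.principal=sub and claims.groups=cognito:groups. The sub value is
# redacted in the post, so the username is a placeholder.
AUTHENTICATED_USER = {
    "username": "<sub-claim>",
    "realm.name": "cloud-oidc",
    "groups": ["kibana-users"],
}

# The rule posted in the question: it compares the groups property to the
# literal string "cognito:groups", i.e. the claim's name rather than its value.
WRONG_RULES = {"all": [
    {"field": {"realm.name": "cloud-oidc"}},
    {"field": {"groups": "cognito:groups"}},
]}

# The rule from the answer: it compares against the claim's value.
FIXED_RULES = {"all": [
    {"field": {"realm.name": "cloud-oidc"}},
    {"field": {"groups": "kibana-users"}},
]}

def _field_matches(user, field, expected):
    """A field rule matches if any user value equals (or globs) any expected value."""
    actual = user.get(field)
    actual_values = actual if isinstance(actual, list) else [actual]
    expected_values = expected if isinstance(expected, list) else [expected]
    return any(a is not None and fnmatchcase(str(a), str(e))
               for a in actual_values for e in expected_values)

def rule_matches(rule, user):
    """Return True if the role-mapping rule would grant its roles to user."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        return all(_field_matches(user, f, v) for f, v in rule["field"].items())
    raise ValueError(f"unknown rule type: {list(rule)}")
```

Running it shows why the original mapping produced a user with no roles: the wrong rule never matches, so Kibana has nothing to authorize and answers 403.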

Thanks ikakavas, it worked :slight_smile:
