Getting 403 forbidden error on User authentication with OpenID connect

I am trying to authenticate kibana users using OpenID connect and I am getting 403 forbidden error.
Please find below the realm configuration :-
order: 0
rp.client_id: ""
rp.response_type: code
rp.redirect_uri: "https://localhost:5601/api/security/v1/oidc"
op.issuer: ""
op.authorization_endpoint: ""
op.token_endpoint: ""
// op.userinfo_endpoint: ""
op.endsession_endpoint: ""
rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
claims.principal: sub
claims.groups: "cognito:groups"

Elasticsearch logs:-
OpenID Connect Provider redirected user to [/api/security/v1/oidc?code=]
[2020-02-06T13:57:06,502][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received Token Response from OP with status [200] and content [{"id_token":"","expires_in":3600,"token_type":"Bearer"}]
[2020-02-06T13:57:06,526][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Successfully exchanged code for ID Token: [com.nimbusds.jwt.SignedJWT@15333bdc] and Access Token []
[2020-02-06T13:57:06,560][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] Received and validated the Id Token for the user: [{"at_hash":"SOt6DfjuG3jjIBf00BSRig","sub":"","cognito:groups":["kibana-users"],"email_verified":true,"iss":"","cognito:username":"piyush.a.kashyap","nonce":"","cognito:roles":["arn:aws:iam:::role/cognito_authenticated"],"aud":"","token_use":"id","auth_time":1580977626,"exp":1580981226,"iat":1580977626,"email":""}]
[2020-02-06T13:57:06,561][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node-1] OP returned an access token but the UserInfo endpoint is not configured.

Role mapping:-
curl --user elastic:123456 -X PUT "localhost:9200/_security/role_mapping/cloud-oidc?pretty" -H 'Content-Type: application/json' -d'
"roles": [ "kibana_dashboard_only_user" ],
"enabled": true,
"rules": { "all": [
{ "field": { "": "cloud-oidc" } },
{ "field": { "groups": "cognito:groups" } }
] }

Please let me know if there is any issue in the configuration...

Tells elasticsearch to map the values of the claim with name cognito:groups to the groups property of the elasticsearch user.
By that effect , your authenticating user has a groups user property that has the value kibana-users , as this is the value of the cognito:groups claim.

Role mappings now, work with user properties, so you need a rule that says that whoever has a value kibana-users in their groups user property, should get the roles.

In summary, you need to change

{ "field": { "groups": "cognito:groups" } }


{ "field": { "groups": "kibana-users" } }

Thanks ikakavas, It worked :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.