Keycloak authentication failure

kibana :

elasticsearch exception:[Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token)]

docker-compose.yml :

version: '3.8'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
    container_name: elasticsearch
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
      - ./elastconf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastconf/jwkset.json:/usr/share/elasticsearch/config/jwkset.json:ro
    ports:
      - 9200:9200
    networks:
      - elk
    environment:
      - discovery.type=single-node
   

  kibana:
    depends_on:
      - elasticsearch
    image: docker.elastic.co/kibana/kibana:8.12.0
    container_name: kibana
    volumes:
      - kibana-data:/usr/share/kibana/data
      - ./elastconf/kibana.yml:/usr/share/kibana/config/kibana.yml
      - ./elastconf/ca/ca.crt:/usr/share/kibana/ca/ca.crt
      - ./elastconf/ca/ca.key:/usr/share/kibana/ca/ca.key
    ports:
      - 5601:5601
    networks:
      - elk
   
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200

  postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    networks: 
      - elk

  keycloak:
    image: quay.io/keycloak/keycloak
    container_name: keycloak_ui
    volumes:
      - keycloak-data:/opt/jboss/keycloak/standalone/data
      - keycloak-themes:/opt/keycloak/themes
      - ./kyconf/certs:/opt/keycloak/tls/certs
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - DB_VENDOR=POSTGRES
      - DB_ADDR=postgres
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_SCHEMA=public
      - DB_PASSWORD=password
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=Pa55w0rd
      - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/tls/certs/localhostcert.pem
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/tls/certs/localhostkey.pem
      
    ports:
      - 8045:8080
      - 8845:8443
    depends_on:
      - postgres
    networks: 
      - elk
    command: start-dev

volumes:
  elasticsearch-data:
    driver: local
  kibana-data:
    driver: local
  keycloak-data:
    driver: local
  keycloak-themes:
    driver: local
  postgres_data:
    driver: local

networks:
  elk:
    driver: bridge

elasticsearch.yml:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

xpack.security.enabled: true

xpack.security.authc.token.enabled: true
xpack.security.audit.enabled: false

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://keycloak:8080/realms/oidc1"
  op.authorization_endpoint: "https://localhost:8845/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://keycloak:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkset.json"
  op.userinfo_endpoint: "http://localhost:8045/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8045/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https:/localhost:5601/logged_out"
  claims.principal: name
  ssl.verification_mode: none

tcpdump capture shows that there isn't any network issue between the containers
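Added diagnostic, not part of the thread or of any Elastic or Keycloak code: the Elasticsearch OIDC realm rejects an ID token whose iss claim differs from op.issuer, whose aud does not contain rp.client_id, or whose signing kid is absent from the op.jwkset_path key set. This script decodes a token's header and claims (signature not verified) and reports which of those checks would fail against the realm settings from the elasticsearch.yml above. The sample token and JWK kid are constructed; it assumes Keycloak derives iss from the URL the browser used, which with this compose file is https://localhost:8845 rather than http://keycloak:8080.

```python
import base64
import json
import time

# Realm values copied from the elasticsearch.yml above; the JWKSET kid is constructed.
REALM = {"rp.client_id": "kibana", "op.issuer": "http://keycloak:8080/realms/oidc1"}
JWKSET = {"keys": [{"kid": "kc-key-1", "kty": "RSA", "alg": "RS256"}]}


def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_part(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def check_id_token(token, realm=REALM, jwkset=JWKSET, now=None):
    """Return the reasons an OIDC realm with these settings would reject the token.
    Empty list = claims look consistent. The signature is not verified here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header, claims = decode_part(parts[0]), decode_part(parts[1])
    problems = []
    if header.get("kid") not in {k["kid"] for k in jwkset["keys"]}:
        problems.append(f"kid {header.get('kid')!r} not in op.jwkset_path keys")
    if claims.get("iss") != realm["op.issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != op.issuer {realm['op.issuer']!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if realm["rp.client_id"] not in aud:
        problems.append(f"aud {aud!r} does not contain rp.client_id {realm['rp.client_id']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


# Constructed ID token with a placeholder signature: what Keycloak mints when the
# browser reached it through https://localhost:8845 instead of http://keycloak:8080.
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "kid": "kc-key-1"}),
    b64url_json({"iss": "https://localhost:8845/realms/oidc1", "aud": "kibana",
                 "exp": 4102444800, "name": "demo"}),
    "sig",
])

if __name__ == "__main__":
    print(check_id_token(SAMPLE_TOKEN))
```

Paste a real ID token from the Keycloak token endpoint in place of SAMPLE_TOKEN to see which claim the realm would trip on; an iss mismatch is exactly what the "Failed to parse or validate the ID Token" message hides.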

Hello,

You need to share the Elasticsearch logs; check your logs and share the error lines, you will have more lines about this issue.

Also, do you have a license for your Elasticsearch cluster, or is it using the trial license?

Hello,
I am using a trial license for demo purposes, and concerning the logs, this is the only thing I get related to the issue:

{"@timestamp":"2024-02-22T14:39:09.841Z", "log.level": "WARN", "message":"Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token)", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"I/O dispatcher 1","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","trace.id":"ea2cc15e82a79c4398af7043ae54ce39","elasticsearch.cluster.uuid":"cevFnnGERwiWYw4CSvwP-w","elasticsearch.node.id":"eWIRnAOhSLS06tCfQKWS6g","elasticsearch.node.name":"c2d5c69c6c62","elasticsearch.cluster.name":"docker-cluster"}

Hi @bouzir22, see if this helps you with anything:

https://discuss.elastic.co/t/not-able-to-sign-in-using-keycloak-in-kibana/318435

Hello @wsouza, it did not help, unfortunately.

Hi @bouzir22, taking a look at your issue, it may be better posted in Elastic Stack, specifically elastic-stack-security, because they handle our authentication flows. Thanks!

ty @Michael_Olorunnisola, done.
