Keycloak authentifaction failure

kibana :

image743×519 18.2 KB

elasticsearch exception:[Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token)]

docker-compose.yml :

kibana :

image743×519 18.2 KB

elasticsearch exception:[Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token)]

version: '3.8'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
    container_name: elasticsearch
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
      - ./elastconf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastconf/jwkset.json:/usr/share/elasticsearch/config/jwkset.json:ro
    ports:
      - 9200:9200
    networks:
      - elk
    environment:
      - discovery.type=single-node
   

  kibana:
    depends_on:
      - elasticsearch
    image: docker.elastic.co/kibana/kibana:8.12.0
    container_name: kibana
    volumes:
      - kibana-data:/usr/share/kibana/data
      - ./elastconf/kibana.yml:/usr/share/kibana/config/kibana.yml
      - ./elastconf/ca/ca.crt:/usr/share/kibana/ca/ca.crt
      - ./elastconf/ca/ca.key:/usr/share/kibana/ca/ca.key
    ports:
      - 5601:5601
    networks:
      - elk
   
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200

  postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    networks: 
      - elk

  keycloak:
    image: quay.io/keycloak/keycloak
    container_name: keycloak_ui
    volumes:
      - keycloak-data:/opt/jboss/keycloak/standalone/data
      - keycloak-themes:/opt/keycloak/themes
      - ./kyconf/certs:/opt/keycloak/tls/certs
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - DB_VENDOR=POSTGRES
      - DB_ADDR=postgres
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_SCHEMA=public
      - DB_PASSWORD=password
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=Pa55w0rd
      - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/tls/certs/localhostcert.pem
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/tls/certs/localhostkey.pem
      
    ports:
      - 8045:8080
      - 8845:8443
    depends_on:
      - postgres
    networks: 
      - elk
    command: start-dev

volumes:
  elasticsearch-data:
    driver: local
  kibana-data:
    driver: local
  keycloak-data:
    driver: local
  keycloak-themes:
    driver: local
  postgres_data:
    driver: local

networks:
  elk:
    driver: bridge

elasticsearch.yml:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

xpack.security.enabled: true

xpack.security.authc.token.enabled: true
xpack.security.audit.enabled: false

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://keycloak:8080/realms/oidc1"
  op.authorization_endpoint: "https://localhost:8845/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://keycloak:8080/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkset.json"
  op.userinfo_endpoint: "http://localhost:8045/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://localhost:8045/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https:/localhost:5601/logged_out"
  claims.principal: name
  ssl.verification_mode: none

tcpdump capture shows that there is any network issue between the containers

Hello,

You need to share the Elasticsearch logs, check your logs and share the error lines, you will have more lines about this issue.

Also, do you have a license for your Elasticsearch cluster or is using the trial license?

Hello,
am using a trial license for a demo purpose and concerning the logs this is what i only get related to the issue

{"@timestamp":"2024-02-22T14:39:09.841Z", "log.level": "WARN", "message":"Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to parse or validate the ID Token)", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"I/O dispatcher 1","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","trace.id":"ea2cc15e82a79c4398af7043ae54ce39","elasticsearch.cluster.uuid":"cevFnnGERwiWYw4CSvwP-w","elasticsearch.node.id":"eWIRnAOhSLS06tCfQKWS6g","elasticsearch.node.name":"c2d5c69c6c62","elasticsearch.cluster.name":"docker-cluster"}

Hi @bouziSee if this helps you with anything:

https://discuss.elastic.co/t/not-able-to-sign-in-using-keycloak-in-kibana/318435r22 !

hello @wsouza , it did not help unfortunately

Hi @bouzir22 taking a look at your issue, it may be better post for Elastic Stack. Specifically elastic-stack-security because they handle our authentication flows. Thanks!

ty @Michael_Olorunnisola , done ..

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.