Keycloak Elasticsearch/Kibana Configuration

pkward · March 14, 2022, 1:29pm

Hi,

I'm having trouble configuring Kibana and Keycloak to use SSO. I am getting an error like the one below:

Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.

pkward · March 14, 2022, 1:31pm

My 'Elasticsearch.yml' configuration is:

xpack.security.authc.realms.oidc.oidc1:
  order: 1
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://kibana-url:5601/api/security/oidc/callback"
  op.issuer: "https://keycloak-url:8443/auth/realms/kibana"
  op.authorization_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/auth"
  op.token_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token"
  op.jwkset_path: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/certs"
  op.userinfo_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://kibana-url:5601/logged_out"
  claims.principal: preferred_username
  ssl.verification_mode: none

ikakavas · March 14, 2022, 1:36pm

Can you share the relevant part of the logs from elasticsearch.log too ? There will be much more information there around why this fails

pkward · March 14, 2022, 1:39pm

Yes, here it is.

[2022-03-14T13:25:59,692][WARN ][o.e.x.s.a.RealmsAuthenticator] [master] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: ConnectException[Timeout connecting to [/keycloak-url:8443]];)

ikakavas · March 14, 2022, 1:41pm

Elasticsearch tries to communicate with https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token and it times out. Are you sure that keycloak is running and functional and accessible in the URL that you configure there ? ( I assume that keycloack-url is an obfuscation of the actual URL )

pkward · March 14, 2022, 1:44pm

Yes, Keycloak is running but when I try to connect to the token URI from my web browser I get an internal server error. Correct, the IP is obfuscated.

ikakavas · March 14, 2022, 3:41pm

Then it seems to be a problem with keycloak and not the Elastic Stack. Maybe there is a relevant forum or support portal where you can get better assistance with fixing keycloak ? Not sure if we can offer much assistance here unfortunately

pkward · March 14, 2022, 3:44pm

Does Kibana have to be encrypted at the application layer https?

ikakavas · March 16, 2022, 7:42am

No, this is not necessary, but this is not what the problem you are facing at the moment as far as I can tell.

system · April 13, 2022, 7:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.