Keycloak Elasticsearch/Kibana Configuration

pkward · March 14, 2022, 1:29pm

Hi,

I'm having trouble configuring Kibana and Keycloak to use SSO. I am getting an error like the one below:

Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.

pkward · March 14, 2022, 1:31pm

My 'Elasticsearch.yml' configuration is:

xpack.security.authc.realms.oidc.oidc1:
  order: 1
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://kibana-url:5601/api/security/oidc/callback"
  op.issuer: "https://keycloak-url:8443/auth/realms/kibana"
  op.authorization_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/auth"
  op.token_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token"
  op.jwkset_path: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/certs"
  op.userinfo_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://kibana-url:5601/logged_out"
  claims.principal: preferred_username
  ssl.verification_mode: none

ikakavas · March 14, 2022, 1:36pm

Can you share the relevant part of the logs from elasticsearch.log too ? There will be much more information there around why this fails

pkward · March 14, 2022, 1:39pm

Yes, here it is.

[2022-03-14T13:25:59,692][WARN ][o.e.x.s.a.RealmsAuthenticator] [master] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: ConnectException[Timeout connecting to [/keycloak-url:8443]];)

ikakavas · March 14, 2022, 1:41pm

Elasticsearch tries to communicate with https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token and it times out. Are you sure that keycloak is running and functional and accessible in the URL that you configure there ? ( I assume that keycloack-url is an obfuscation of the actual URL )

pkward · March 14, 2022, 1:44pm

Yes, Keycloak is running but when I try to connect to the token URI from my web browser I get an internal server error. Correct, the IP is obfuscated.

ikakavas · March 14, 2022, 3:41pm

Then it seems to be a problem with keycloak and not the Elastic Stack. Maybe there is a relevant forum or support portal where you can get better assistance with fixing keycloak ? Not sure if we can offer much assistance here unfortunately

pkward · March 14, 2022, 3:44pm

Does Kibana have to be encrypted at the application layer https?

ikakavas · March 16, 2022, 7:42am

No, this is not necessary, but this is not what the problem you are facing at the moment as far as I can tell.

system · April 13, 2022, 7:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not able to sign in using Keycloak in Kibana Kibana elastic-stack-security	10	1994	December 7, 2022
Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect Kibana elastic-stack-security , docker	2	912	July 13, 2023
Using OIDC authenticated browser session to query Elasticsearch API Elasticsearch	1	952	March 26, 2020
Keycloak authentifaction failure Elasticsearch elastic-stack-security	7	224	March 21, 2024
Trouble getting OpenID Connect set up using Keycloak -- receiving error message Kibana elastic-stack-security , docker	2	268	May 2, 2024

Keycloak Elasticsearch/Kibana Configuration

Related topics