Keycloak Elasticsearch/Kibana Configuration

Hi,

I'm having trouble configuring Kibana and Keycloak to use SSO. I am getting an error like the one below:

Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.

My 'elasticsearch.yml' configuration is:

xpack.security.authc.realms.oidc.oidc1:
  order: 1
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://kibana-url:5601/api/security/oidc/callback"
  op.issuer: "https://keycloak-url:8443/auth/realms/kibana"
  op.authorization_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/auth"
  op.token_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token"
  op.jwkset_path: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/certs"
  op.userinfo_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://kibana-url:5601/logged_out"
  claims.principal: preferred_username
  ssl.verification_mode: none

Can you share the relevant part of the logs from elasticsearch.log too? There will be much more information there about why this fails.

Yes, here it is.

[2022-03-14T13:25:59,692][WARN ][o.e.x.s.a.RealmsAuthenticator] [master] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: ConnectException[Timeout connecting to [/keycloak-url:8443]];)

Elasticsearch tries to communicate with https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token and it times out. Are you sure that Keycloak is running, functional and accessible at the URL that you configured there? (I assume that keycloak-url is an obfuscation of the actual URL.)

Yes, Keycloak is running but when I try to connect to the token URI from my web browser I get an internal server error. Correct, the IP is obfuscated.

Then it seems to be a problem with Keycloak and not the Elastic Stack. Maybe there is a relevant forum or support portal where you can get better assistance with fixing Keycloak? Not sure if we can offer much assistance here, unfortunately.

Does Kibana have to be encrypted at the application layer (HTTPS)?

No, this is not necessary, but this is not the problem you are facing at the moment, as far as I can tell.
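An added troubleshooting helper (my own code, not from the thread or from Elasticsearch) for the two points above: it lints the posted realm settings offline (endpoint hosts vs. op.issuer, the ssl.verification_mode: none setting, the http redirect URI) and probes the endpoints the Elasticsearch node itself must reach; the hostnames are the placeholders used in the thread.

```python
import socket
from urllib.parse import urlparse

# Constructed sample mirroring the realm posted in the thread (hostnames are placeholders).
SAMPLE_REALM = {
    "op.issuer": "https://keycloak-url:8443/auth/realms/kibana",
    "op.token_endpoint": "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/token",
    "op.jwkset_path": "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/certs",
    "op.userinfo_endpoint": "https://keycloak-url:8443/auth/realms/kibana/protocol/openid-connect/userinfo",
    "rp.redirect_uri": "http://kibana-url:5601/api/security/oidc/callback",
    "ssl.verification_mode": "none",
}

# Endpoints the Elasticsearch node itself calls (the browser, not the cluster, talks to the
# authorization endpoint), so these are the ones that must be reachable from every node.
SERVER_SIDE = ("op.token_endpoint", "op.jwkset_path", "op.userinfo_endpoint")


def lint_realm(realm):
    """Offline checks on a realm config (setting -> value); returns a list of findings."""
    findings = []
    issuer = urlparse(realm["op.issuer"])
    for key in SERVER_SIDE:
        u = urlparse(realm[key])
        if (u.scheme, u.netloc) != (issuer.scheme, issuer.netloc):
            findings.append(f"{key} points at {u.netloc}, not the op.issuer host {issuer.netloc}")
    if realm.get("ssl.verification_mode", "full") == "none":
        findings.append("ssl.verification_mode none: the OP's TLS certificate is never verified")
    if urlparse(realm["rp.redirect_uri"]).scheme != "https":
        findings.append("rp.redirect_uri uses http: the authorization code reaches Kibana in clear text")
    return findings


def probe(url, timeout=3.0):
    """TCP-connect to the URL's host:port as the realm would; 'ok', 'timeout', 'refused' or 'dns'."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    try:
        with socket.create_connection((u.hostname, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns"
```

Run lint_realm(SAMPLE_REALM) and probe(...) for each SERVER_SIDE endpoint from the Elasticsearch node itself, not from a workstation; a 'timeout' result reproduces the ConnectException seen in the log, while a clean probe points at the Keycloak side (such as the internal server error the token URI returned in the browser).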
