Hi,
We configured Elastic Cloud on Kubernetes (version 1.1.2) on our own bare-metal Kubernetes stack.
We set up Elasticsearch (version 7.8.0) with an OpenID Connect "oidc" realm with DEX as provider. We called the realm "dex":
[...]
security:
  authc:
    token.enabled: true
    realms:
      oidc:
        dex:
          order: 0
          op:
            issuer: "https://dex.test/dex"
            authorization_endpoint: "https://dex.test/dex/auth"
            token_endpoint: "https://dex.test/dex/token"
            jwkset_path: "https://dex.test/dex/keys"
            userinfo_endpoint: "https://dex.test/dex/userinfo"
          rp:
            # The "rp.client_secret" is injected into the keystore from a secret.
            client_id: "kibana"
            redirect_uri: "https://ip removed:443/api/security/v1/oidc/callback"
            response_type: code
            signature_algorithm: RS256
            requested_scopes:
              - groups
              - openid
              - profile
              - email
              - federated:id
          claims:
            principal: name
            groups: groups
            mail: email
To make Kibana (version 7.8.0) use this OpenID Connect realm we added to the Kibana config:
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "dex"
  # Basic access is required e.g. to utilize the Kibana API for automated shard allocation with the elastic user.
  basic.basic1:
    order: 1
We experience the following issue:
- Kibana correctly shows the login selections: "Login with oidc/oidc1" and "Login with Elasticsearch" as expected
- Choosing "Log in with oidc/oidc1" redirects to our oidc provider. Completing the login there results in being redirected to Kibana as expected.
- But: Kibana then redirects again to the oidc provider instead of considering the succeeded auth and forwarding to the Kibana GUI.
We received the following logs from Kibana:
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Elasticsearch access token is not found in state."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Trying to initiate OpenID Connect authentication."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Redirecting to OpenID Connect Provider with authentication request."}
{"type":"response","@timestamp":"2020-07-17T15:06:28Z","tags":[],"pid":6,"method":"get","statusCode":302,"req":{"url":"/api/security/v1/oidc/callback?code=sdnjxcqizxl73ffik46vmsvvu&state=gtXhZLWuN1p_Dljz9VZSGVCfBiu61MzTuMYkxdSsKrQ","method":"get","headers":{"host":"ip removed","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://dex.test/","dnt":"1","connection":"keep-alive","upgrade-insecure-requests":"1"},"remoteAddress":"ip removed","userAgent":"ip removed","referer":"https://dex.test"},"res":{"statusCode":302,"responseTime":11,"contentLength":9},"message":"GET /api/security/v1/oidc/callback?code=sdnjxcqizxl73ff3k46vmsvvu&state=gtXhZLWuN1p_Dljz9VZSGVCfBiu61MzTuMYkxdSsKrQ 302 11ms - 9.0B"}
In the Elasticsearch log there is literally nothing(!) regarding this oidc login. Even with debug/trace logging enabled there is no interaction between Kibana and Elasticsearch while the login happens.
We expect Elasticsearch to issue an Access Token or something.
Any idea how to let Kibana/Elasticsearch consider the succeeded OpenID Connect auth and stop forwarding to the oidc provider again and again?
Help is really appreciated!
Thanks,
Tobias
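As an added example that is not part of Tobias's post, the following Python checker scans Kibana JSON log lines for the loop signature shown above: a 302 on the OIDC callback path that arrives with `code` and `state`, while the `oidc` provider logs "Elasticsearch access token is not found in state" and immediately re-initiates the authentication request. The sample lines are constructed from the quoted output with placeholder code/state values; the five-second correlation window is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample modelled on the Kibana 7.8 debug lines quoted in the post;
# CODE_PLACEHOLDER / STATE_PLACEHOLDER stand in for the redacted real values.
SAMPLE_LOG = """
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Elasticsearch access token is not found in state."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Trying to initiate OpenID Connect authentication."}
{"type":"log","@timestamp":"2020-07-17T15:06:28Z","tags":["debug","plugins","security","oidc","oidc1"],"pid":6,"message":"Redirecting to OpenID Connect Provider with authentication request."}
{"type":"response","@timestamp":"2020-07-17T15:06:28Z","tags":[],"pid":6,"method":"get","statusCode":302,"req":{"url":"/api/security/v1/oidc/callback?code=CODE_PLACEHOLDER&state=STATE_PLACEHOLDER","method":"get"},"res":{"statusCode":302},"message":"GET /api/security/v1/oidc/callback 302 11ms - 9.0B"}
{"type":"response","@timestamp":"2020-07-17T15:07:02Z","tags":[],"pid":6,"method":"get","statusCode":200,"req":{"url":"/app/kibana","method":"get"},"res":{"statusCode":200},"message":"GET /app/kibana 200 40ms"}
"""

CALLBACK_PATH = "/api/security/v1/oidc/callback"
# Both messages next to a 302 on the callback mean Kibana dropped the returned
# code and started a fresh authentication request instead of finishing login.
LOOP_MARKERS = {
    "Elasticsearch access token is not found in state.",
    "Redirecting to OpenID Connect Provider with authentication request.",
}

def parse_kibana_log(text):
    """Parse one JSON object per line; blank or non-JSON lines are skipped."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return events

def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))

def find_callback_loops(events, window_seconds=5):
    """Timestamps of OIDC callbacks (code+state present) answered with a 302
    while both LOOP_MARKERS were logged by the oidc provider within the window."""
    window = timedelta(seconds=window_seconds)
    loops = []
    for ev in events:
        if ev.get("type") != "response" or ev.get("statusCode") != 302:
            continue
        url = ev.get("req", {}).get("url", "")
        if not url.startswith(CALLBACK_PATH) or "code=" not in url or "state=" not in url:
            continue
        nearby = {e["message"] for e in events
                  if e.get("type") == "log" and "oidc" in e.get("tags", [])
                  and abs(_ts(e) - _ts(ev)) <= window}
        if LOOP_MARKERS <= nearby:
            loops.append(ev["@timestamp"])
    return loops
```

Run it over a Kibana log with `logging.verbose` enabled; a non-empty result pinpoints each callback that was bounced straight back to the provider.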