I have enabled Kibana login from WSO2 API Manager.
Below I have provided the Elastic configuration file.
I am following these instructions to configure WSO2 and Kibana: Log in to Elastic Stack with WSO2 Identity Server with OAuth2/OIDC | by Shan Chathusanda Jayathilaka | Medium
But when I log in to Kibana the first time I get an unauthenticated error; when I try to log in a second time in the same session, that login is successful.
Not sure what is happening the first time.
I have provided the logs below. Please help.
Elastic version - 8.6.1
HAR file when the user is unauthenticated in the browser -
Elastic logs -
```text
[2023-10-13T05:10:06.822-05:00][INFO ][plugins.security.routes] Logging in with provider "oidc1" (oidc)
[2023-10-13T05:10:17,633][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=71e827b7-5c1f-35fa-b06e-35e27d869d1c&session_state=dfd4eac40cc59c7e5adacac04d12661520a0359ae7033c48bf33f9fbb34a7cc0.3EfOSKqASdmw-a2VOGnK4Q&state=mVIJmoqJWPu0I6tAj1Rul6D7KYjhNWZhNAiQQY61F7A]. Expected Nonce is [n7pvW46f0ddMsrIeeyIg4r6XgMvWQoq-cNCiF6NRc20] and expected State is [mVIJmoqJWPu0I6tAj1Rul6D7KYjhNWZhNAiQQY61F7A]
[2023-10-13T05:10:17,633][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=71e827b7-5c1f-35fa-b06e-35e27d869d1c&session_state=dfd4eac40cc59c7e5adacac04d12661520a0359ae7033c48bf33f9fbb34a7cc0.3EfOSKqASdmw-a2VOGnK4Q&state=mVIJmoqJWPu0I6tAj1Rul6D7KYjhNWZhNAiQQY61F7A]. Expected Nonce is [n7pvW46f0ddMsrIeeyIg4r6XgMvWQoq-cNCiF6NRc20] and expected State is [mVIJmoqJWPu0I6tAj1Rul6D7KYjhNWZhNAiQQY61F7A]
[2023-10-13T05:10:18,644][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] effective HTTP connection keep-alive: [60000]ms
[2023-10-13T05:10:18,644][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] effective HTTP connection keep-alive: [60000]ms
[2023-10-13T05:10:18,645][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] Successfully exchanged code for ID Token [com.nimbusds.jwt.SignedJWT@4bcaaeaa] and Access Token [9023]
[2023-10-13T05:10:18,645][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] Successfully exchanged code for ID Token [com.nimbusds.jwt.SignedJWT@4bcaaeaa] and Access Token [9023]
[2023-10-13T05:10:18,645][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] ID Token Header: {"x5t":"YmVlMjY0ZTExNWIwOWYyZDA0MzMyY2Q4NjY1NWYwOTBlM2E4NmJhNjNhMTlmMmZkN2Q1NTVlOGNkYWYwYTBlMQ","kid":"YmVlMjY0ZTExNWIwOWYyZDA0MzMyY2Q4NjY1NWYwOTBlM2E4NmJhNjNhMTlmMmZkN2Q1NTVlOGNkYWYwYTBlMQ_RS256","alg":"RS256"}
[2023-10-13T05:10:18,645][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] ID Token Header: {"x5t":"YmVlMjY0ZTExNWIwOWYyZDA0MzMyY2Q4NjY1NWYwOTBlM2E4NmJhNjNhMTlmMmZkN2Q1NTVlOGNkYWYwYTBlMQ","kid":"YmVlMjY0ZTExNWIwOWYyZDA0MzMyY2Q4NjY1NWYwOTBlM2E4NmJhNjNhMTlmMmZkN2Q1NTVlOGNkYWYwYTBlMQ_RS256","alg":"RS256"}
[2023-10-13T05:10:18,647][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] Received and validated the Id Token for the user: [{"at_hash":"oBG44NeB9WZC9jgyRC5axw","sub":"abc","amr":["BasicAuthenticator"],"iss":"https://m/oauth2/token","groups":["Internal],"given_name":["."," abc"],"nonce":"n7pvW46f0dn7pvW46f0dddMdsrIeeyIg4r6XgMvWQoqddMdsrIeeyIg4r6XgMvWQoq-cNCiF6NRc20","aud":"a3xWdduyoswA8rQsjbmghsz6LJyfoa","c_hash":"tKEd3-o6dqzNqx9P5LPTweww","nbf":1697191817,"azp":"a3xWuyoswA8rQsjbmghsz6LJyfoa","exp":1697195417,"iat":1697191817,"email":"abc.com"}]
[2023-10-13T05:10:18,647][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] Received and validated the Id Token for the user: [{"at_hash":"oBG44NeB9WZC9jgyRC5axw","sub":"abc","amr":["BasicAuthenticator"],"iss":"https://.com/oauth2/token","groups":["Internal],"given_name":["."," abc"],"nonce":"n7pvW46f0ddMsrIen7pvW46f0dddMdsrIeeyIg4r6XgMvWQoqeyIg4r6XgMvWQoq-cNCiF6NRc20","aud":"a3xWuyoswA8ddrQsjbmghsz6LJyfoa","c_hash":"tKdE3-od6qzNqx9P5LPTweww","nbf":1697191817,"azp":"a3xWuyoswA8rQsjbmghsz6LJyfoa","exp":1697195417,"iat":1697191817,"email":"abc.com"}]
[2023-10-13T05:10:18,647][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] OP returned an access token but the UserInfo endpoint is not configured.
[2023-10-13T05:10:18,647][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [abc] OP returned an access token but the UserInfo endpoint is not configured.
```
Elastic config file -

```yaml
# Enable security features
#xpack.security.autoconfiguration.enabled: true
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.authc.token.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["abc"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

ingest.geoip.downloader.enabled: false

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "aaaaaaaaaaaaaaaaaaaa"
  rp.response_type: code
  rp.redirect_uri: "http://abc:5601/api/security/oidc/callback"
  #op.issuer: "https://abc:9443/oauth2/token"
  op.issuer: "https://abc/oauth2/token"
  op.authorization_endpoint: "https://abc:9443/oauth2/authorize"
  op.token_endpoint: "https://abcl:9443/oauth2/token"
  op.jwkset_path: "https://abc:9443/oauth2/jwks"
  op.endsession_endpoint: "https://abc:9443/oidc/logout"
  op.userinfo_endpoint: "https://abc:9443/oauth2/userinfo"
  rp.post_logout_redirect_uri: "http://abc:5601/security/logged_out"
  claims.principal: sub
  claims.groups: groups
  ssl.verification_mode: none
```
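As an added example (not part of the original post and not Elastic's or WSO2's code), the script below cross-checks what the Elasticsearch OIDC realm logs at TRACE level against the realm settings shown above: the expected nonce and state recorded when the OP redirects back, the state returned in the callback URL, and the `iss`, `aud`, `nonce`, `exp` and `nbf` claims of the validated ID token. These are the standard relying-party checks an OIDC realm applies, so running the excerpt through it narrows a first-attempt failure down to "which check would fail" before digging into cookies or the HAR file. The log lines, realm values and hostnames in the block are constructed samples in the same message format as the `OpenIdConnectAuthenticator` lines in the post; the regular expressions assume that message format.

```python
"""Cross-check Elasticsearch OIDC realm TRACE lines against the realm settings.

Added example, not code from the original post. Log lines and realm values are
constructed; the regexes assume the OpenIdConnectAuthenticator message format."""
import json
import re
import time
from urllib.parse import parse_qs, urlsplit

# Constructed realm settings mirroring the xpack.security.authc.realms.oidc.* keys.
REALM = {
    "rp.client_id": "client-id-example",
    "op.issuer": "https://idp.example:9443/oauth2/token",
}

# Constructed sample log lines (same shape as the OpenIdConnectAuthenticator TRACE output).
SAMPLE_LOG = [
    '[2023-10-13T05:10:17,633][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node1] '
    'OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=abc&state=STATE123]. '
    'Expected Nonce is [NONCE123] and expected State is [STATE123]',
    '[2023-10-13T05:10:18,647][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [node1] '
    'Received and validated the Id Token for the user: [{"sub":"alice",'
    '"iss":"https://idp.example:9443/oauth2/token","nonce":"NONCE123",'
    '"aud":"client-id-example","exp":4102444800,"iat":1697191817}]',
]

REDIRECT_RE = re.compile(
    r"redirected user to \[(?P<url>[^\]]+)\]\. "
    r"Expected Nonce is \[(?P<nonce>[^\]]+)\] and expected State is \[(?P<state>[^\]]+)\]"
)
IDTOKEN_RE = re.compile(r"validated the Id Token for the user: \[(?P<claims>\{.*\})\]")


def parse_log(lines):
    """Extract expected nonce/state, the state echoed in the callback URL and the
    ID token claims from the TRACE lines. Anything not found stays None."""
    found = {"expected_nonce": None, "expected_state": None, "callback_state": None, "claims": None}
    for line in lines:
        m = REDIRECT_RE.search(line)
        if m:
            found["expected_nonce"] = m.group("nonce")
            found["expected_state"] = m.group("state")
            query = parse_qs(urlsplit(m.group("url")).query)
            found["callback_state"] = query.get("state", [None])[0]
            continue
        m = IDTOKEN_RE.search(line)
        if m:
            found["claims"] = json.loads(m.group("claims"))
    return found


def check_id_token(claims, expected_nonce, realm, now=None):
    """Apply the relying-party checks on an ID token: issuer, audience (string or
    list), nonce bound to this login attempt, and time validity.
    Returns a list of problems; an empty list means every check passed."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != realm["op.issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != op.issuer {realm['op.issuer']!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if realm["rp.client_id"] not in aud_list:
        problems.append(f"aud {aud!r} does not contain rp.client_id {realm['rp.client_id']!r}")
    if claims.get("nonce") != expected_nonce:
        problems.append(f"nonce {claims.get('nonce')!r} != expected nonce {expected_nonce!r}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"ID token expired or missing exp (exp={exp!r}, now={int(now)})")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        problems.append(f"ID token not yet valid (nbf={nbf}, now={int(now)})")
    return problems


def diagnose(lines, realm, now=None):
    """Run the full cross-check over a log excerpt and return the findings."""
    found = parse_log(lines)
    if found["claims"] is None or found["expected_nonce"] is None:
        return ["log excerpt lacks the redirect line and/or the validated-ID-token line"]
    problems = []
    if found["callback_state"] != found["expected_state"]:
        problems.append(
            f"callback state {found['callback_state']!r} != expected state {found['expected_state']!r}"
        )
    problems.extend(check_id_token(found["claims"], found["expected_nonce"], realm, now))
    return problems


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, REALM) or ["no inconsistencies found"]:
        print(finding)
```

To use it on a real excerpt, paste the realm's `op.issuer` and `rp.client_id` into `REALM` and feed the two TRACE lines to `diagnose`; the redirect line and the ID token line must come from the same login attempt, since the nonce is only valid for the attempt that generated it.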