Trying to integrate Keycloak OIDC with Kibana to allow logins from Keycloak users. Upon selecting the "Login with Keycloak" icon, I am correctly redirected to Keycloak to log in. After entering the credentials of a Keycloak user, however, I am redirected back to Kibana with a `{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}` response.
Unless I'm missing something in the docs, the role mapping that I'm using should allow any Keycloak user to authenticate as "superuser" and "kibana_admin". (Note that a `realm.name` rule of `"*"` matches every realm, not only the OIDC one, so as written this mapping also grants those roles to every user of the native realm.)
Configs below, obfuscated of course.
kibana.yml
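elasticsearch.hosts: ["https://<elasticsearch address>:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "<ES password>"
server.host: "0.0.0.0"
server.port: 5601
# Nested keys below are indented so they belong to server.ssl / elasticsearch.ssl /
# the providers map; at column 0 they would be read as unrelated top-level settings.
server.ssl:
  enabled: true
  key: /usr/share/kibana/config/certs/elastic-certificate.key
  certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
# Presumably redacted for the post. Kibana requires each of these to be a string of
# at least 32 characters; an empty value is not a usable key. The session cookie the
# OIDC flow relies on is encrypted with xpack.security.encryptionKey.
xpack.security.encryptionKey: ""
xpack.encryptedSavedObjects.encryptionKey: ""
elasticsearch.ssl:
  certificateAuthorities: /usr/share/kibana/config/ca/elasticsearch-ca.pem
  verificationMode: certificate
xpack.security.enabled: true
xpack.security.authc.providers:
  # Provider name "master" must reference the Elasticsearch realm named "master"
  # (xpack.security.authc.realms.oidc.master in elasticsearch.yml).
  oidc.master:
    order: 0
    realm: master
    description: "Log in with Keycloak"
  basic.basic1:
    order: 1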
elasticsearch.yml
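logger.org.elasticsearch.discovery: DEBUG
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.authc.realms.native.local.order: 0
# Token service is required for the OIDC realm: Kibana stores the resulting
# Elasticsearch access token in the session it creates for the user.
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  # Nested settings are indented so they belong to the "master" OIDC realm.
  oidc.master:
    order: 2
    rp.client_id: "elastic"
    rp.response_type: code
    # Kibana's OIDC callback route is /api/security/oidc/callback. When Keycloak
    # redirects to a different path (as /api/security/v1/master did), Kibana handles
    # it as an ordinary request, finds no access token in the session state and
    # answers 401 — exactly the sequence in the log. The same value must be
    # registered as a valid redirect URI on the Keycloak client.
    rp.redirect_uri: "https://<kibana url>:5601/api/security/oidc/callback"
    op.issuer: "https://<keycloak url>/auth/realms/master"
    op.authorization_endpoint: "https://<keycloak url>/auth/realms/master/protocol/openid-connect/auth"
    op.token_endpoint: "https://<keycloak url>/auth/realms/master/protocol/openid-connect/token"
    op.jwkset_path: "https://<keycloak url>/auth/realms/master/protocol/openid-connect/certs"
    op.userinfo_endpoint: "https://<keycloak url>/auth/realms/master/protocol/openid-connect/userinfo"
    op.endsession_endpoint: "https://<keycloak url>/auth/realms/master/protocol/openid-connect/logout"
    rp.post_logout_redirect_uri: "https://<kibana url>:5601/logged_out"
    claims.principal: preferred_username
    # "none" disables TLS verification of every Keycloak endpoint above, so the token
    # exchange and JWKS download are exposed to interception. For anything beyond a
    # throw-away lab, point ssl.certificate_authorities at the CA that issued the
    # Keycloak certificate and drop this line so the default (full) verification applies.
    ssl.verification_mode: none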
GET /_security/role_mapping
{
"keycloak": {
"enabled": true,
"roles": ["superuser", "kibana_admin"],
"rules": {
"all": [{
"field": {
"realm.name": "*"
}
}]
},
"metadata": {}
}
}
kibana.log
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["info","plugins","security","routes"],"pid":1726076,"message":"Logging in with provider \"master\" (oidc)"}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","http","server","Kibana","cookie-session-storage"],"pid":1726076,"message":"Error: Unauthorized"}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Trying to perform a login."}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Login has been initiated by a user."}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Trying to initiate OpenID Connect authentication."}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Redirecting to OpenID Connect Provider with authentication request."}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","session","sMrk9yIZU="],"pid":1726076,"message":"Creating a new session."}
{"type":"log","@timestamp":"2021-08-17T17:45:15Z","tags":["debug","plugins","security","session","sMrk9yIZU="],"pid":1726076,"message":"Successfully created a new session."}
{"type":"response","@timestamp":"2021-08-17T17:45:15Z","tags":[],"pid":1726076,"method":"post","statusCode":200,"req":{"url":"/internal/security/login","method":"post","headers":{"host":"<kibana url>:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://<kibana url>:5601/login?msg=LOGGED_OUT","content-type":"application/json","kbn-version":"7.10.2","origin":"https://<kibana url>:5601","content-length":"109","connection":"keep-alive","pragma":"no-cache","cache-control":"no-cache"},"remoteAddress":"<my IP>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0","referer":"https://<kibana url>:5601/login?msg=LOGGED_OUT"},"res":{"statusCode":200,"responseTime":865,"contentLength":9},"message":"POST /internal/security/login 200 865ms - 9.0B"}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Trying to authenticate user request to /api/security/v1/master?state=<state key>&session_state=<session state>&code=<code state>.<session state>.<code key>."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","oidc","master"],"pid":1726076,"message":"Elasticsearch access token is not found in state."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","basic","basic1"],"pid":1726076,"message":"Trying to authenticate user request to /api/security/v1/master?state=<state key>&session_state=<session state>&code=<code state>.<session state>.<code key>."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","http"],"pid":1726076,"message":"Trying to authenticate user request to /api/security/v1/master?state=<state key>&session_state=<session state>&code=<code state>.<session state>.<code key>."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","http"],"pid":1726076,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","security","authentication"],"pid":1726076,"message":"Could not handle authentication attempt"}
{"type":"log","@timestamp":"2021-08-17T17:45:24Z","tags":["debug","plugins","licensing"],"pid":1726076,"message":"Requesting Elasticsearch licensing API"}
{"type":"response","@timestamp":"2021-08-17T17:45:24Z","tags":[],"pid":1726076,"method":"get","statusCode":401,"req":{"url":"/api/security/v1/master?state=<state key>&session_state=<session state>&code=<code state>.<session state>.<code key>","method":"get","headers":{"host":"<kibana url>:5601","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","connection":"keep-alive","upgrade-insecure-requests":"1","pragma":"no-cache","cache-control":"no-cache"},"remoteAddress":"<my IP>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"},"res":{"statusCode":401,"responseTime":29,"contentLength":9},"message":"GET /api/security/v1/master?state=<state key>&session_state=<session state>&code=<code state>.<session state>.<code key> 401 29ms - 9.0B"}