Kibana - Use Laravel Passport as OpenID Connect Provider to SSO with Elastic and Kibana

Hello, I'm trying to use my Laravel app, which uses Passport for authentication, as an OpenID Connect Provider for single sign-on with Elastic and Kibana. But I get the following error:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Unauthorized"
}

at the http://localhost:5601/api/licensing/info endpoint.
And in the Elastic terminal I get:

[Failed to exchange code for Id Token]

My config for Elasticsearch is:

xpack.security.authc.realms.oidc.oidc2:
  order: 1
  rp.client_id: "947fe15a-8f74-473e-b794-138fd79d7c79"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://localhost:8082"
  op.authorization_endpoint: "http://localhost:8082/oauth/authorize/"
  op.token_endpoint: "http://localhost:8082/oauth/token/"
  op.jwkset_path: oidc/jwkset.json
  op.userinfo_endpoint: "http://localhost:8082/oauth/userinfo/"
  op.endsession_endpoint: "http://localhost:8082/oauth/logout/"
  rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out"
  claims.principal: sub
  claims.mail: email
  claims.name: name

And the only endpoint that I manually added in Laravel is:

use Illuminate\Http\Request;

// Userinfo endpoint: needs a valid Passport access token with the openid scope; the claim middleware is from laravel-passport-claims.
Route::middleware(['auth:api', 'scope:openid', 'claim:sub,email,name'])->get('/oauth/userinfo', function (Request $request) {
    return $request->user();
});

I'm using the laravel-passport-claims package to add the required claims.

Is someone able to spot a possible cause for the error with this information?

Note: I installed Elastic and Kibana on Windows 10, and I'm using the free trial for the OpenID features.
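The step that the log line above reports as failing ("exchange code for Id Token") is the RP posting the authorization code to op.token_endpoint and then validating the id_token in the JSON it gets back. What follows is an added example, not code from this thread, from Elasticsearch or from Laravel Passport: a stdlib-only Python model of what an OpenID Connect RP has to check on that response (OIDC Core, section 3.1.3.7), reusing the realm's op.issuer and rp.client_id as constants. The signing key, the JWK set, the kid "passport-key-1", the nonce and all four token-endpoint responses are constructed inline for the demo; none were captured from Passport. The three failing responses show how such an exchange gets rejected: no id_token in the response at all, an iss that does not exactly equal op.issuer, and a signature that does not match the key published in the JWK set.

```python
# Added example (not from the thread, Elasticsearch or Passport): RP-side validation of an
# OIDC token-endpoint response, with a throwaway RSA key and constructed responses.
import base64, hashlib, json, random, time

ISSUER = "http://localhost:8082"                       # op.issuer from the realm config above
CLIENT_ID = "947fe15a-8f74-473e-b794-138fd79d7c79"   # rp.client_id from the realm config above
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for RS256

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n, rounds=16):  # Miller-Rabin; only used to mint a throwaway demo key
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1 or x == n - 1: continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa(bits=1024):
    """Throwaway RSA key standing in for the OP's signing key (demo only, not for real use)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 with SHA-256, the padding RS256 uses
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(pub, msg, sig):
    k, s = (pub["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < pub["n"] and pow(s, pub["e"], pub["n"]).to_bytes(k, "big") == _emsa(msg, k)

def jwk_of(key, kid):
    """Public half of the key, in the shape the JWKS file behind op.jwkset_path must contain."""
    enc_int = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc_int(key["n"]), "e": enc_int(key["e"])}

def make_id_token(key, kid, claims):
    """RS256 compact JWS, i.e. what the OP's token endpoint must return in the id_token field."""
    enc = lambda o: b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url(rsa_sign(key, signing_input.encode()))

def validate_token_response(body, jwks, issuer, client_id, nonce, now=None):
    """RP-side checks of OIDC Core 3.1.3.7 on a token-endpoint response; returns (ok, reason)."""
    try:
        resp = json.loads(body)
        if "error" in resp: raise ValueError("token endpoint returned error %r" % resp["error"])
        if "id_token" not in resp: raise ValueError("no id_token in response (openid scope not honoured?)")
        parts = resp["id_token"].split(".")
        if len(parts) != 3: raise ValueError("id_token is not a compact JWS")
        header, claims = json.loads(b64url_dec(parts[0])), json.loads(b64url_dec(parts[1]))
        if header.get("alg") != "RS256": raise ValueError("unsupported alg %r" % header.get("alg"))
        jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
        if jwk is None: raise ValueError("kid %r not in the configured jwkset" % header.get("kid"))
        pub = {"n": int.from_bytes(b64url_dec(jwk["n"]), "big"), "e": int.from_bytes(b64url_dec(jwk["e"]), "big")}
        if not rsa_verify(pub, (parts[0] + "." + parts[1]).encode(), b64url_dec(parts[2])):
            raise ValueError("id_token signature does not verify against the jwkset")
        if claims.get("iss") != issuer: raise ValueError("iss %r != op.issuer %r (exact match, slashes included)" % (claims.get("iss"), issuer))
        aud = claims.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]): raise ValueError("aud does not contain rp.client_id")
        if claims.get("exp", 0) <= (now if now is not None else time.time()): raise ValueError("id_token has expired")
        if claims.get("nonce") != nonce: raise ValueError("nonce does not match the authorization request")
        if not claims.get("sub"): raise ValueError("no sub claim to map to claims.principal")
        return True, "ok: principal=%s" % claims["sub"]
    except ValueError as err:  # json.JSONDecodeError is a ValueError too (e.g. an HTML error page came back)
        return False, str(err)

def demo(now=1_700_000_000):
    """One valid exchange plus three constructed failure responses (none captured from Passport)."""
    key, kid, nonce = gen_rsa(), "passport-key-1", "n-0S6_WzA2Mj"
    jwks = {"keys": [jwk_of(key, kid)]}
    claims = {"iss": ISSUER, "sub": "42", "aud": CLIENT_ID, "iat": now, "exp": now + 3600,
              "nonce": nonce, "email": "user@example.com", "name": "Example User"}
    responses = {
        "good": {"token_type": "Bearer", "access_token": "opaque", "expires_in": 3600,
                 "id_token": make_id_token(key, kid, claims)},
        "no_id_token": {"token_type": "Bearer", "access_token": "opaque", "expires_in": 3600},
        "iss_trailing_slash": {"id_token": make_id_token(key, kid, dict(claims, iss=ISSUER + "/"))},
        "signed_with_other_key": {"id_token": make_id_token(gen_rsa(), kid, claims)},
    }
    return {name: validate_token_response(json.dumps(r), jwks, ISSUER, CLIENT_ID, nonce, now)
            for name, r in responses.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-22s %s  %s" % (name, "OK  " if ok else "FAIL", why))
```

Running it prints one line per case with the reason a reject would be logged with. The RSA here is textbook PKCS#1 v1.5 written out so the block has no dependencies; it is neither constant-time nor hardened, so anything beyond a demonstration should use a real JOSE library and fetch the response from the token endpoint over HTTPS.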

Are there any other logs available for Elasticsearch? Trace logs would also help:

PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"
  }
}

Is http://localhost:8082/oauth/token/ endpoint available?

Best,
Oleg

About this issue now :sweat_smile:. This was my previous attempt at SSO with Elastic/Kibana as the RP.

However, my free trial is about to end, and my machine is not able to run Kibana from the source code :unamused:. So since the SSO worked using SAML, I don't believe I'll be trying anything else here, even though I'd like to.
Should I close the question or something like that?

No solution is also a solution :slight_smile: If that's fine with you, I'd keep your question here in case someone else tries a similar thing.
