OIDC implicit mode unable to generate Elastic Access Token

I am trying to use Keycloak as an OIDC provider in order to query Elastic.

The flow will be...

  1. Log into the UI using Keycloak to obtain an id token.
  2. Pass this token to the API via a bearer header (spring boot application)
  3. Somehow query elastic search as the authenticated user

How does ES trust the ID token generated from the login in the UI?

I have configured a realm in Elastic to use OIDC and performed the steps outlined in https://www.elastic.co/guide/en/elasticsearch/reference/master/oidc-without-kibana.html

I am performing a prepare in ES, then attempting an authenticate but receiving this error from the request: "reason": "unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate]",

And I get this error in ES logs:
"message": "Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to consume the OpenID connect response. ]; nested: ParseException[Missing URI fragment or query string];)"

ES version: 7.5.0

If anyone could help me out, or point me towards an article that would be great.

You can't do that.

Third party initiated login is defined in the specification in https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin. We don't cover the Third PArty initiated login flow without Kibana in our docs ( I've made a note to fix that )

You basically need to

  1. initiate a request to the RP ( your spring boot application ) providing the necessary parameters (iss should be enough)
  2. Your spring boot app will make the necessary call to Elasicsearch ( https://www.elastic.co/guide/en/elasticsearch/reference/7.2/security-api-oidc-prepare-authentication.html passing state, nonce, issuer )
  3. Elasticserach will reply with a URL back to keycloak
  4. You use that url to redirect that user back to Keycloak..
  5. Continue from 3 in https://www.elastic.co/guide/en/elasticsearch/reference/master/oidc-without-kibana.html

This will give your spring boot app an Elasticsearch Token Service access token and a refresh token for that user, and you can subsequently use that Elasticsearch Token Service access as a Bearer token for requests to Elasticsearch on behalf of the authenticated user

You'll need to add a bit more detail here, this is not enough for us to help you.

  • Calling prepare gives you a URL back to redirect you to your OP, what do you do with it?
  • Calling the prepare API would never return that error message, this error message is from the oidc/authenticate API .

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.