I am trying to use Keycloak as an OIDC provider in order to query Elastic.
The flow will be:
- Log into the UI using Keycloak to obtain an ID token.
- Pass this token to the API via a bearer header (Spring Boot application).
- Somehow query Elasticsearch as the authenticated user.
How does ES trust the ID token generated from the login in the UI?
I have configured a realm in Elastic to use OIDC and performed the steps outlined in https://www.elastic.co/guide/en/elasticsearch/reference/master/oidc-without-kibana.html
I am performing a prepare in ES, then attempting an authenticate, but I receive this error from the request:
"reason": "unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate]",
And I get this error in ES logs:
"message": "Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to consume the OpenID connect response. ]; nested: ParseException[Missing URI fragment or query string];)"
ES version: 7.5.0
If anyone could help me out, or point me towards an article, that would be great.
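As an added illustration, not part of the original post or of Elastic's code: the two request bodies from the linked "OIDC without Kibana" flow, with the check that corresponds to the "Missing URI fragment or query string" failure when the bare ID token is passed instead of the full callback URL. Field names follow the linked guide; hostnames, codes and tokens are constructed placeholders.

```python
"""Added example, not from the original post: builds the two request bodies of
the linked "OIDC without Kibana" flow and applies the check whose failure
produces "Missing URI fragment or query string". Field names follow that
guide; hostnames and tokens are constructed placeholders."""
from urllib.parse import urlsplit, parse_qs

REALM = "oidc1"  # realm name taken from the log line in the post


def prepare_request(realm: str = REALM) -> dict:
    """Body for POST /_security/oidc/prepare. Elasticsearch answers with the
    Keycloak redirect URL plus a state and nonce the client must keep."""
    return {"realm": realm}


def response_params(redirect_uri: str) -> dict:
    """Parameters Keycloak appended to the callback URL: the query string in
    the authorization-code flow, the fragment in the implicit flow. A bare
    ID token has neither, which is what the parser complains about."""
    parts = urlsplit(redirect_uri)
    return {k: v[0] for k, v in parse_qs(parts.query or parts.fragment).items()}


def authenticate_request(redirect_uri: str, state: str, nonce: str,
                         realm: str = REALM) -> dict:
    """Body for POST /_security/oidc/authenticate. redirect_uri must be the
    full URL the browser landed on after Keycloak, not the token itself."""
    params = response_params(redirect_uri)
    if not params:
        raise ValueError("redirect_uri carries no query string or fragment; "
                         "pass the complete callback URL, not the ID token")
    if params.get("state") != state:
        # Elasticsearch performs the same comparison; a mismatched state is
        # rejected as a possible replay or cross-site request.
        raise ValueError("state in callback does not match the prepare step")
    return {"redirect_uri": redirect_uri, "state": state,
            "nonce": nonce, "realm": realm}


if __name__ == "__main__":
    cb = "https://app.example.test/callback?code=abc123&state=st1"  # constructed
    print(authenticate_request(cb, "st1", "n1"))
```

The API client should hand Elasticsearch the whole redirect URL (including `?code=...&state=...` or the `#...` fragment) together with the state and nonce returned by the prepare call; the ID token alone is not an OIDC response.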