Attempting to configure an Elastic Cloud Kibana instance to use AWS Cognito for login, but running into the error below after a successful login at the OP (AWS Cognito) side.
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
I have an EC2 instance running nginx in front of Kibana, to make sure my domain name is correctly reflected and secure.
xpack.security.authc.realms:
  oidc.cloud-oidc:
    order: 2
    rp.client_id: "<clientid>"
    rp.response_type: code
    rp.redirect_uri: "https://<KIBANA EXTERNAL URL>/api/security/v1/oidc"
    op.issuer: "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx"
    op.authorization_endpoint: "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/authorize"
    op.token_endpoint: "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/token"
    op.jwkset_path: "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx/.well-known/jwks.json"
    op.userinfo_endpoint: "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo"
    op.endsession_endpoint: "https://xxxx.auth.eu-west-1.amazoncognito.com/logout"
    rp.post_logout_redirect_uri: "https://<KIBANA EXTERNAL URL>/logged_out"
    claims.principal: sub
    claims.groups: "cognito:groups"
In Kibana, I have configured the following:
xpack.security.public:
  protocol: https
  hostname: "<KIBANA EXTERNAL URL>"
  port: 443
There is a slight delay before I get the above error, which feels like it's a comms problem, but I can't be sure.
I tried to enable the logs in ES, but my settings don't seem to have any effect:
PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.saml": "TRACE",
    "logger.org.elasticsearch.xpack.security.authc.oidc": "TRACE",
    "logger.org.elasticsearch.xpack.security.authc": "TRACE",
    "logger.org.elasticsearch.xpack.security": "TRACE"
  }
}
Anyone had a similar issue?
Thanks,
Johan
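As an added example (editor's code, not Elastic's, AWS's or the poster's), an offline check that an OIDC realm configuration like the one above agrees with what the OP's discovery document advertises, since Elasticsearch rejects an ID token whose `iss` does not match `op.issuer` exactly. The Kibana hostname and the discovery document are constructed stand-ins for Cognito's real values.

```python
"""Offline sanity check of an Elasticsearch OIDC realm config against the
OP's discovery document (editor's example; hostnames are constructed)."""
from urllib.parse import urlparse

# Realm settings from the post; <KIBANA EXTERNAL URL> replaced by a made-up host.
REALM = {
    "rp.client_id": "<clientid>",
    "rp.redirect_uri": "https://kibana.example.com/api/security/v1/oidc",
    "op.issuer": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx",
    "op.authorization_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "op.token_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "op.jwkset_path": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx/.well-known/jwks.json",
    "op.userinfo_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo",
    "claims.principal": "sub",
}

# Constructed stand-in for GET <op.issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx",
    "authorization_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxxxxxxxxxx/.well-known/jwks.json",
    "userinfo_endpoint": "https://xxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo",
}

# Realm key -> the standard OIDC discovery field it must equal.
FIELD_MAP = {
    "op.issuer": "issuer",
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "jwks_uri",
    "op.userinfo_endpoint": "userinfo_endpoint",
}


def check_realm(realm, discovery):
    """Return a list of findings; an empty list means the realm agrees with the OP."""
    findings = []
    for realm_key, disc_key in FIELD_MAP.items():
        if realm.get(realm_key) != discovery.get(disc_key):
            findings.append(f"{realm_key} differs from discovery {disc_key}")
    # The token's iss claim is compared byte-for-byte; a trailing slash breaks it.
    if realm.get("op.issuer", "").endswith("/"):
        findings.append("op.issuer has a trailing slash")
    if urlparse(realm.get("rp.redirect_uri", "")).scheme != "https":
        findings.append("rp.redirect_uri is not https")
    if not realm.get("claims.principal"):
        findings.append("claims.principal is not set")
    return findings


if __name__ == "__main__":
    print(check_realm(REALM, DISCOVERY) or "realm matches discovery document")
```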