Attempting to configure a Elastic Cloud Kibana instance to use AWS Cognito for login but running into a the below error after successful login at the OP (AWS Cognito) side.
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
Have an EC2 instance running nginx in front of Kibana, to make sure my domain name is correctly reflected & secure.
There should be a few related log lines in your elasticsearch log. If you can't see them, could you please engage with your support engineer and reference this post If needed ?
Hi,
I have observed the same issue with Okta, the authentication is succesful but Elastic Cloud returns the error below. {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
It seems this feature is probably not working.
Please open an issue for your problem and share your configuration and the logs from your instance so that we can help you address the issues you're facing.
There is currently an unintended limitation prohibiting you from seeing the OpenID Connect related logs in the Elastic Cloud interface. While we are working to resolve this, please contact your support engineer and they would be able to relay the necessary logs to you that will allow you to troubleshoot your configuration.
This would mean that the ID Token didn't contain a sub claim which is rather strange. The logs ( if you get them from your support engineer ) would contain a line that says
claims.principal not found in {your ID Tokens claims here in json format}
@ikakavas Resorted to debugging this locally and it seem AWS is returning claims with values of different types in token request vs user info:
"email_verified": true
vs "email_verified": "true"
Parsing fails and as a result the authentication times out. Removing one of the claims before the merge happens fixes this problem and authentication is possible. Worth noting that there is nothing logged about this error, its simply times out.
Checking why AWS insists on sending the email_verified claim even when I set the scope to openid only
Thank you so much for the details @nahojkap . I recently came across a similar issue with AWS Cognito that lead to a timeout. It looked like email claim was to blame, but your findings shed some additional light. This is a bug on our side, I will be looking into it.
Would you also be opening an issue against Cognito regarding the different types for email_verified ? To be clear, this is supposed to be boolean so "email_verified": true that comes in the ID Token is the correct version.
Also @ikakavas (and not had time to check if there is an issue reported about this already) the AWS Cognito logout pages require some custom URL parameters (client_id and logout_uri) and while I can specify these in the op.endsession_endpoint config, the LogoutRequest class ignores the fact the URI passed already contains a ? for the query string and simply appends a ? and the generated query string.
Cognito will in this case report missing parameter. Changing the URL manually fixes it but now running into some other mysterious error in Cognito but still digging into what that can be.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.