Possible bug in OIDC implementation

Hello!

I'm currently evaluating Elastic Stack.

Currently I'm focusing on Elasticsearch SSO features and especially its OpenID Connect (OIDC) support. We have a custom, OIDC standard-compliant identity provider which I have connected to Elasticsearch. I also installed Kibana and connected it to the same identity provider to verify that I can log in to Kibana using that identity provider. So far so good.

Yesterday I started playing with Elasticsearch REST API authentication using the _security/oidc/ endpoints and found an interesting issue which is probably a bug in the Elasticsearch OIDC implementation. If I have two or more OIDC realms in elasticsearch.yml and I call the _security/oidc/authenticate endpoint, it will send a token request to ALL those realms. Instead, it should send the token request only to the realm I specified in the _security/oidc/prepare request. This means that if the correct realm is not the first one in order, our identity provider removes the authorization code on the identity provider side when the "wrong" request arrives (as it should, because authorization codes are one-time only), and when the "correct" request arrives, there's no authorization code available anymore.

This scenario can be reproduced with Kibana too. Just configure two OIDC realms (pointing to the same identity provider) and set the Kibana realm to be the latter. Then try to access Kibana and you will get an error message. If you change the order of those OIDC realms, Kibana starts working again.

So my question is: is this a bug in the OIDC implementation, or am I doing something wrong? I suppose that multiple OIDC realms are supported.

This is a show-stopper for us, so any help will be much appreciated.

Hi @jhonko,

Thanks for the detailed report 🙂 This is indeed a bug and I've opened https://github.com/elastic/elasticsearch/issues/45331 to track this. You can subscribe to that issue to be notified once it is resolved.

For future reference, in case you come across things that look like bugs, you can open an issue directly in https://github.com/elastic/elasticsearch yourself!
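The failure mode reported in this thread can be modelled offline. The following is an added example, not code from Elasticsearch or from either poster: a toy identity provider with single-use authorization codes, and two ways of handling the authenticate step. The realm names, client IDs, the per-realm client ID check and the state-based routing are assumptions made for the illustration.

```python
import secrets

class IdP:
    """Toy IdP (constructed). Assumption: codes are single-use and bound to one client_id."""
    def __init__(self):
        self.codes = {}  # code -> client_id it was issued to
    def issue_code(self, client_id):
        code = secrets.token_urlsafe(8)
        self.codes[code] = client_id
        return code
    def token(self, client_id, code):
        # Any redemption attempt consumes the code, even one from the wrong client.
        issued_to = self.codes.pop(code, None)
        return f"id_token-for-{client_id}" if issued_to == client_id else None

class Realm:
    """Hypothetical stand-in for one OIDC realm entry; not the real realm class."""
    def __init__(self, name, client_id, idp):
        self.name, self.client_id, self.idp = name, client_id, idp
        self.pending = set()  # state values handed out by prepare()
    def prepare(self):
        state = secrets.token_urlsafe(8)
        self.pending.add(state)
        return state
    def redeem(self, code):
        return self.idp.token(self.client_id, code)

def authenticate_try_all(realms, state, code):
    """Behaviour reported in the thread: every OIDC realm sends a token request."""
    for realm in realms:
        token = realm.redeem(code)
        if token:
            return realm.name, token
    return None

def authenticate_by_state(realms, state, code):
    """Behaviour the poster expects: only the realm that issued `state` redeems."""
    for realm in realms:
        if state in realm.pending:
            realm.pending.discard(state)
            token = realm.redeem(code)
            return (realm.name, token) if token else None
    return None

def run(authenticate):
    idp = IdP()
    realms = [Realm("oidc1", "client-a", idp), Realm("oidc2", "client-b", idp)]
    target = realms[1]  # the realm used in prepare is second in order
    state = target.prepare()
    code = idp.issue_code(target.client_id)
    return authenticate(realms, state, code)
```

With the target realm second in order, `run(authenticate_try_all)` returns `None` because the first realm's request burns the code, while `run(authenticate_by_state)` succeeds for `oidc2`.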