I've been working on setting up an Elastic Cloud hosted deployment (currently running v7.8.0) with OIDC pointed at Okta. I've run into this error sporadically with various users:
"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"
Following along with "OpenID error after authenticating against AWS Cognito", I have OIDC trace enabled. I find that if I end up not getting the error, I see trace logs showing my token and user info responses and am able to log in, and everyone is happy. When I do get the error, I do not get any trace logs.
Am a bit at a loss for next steps to debug here. Any pointers would be awesome.
xpack.security.authc.providers:
  oidc.okta:
    order: 1
    realm: okta
    description: "Log in with Okta"
    hint: "This is probably what you want!"
    icon: "image url here"
  basic.basic1:
    order: 2
    hint: "This is for super admins"
PS. I also sometimes get what looks like a javascript error on the login screen, clicking the option a second time a few seconds later usually lets the request go through. Not sure if it's related.
If you can enable debug logging for kibana and also capture a HAR from your browser when the error happens, we will be more than happy to take a look and see what the issue might be.
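A HAR capture of a failed login is mostly noise (static assets, polling calls), so the first thing a responder does is pull out the requests to Kibana's security endpoints that came back unauthorized and read their WWW-Authenticate challenges. The script below does that; it is an added example, not code from the thread or from Elastic. The HAR content is constructed inline for illustration, and the endpoint paths in it (`/api/security/oidc/initiate_login`, `/api/security/oidc/callback`) are assumed from Kibana 7.x's OIDC flow rather than taken from this thread.

```python
import json

# Constructed sample HAR (not a real browser capture). It models one OIDC
# login attempt: the redirect to the IdP, the callback that Kibana rejects
# with 401, and an unrelated successful page load. Endpoint paths are
# assumptions for illustration.
SAMPLE_HAR = json.dumps({
    "log": {
        "entries": [
            {
                "request": {"method": "POST",
                            "url": "https://kibana.example/api/security/oidc/initiate_login"},
                "response": {"status": 302, "headers": []},
            },
            {
                "request": {"method": "GET",
                            "url": "https://kibana.example/api/security/oidc/callback?code=REDACTED&state=REDACTED"},
                "response": {
                    "status": 401,
                    "headers": [
                        {"name": "WWW-Authenticate", "value": "Bearer realm=\"security\""},
                        {"name": "WWW-Authenticate", "value": "ApiKey"},
                        {"name": "WWW-Authenticate",
                         "value": "Basic realm=\"security\" charset=\"UTF-8\""},
                    ],
                },
            },
            {
                "request": {"method": "GET", "url": "https://kibana.example/app/home"},
                "response": {"status": 200, "headers": []},
            },
        ]
    }
})


def find_auth_failures(har_text, path_marker="/api/security/"):
    """Return (method, url, status, www_authenticate_values) for every HAR entry
    that hit a security endpoint and received a 401 or 403.

    Only entries whose URL contains path_marker are considered, so ordinary
    asset and data requests are skipped. The WWW-Authenticate values are kept
    in order because the list of challenges is what Elasticsearch reports in
    the security_exception message."""
    har = json.loads(har_text)
    failures = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        url = req.get("url", "")
        status = resp.get("status", 0)
        if path_marker not in url or status not in (401, 403):
            continue
        challenges = [h.get("value", "") for h in resp.get("headers", [])
                      if h.get("name", "").lower() == "www-authenticate"]
        failures.append((req.get("method", ""), url, status, challenges))
    return failures


def summarize(har_text):
    """Human-readable one-liners for each failure, suitable for pasting into a ticket."""
    return ["{} {} -> {} challenges={}".format(m, u, s, c)
            for (m, u, s, c) in find_auth_failures(har_text)]


if __name__ == "__main__":
    # Replace SAMPLE_HAR with open("capture.har").read() for a real file.
    for line in summarize(SAMPLE_HAR):
        print(line)
```

A real HAR contains session cookies, the authorization code and any bearer tokens, so scrub those fields (or at least the `code`/`state` query parameters and `Cookie` headers) before attaching it to a public thread; the sample above already uses placeholder values for that reason.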
PS. I also sometimes get what looks like a javascript error on the login screen,
You mean in Kibana? Can you share the exact error?
For the JS error: yes, in kibana. Reproducing it now in a private window, I realized just now that it is also trying to report an unauthorized response. Here's what it reports...
Header of the dialog: Could not perform login.
Error field: Unauthorized
I clicked the login button again and it brought me to the okta login prompt.
As for debug logs, any particular category or just across the board for Kibana? Will try to reproduce (it would be so much easier if it happened consistently) and capture a HAR.
I may have found a solution. The problem is likely me not understanding that all the different types of ES instances have individual elasticsearch.yaml entry fields in the deployment UI, and even if it says no significant changes when copy-pasting config between them, they are using independent config or something. Can you tell this is my first time using ES as administrator?