SSO test using OpenID Connect in elasticsearch

I am currently conducting the SSO test.

User authentication has been successful.
However, a 403 error occurs.

What settings should I add?

ERROR:
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

ES LOG:
[2020-03-06T12:51:57,553][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [DESKTOP-O6EUAL0] OpenID Connect Provider redirected user to [/api/security/v1/oidc?state= &code= ~&scope=openid&authuser=0&prompt=consent]. Expected Nonce is [~~ ] and expected State is [ ~]
"access_token": "access_token_value",
"expires_in": 3599,
"scope": "openid",
"token_type": "Bearer",
"id_token": "id_token_value"
}]
[2020-03-06T12:51:57,933][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [DESKTOP-O6EUAL0] Successfully exchanged code for ID Token: [value] and Access Token [value]
[2020-03-06T12:51:57,981][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [DESKTOP-O6EUAL0] Received and validated the Id Token for the user: [{"at_hash":"value","aud":"value","sub":"value","azp":"value","iss":"https://accounts.google.com","exp":1583470318,"nonce":"value","iat":1583466718}]
[2020-03-06T12:51:58,325][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [DESKTOP-O6EUAL0] Received UserInfo Response from OP with status [200] and content [{
"sub": "value",
"picture": "value"
}]
[2020-03-06T12:51:58,328][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [DESKTOP-O6EUAL0] Successfully retrieved user information: [{"sub":"116021723082891204727","picture":"value"}]
[2020-03-06T12:52:42,021][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [DESKTOP-O6EUAL0] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/127.0.0.1:56539}
[2020-03-06T12:53:42,030][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [DESKTOP-O6EUAL0] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/0:0:0:0:0:0:0:1:56551}
[2020-03-06T12:54:42,039][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [DESKTOP-O6EUAL0] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/127.0.0.1:56563}
[2020-03-06T12:55:42,047][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [DESKTOP-O6EUAL0] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/0:0:0:0:0:0:0:1:56569}

Users authenticating with OpenID Connect have no roles by default, so they can't see anything. See our documentation, which also explains this and guides you through the necessary steps to give access to these users as needed.

The following settings have already been added.
Is there anything wrong?

PUT /_security/role_mapping/oidc-test
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "oidc1" } },
      { "field": { "groups": "kibana-users" } }
    ]
  }
}

es config
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 0
  rp.client_id: "87589987116-q6qur5tspjaosha0t9rd638a01t3vi6j.apps.googleusercontent.com"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/api/security/v1/oidc"
  op.issuer: "https://accounts.google.com"
  op.authorization_endpoint: "https://accounts.google.com/o/oauth2/auth"
  op.token_endpoint: "https://oauth2.googleapis.com/token"
  op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
  op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
  op.endsession_endpoint: "https://oauth2.googleapis.com/revoke"
  rp.post_logout_redirect_uri: "http://localhost:5601/logged_out"
  claims.principal: sub
  claims.groups: kibana-users

claims.groups doesn't work the way you think it works, unfortunately. Please read through our documentation; we explicitly describe this here: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/oidc-guide-authentication.html#oidc-claims-mapping
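To make the two replies above concrete (an OIDC user gets no roles until a role mapping matches them, and `claims.groups` names a claim in the ID token or UserInfo response, not a group value), here is a small offline model added for this thread. It is not Elasticsearch code and not the original poster's code: it re-implements the documented role-mapping rule DSL (`field`, `any`, `all`, `except`) in simplified form, builds a user from the claims visible in the logged ID token and UserInfo response, and evaluates the posted mapping against that user. The `metadata.oidc(...)` key layout and the wildcard handling are assumptions, and the hardened mapping that pins `superuser` to one `sub` value is a suggestion rather than something the thread did.

```python
"""Offline model of OIDC claim mapping + role-mapping rule evaluation.

Added example for this thread, not Elasticsearch code.  The rule semantics
follow the documented role-mapping DSL, but this evaluator is a simplified
re-implementation, and the metadata key layout is an assumption.
"""
import fnmatch

# Constructed from the ID token / UserInfo response logged in the thread
# (values shortened).  Note: Google sends no "groups" claim here.
GOOGLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "116021723082891204727",
    "aud": "value",
    "picture": "value",
}


def build_user(claims, realm_name, principal_claim="sub", groups_claim=None):
    """Mimic the realm's claim mapping.

    claims.principal names the claim used as the username; claims.groups names
    the claim used as the group list (a claim *name*, not a group *value*).
    A missing groups claim yields an empty group list.
    """
    username = claims.get(principal_claim)
    if username is None:
        raise ValueError(f"principal claim {principal_claim!r} not present")
    groups = claims.get(groups_claim, []) if groups_claim else []
    if isinstance(groups, str):
        groups = [groups]
    return {
        "username": username,
        "groups": list(groups),
        "realm.name": realm_name,
        # Claims are also exposed as user metadata; "oidc(<claim>)" is assumed.
        "metadata": {f"oidc({k})": v for k, v in claims.items()},
    }


def _field_matches(user, path, expected):
    """field rule: any user value matches any expected value (simple wildcards)."""
    actual = user.get(path)
    if actual is None and path.startswith("metadata."):
        actual = user["metadata"].get(path[len("metadata."):])
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    return any(a is not None and fnmatch.fnmatchcase(str(a), str(e))
               for a in actual for e in expected)


def rule_matches(rule, user):
    if "field" in rule:
        return all(_field_matches(user, k, v) for k, v in rule["field"].items())
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule: {rule}")


def resolve_roles(mappings, user):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


# The mapping exactly as posted in the thread.
POSTED_MAPPING = {"oidc-test": {
    "roles": ["superuser"], "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "kibana-users"}},
    ]}}}

# Suggested replacement: only conditions a Google ID token can satisfy, and
# superuser pinned to one account's sub instead of every Google login.
FIXED_MAPPING = {"oidc-test": {
    "roles": ["superuser"], "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"username": "116021723082891204727"}},
    ]}}}


def scenario_posted():
    # claims.groups: kibana-users -> looks for a claim NAMED "kibana-users"
    user = build_user(GOOGLE_CLAIMS, "oidc1", groups_claim="kibana-users")
    return user["groups"], resolve_roles(POSTED_MAPPING, user)


def scenario_fixed():
    user = build_user(GOOGLE_CLAIMS, "oidc1")
    return resolve_roles(FIXED_MAPPING, user)


def scenario_groups_claim():
    # Hypothetical OP that does emit a "groups" claim; then claims.groups: groups
    # is the right setting and the posted mapping matches.
    claims = dict(GOOGLE_CLAIMS, groups=["kibana-users", "staff"])
    user = build_user(claims, "oidc1", groups_claim="groups")
    return resolve_roles(POSTED_MAPPING, user)


if __name__ == "__main__":
    print("posted mapping, Google claims:", scenario_posted())
    print("fixed mapping, Google claims: ", scenario_fixed())
    print("posted mapping, IdP with groups claim:", scenario_groups_claim())
```

The posted mapping yields no roles because `claims.groups: kibana-users` makes the realm look for a claim named `kibana-users`, which Google never sends, so `groups` is empty and the `all` rule fails; Kibana reports the roleless user as 403. Mapping on `realm.name` alone would hand `superuser` to every Google account that can complete the login, so the corrected mapping also requires the `sub` of the intended user.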

Thank you very much.
I deleted the 'claims.groups' setting and succeeded in SSO.

But I have a new question.
How should I set the Refresh Token?

The access token is thought to be unavailable after the expiration date.
An access token issued by Google cannot be used for more than 3,600 seconds.
As far as I know, access tokens are renewed using refresh tokens.
Is that right?
How do I set it up?

You should not. The access token and refresh token that you get from the OP during the OIDC login are not exposed to you and are not meant to be used. You are logged in to the Elastic Stack after that, and all related session and authentication information is held on that side; there is no reason to communicate with the OP (Google) after that.

Session timeouts are handled in Kibana. Please note that the access token and refresh token discussed there have nothing to do with the access token and refresh token from Google. These are internal implementation details of Elasticsearch, part of the Elasticsearch Token Service.
