Unable to configure oidc

we are trying to setup elasticsearch to use oidc for authentication here is my yaml file

xpack.security.authc.token.enabled: true
        order: 1
        rp.client_id: "6bd9f9a3-67a3-4392-b29c-675c16b818e9"
        rp.response_type: "code"
        rp.redirect_uri: "https://<Kibana-Host>/api/security/oidc/callback"
        op.issuer: "https://<Login-Provider>"
        op.authorization_endpoint: "https://<Login-Provider>/oauth2/v2.0/authorize"
        op.token_endpoint: "https://<Login-Provider>/oauth2/v2.0/token"
        op.jwkset_path: "https://<Login-Provider>/discovery/v2.0/keys"
        rp.post_logout_redirect_uri: "https://<Kibana-Host>/login"
        rp.requested_scopes: [openid, profile, email]
        claims.principal: email

once I sign in with credentials I get the following error

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

what is that I am doing wrong?

Please check your elasticsearch logs, there should be more info there on exactly what fails. If there is not, you can also set the logging level to trace with

 PUT /_cluster/settings
   "transient": {
     "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"

and get additional details

This is what get from the logs
[2020-05-29T14:23:13,899][WARN ][o.e.x.s.a.AuthenticationService] [ip-172-31-8-199.us-west-2.compute.internal] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJWTException[Unexpected JWT issuer: 

If you didn't truncate the log message we would be able to help more but in summary:
You have configured your realm as such:

but the actual issuer string of your OP is a different one, it is the one that is printed in your logs exactly after

BadJWTException[Unexpected JWT issuer: 

You need to fix your configuration.

here is my op.issuer: "https://login.microsoftonline.com"
and one in the logs is  https://login.microsoftonline.com/<Truncated_id>
I updated my elasticsearch.yml with op.issuer I got from logs but now it gives me no error but when I try accessing it I get 403 on browser

Please read through our docs, you'll find all your questions are already answered there : https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-role-mapping.html

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.