We are trying to set up Elasticsearch to use OIDC for authentication. Here is my YAML file:
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 1
  rp.client_id: "6bd9f9a3-67a3-4392-b29c-675c16b818e9"
  rp.response_type: "code"
  rp.redirect_uri: "https://<Kibana-Host>/api/security/oidc/callback"
  op.issuer: "https://<Login-Provider>"
  op.authorization_endpoint: "https://<Login-Provider>/oauth2/v2.0/authorize"
  op.token_endpoint: "https://<Login-Provider>/oauth2/v2.0/token"
  op.jwkset_path: "https://<Login-Provider>/discovery/v2.0/keys"
  rp.post_logout_redirect_uri: "https://<Kibana-Host>/login"
  rp.requested_scopes: [openid, profile, email]
  claims.principal: email
Once I sign in with credentials I get the following error:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
What is it that I am doing wrong?
Please check your Elasticsearch logs; there should be more info there on exactly what fails. If there is not, you can also set the logging level to trace with
PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"
  }
}
and get additional details.
This is what I get from the logs:
[2020-05-29T14:23:13,899][WARN ][o.e.x.s.a.AuthenticationService] [ip-172-31-8-199.us-west-2.compute.internal] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJWTException[Unexpected JWT issuer:
If you hadn't truncated the log message we would be able to help more, but in summary:
You have configured your realm as such:
but the actual issuer string of your OP is a different one, it is the one that is printed in your logs exactly after
BadJWTException[Unexpected JWT issuer:
You need to fix your configuration.
Here is my op.issuer: "https://login.microsoftonline.com"
and the one in the logs is https://login.microsoftonline.com/<Truncated_id>
I updated my elasticsearch.yml with the op.issuer I got from the logs. Now it gives me no error, but when I try accessing it I get a 403 in the browser.
Please read through our docs; you'll find all your questions are already answered there: https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-role-mapping.html
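The two failures in this thread are distinct stages of the same login: the 401 is the realm rejecting the ID token because its `iss` claim does not equal the configured `op.issuer`, and the later 403 is an authenticated user who has no roles because no role mapping matched them. The script below is an added diagnostic example, not code from Elastic or from the thread: it decodes a constructed ID token's payload (without verifying the signature, so it only shows what the OP claims, not whether the token is genuine), compares `iss` against the realm's `op.issuer`, then builds the user the way the OIDC realm does (assumption: principal from `claims.principal`, groups from `claims.groups`, each claim copied to `metadata.oidc(<claim>)`) and evaluates Elasticsearch-style role-mapping rules (`all`, `any`, `except`, `field`) against it. The tenant id, e-mail and group names are placeholders.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed ID token for offline testing: the signature is a placeholder, so this
    token would never pass the realm's JWKS validation. Only the payload matters here."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.DEMO-SIGNATURE-NOT-VALID"


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(realm_config: dict, id_token: str):
    """The realm compares the token's iss claim with op.issuer by exact string equality."""
    actual = decode_jwt_payload(id_token).get("iss")
    configured = realm_config["op.issuer"]
    return actual == configured, configured, actual


def build_user(realm_name: str, realm_config: dict, claims: dict) -> dict:
    """Approximation (assumption) of the user object the role-mapping engine sees."""
    return {
        "username": claims[realm_config["claims.principal"]],
        "realm": {"name": realm_name},
        "groups": claims.get(realm_config.get("claims.groups", "groups"), []),
        "metadata": {f"oidc({k})": v for k, v in claims.items()},
    }


def _lookup(user: dict, field: str):
    # Dotted path such as "realm.name" or "metadata.oidc(email)".
    node = user
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Mini evaluator for role-mapping rules. The real engine also accepts '*' wildcards
    in string values; this version uses exact matches only."""
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        for name, expected in rule["field"].items():
            wanted = expected if isinstance(expected, list) else [expected]
            actual = _lookup(user, name)
            have = actual if isinstance(actual, list) else [actual]
            if not any(h == w for h in have for w in wanted):
                return False
        return True
    raise ValueError(f"unknown rule shape: {rule}")


def resolve_roles(mappings: dict, user: dict) -> set:
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


def diagnose(realm_name: str, realm_config: dict, id_token: str, mappings: dict):
    """Returns the stage at which login would fail: 'issuer_mismatch' (the thread's 401),
    'no_roles' (the thread's 403) or ('ok', sorted roles)."""
    ok, configured, actual = check_issuer(realm_config, id_token)
    if not ok:
        return "issuer_mismatch", f"op.issuer is {configured!r} but token iss is {actual!r}"
    user = build_user(realm_name, realm_config, decode_jwt_payload(id_token))
    roles = resolve_roles(mappings, user)
    if not roles:
        return "no_roles", f"{user['username']} authenticated but no role mapping matched"
    return "ok", sorted(roles)


# --- Constructed sample data (placeholders, not values from the thread) ---
TOKEN_ISS = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
REALM_WRONG = {"op.issuer": "https://login.microsoftonline.com", "claims.principal": "email"}
REALM_FIXED = {"op.issuer": TOKEN_ISS, "claims.principal": "email"}
CLAIMS_NO_GROUP = {"iss": TOKEN_ISS, "sub": "user-1", "email": "alice@example.com"}
CLAIMS_WITH_GROUP = {**CLAIMS_NO_GROUP, "groups": ["kibana-admins"]}
ROLE_MAPPINGS = {  # body shape of PUT /_security/role_mapping/<name>
    "oidc-kibana-admins": {
        "enabled": True,
        "roles": ["kibana_admin"],
        "rules": {"all": [{"field": {"realm.name": "oidc1"}},
                          {"field": {"groups": "kibana-admins"}}]},
    }
}

if __name__ == "__main__":
    for cfg, claims in [(REALM_WRONG, CLAIMS_NO_GROUP), (REALM_FIXED, CLAIMS_NO_GROUP),
                        (REALM_FIXED, CLAIMS_WITH_GROUP)]:
        print(diagnose("oidc1", cfg, make_unsigned_demo_token(claims), ROLE_MAPPINGS))
```

Running it walks through the thread in order: the first call reports the issuer mismatch, the second authenticates but resolves no roles (the 403 state), and the third resolves `kibana_admin` once a mapping exists whose rules the user satisfies. Keep the `realm.name` condition in real mappings so a group name coming from another realm does not grant the same roles.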