Unable to configure oidc

We are trying to set up Elasticsearch to use OIDC for authentication. Here is my YAML file:

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
        order: 1
        rp.client_id: "6bd9f9a3-67a3-4392-b29c-675c16b818e9"
        rp.response_type: "code"
        rp.redirect_uri: "https://<Kibana-Host>/api/security/oidc/callback"
        op.issuer: "https://<Login-Provider>"
        op.authorization_endpoint: "https://<Login-Provider>/oauth2/v2.0/authorize"
        op.token_endpoint: "https://<Login-Provider>/oauth2/v2.0/token"
        op.jwkset_path: "https://<Login-Provider>/discovery/v2.0/keys"
        rp.post_logout_redirect_uri: "https://<Kibana-Host>/login"
        rp.requested_scopes: [openid, profile, email]
        claims.principal: email


Once I sign in with credentials, I get the following error:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

What is it that I am doing wrong?

Please check your Elasticsearch logs; there should be more info there on exactly what fails. If there is not, you can also set the logging level to trace with

 PUT /_cluster/settings
 {
   "transient": {
     "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"
   }
 }

and get additional details.

This is what I get from the logs:
[2020-05-29T14:23:13,899][WARN ][o.e.x.s.a.AuthenticationService] [ip-172-31-8-199.us-west-2.compute.internal] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to parse or validate the ID Token]; nested: BadJWTException[Unexpected JWT issuer: 

If you didn't truncate the log message we would be able to help more, but in summary:
You have configured your realm as such:

but the actual issuer string of your OP is a different one, it is the one that is printed in your logs exactly after

BadJWTException[Unexpected JWT issuer: 

You need to fix your configuration.

Here is my op.issuer: "https://login.microsoftonline.com"
and the one in the logs is https://login.microsoftonline.com/<Truncated_id>
I updated my elasticsearch.yml with the op.issuer I got from the logs. Now it gives me no error, but when I try accessing it I get a 403 in the browser.

Please read through our docs; you'll find all your questions are already answered there: https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-role-mapping.html
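A 403 after a successful OIDC login is what you get when authentication works but no role mapping grants the user any roles. As an added example, not from the thread and not Elastic's implementation, the script below evaluates role-mapping rules of the shape used in `PUT /_security/role_mapping/<name>` (`any`, `all`, `except`, `field`, with `*` wildcards in string values) against the user object the `oidc1` realm produces. The user objects, mapping names, domains and role names are constructed; the assumption that the realm exposes token claims in user metadata under `oidc(<claim>)` keys is labelled in the code.

```python
import re

# Constructed: the user the oidc1 realm produces after login. username comes from
# claims.principal (email). groups is empty because the posted realm sets no claims.groups.
# Assumption: token claims are exposed in metadata under oidc(<claim>) keys.
ALICE = {
    "username": "alice@example.com",
    "realm": {"name": "oidc1", "type": "oidc"},
    "groups": [],
    "metadata": {"oidc(email)": "alice@example.com", "oidc(sub)": "sample-subject-identifier"},
}
BOB = {
    "username": "bob@contractor.net",
    "realm": {"name": "oidc1", "type": "oidc"},
    "groups": [],
    "metadata": {"oidc(email)": "bob@contractor.net", "oidc(sub)": "another-subject"},
}

# Constructed role mappings, each in the shape of a PUT /_security/role_mapping/<name> body.
MAPPINGS = {
    "oidc1-example-admins": {
        "enabled": True,
        "roles": ["kibana_admin"],
        "rules": {"all": [
            {"field": {"realm.name": "oidc1"}},
            {"field": {"username": "*@example.com"}},
            {"except": {"field": {"username": "svc-*@example.com"}}},
        ]},
    },
    # Can never match the users above: no groups claim is requested, so oidc(groups) is absent.
    "oidc1-group-viewers": {
        "enabled": True,
        "roles": ["viewer"],
        "rules": {"field": {"metadata.oidc(groups)": "00000000-made-up-group-object-id"}},
    },
}


def _lookup(user: dict, path: str):
    """Resolve a field path such as 'realm.name' or 'metadata.oidc(groups)' on the user."""
    if path.startswith("metadata."):
        return user.get("metadata", {}).get(path[len("metadata."):])
    current = user
    for key in path.split("."):
        if not isinstance(current, dict):
            return None
        current = current.get(key)
    return current


def _match_value(pattern, value) -> bool:
    """A list on either side matches if any element matches; strings support '*' wildcards
    and '/regex/' (Lucene regex syntax approximated here with Python re)."""
    if isinstance(value, list):
        return any(_match_value(pattern, v) for v in value)
    if isinstance(pattern, list):
        return any(_match_value(p, value) for p in pattern)
    if isinstance(pattern, str) and isinstance(value, str):
        if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
            return re.fullmatch(pattern[1:-1], value) is not None
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value) is not None
    return pattern == value


def rule_matches(rule: dict, user: dict) -> bool:
    """Evaluate one rule object against a user."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        (path, pattern), = rule["field"].items()
        return _match_value(pattern, _lookup(user, path))
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def resolve_roles(mappings: dict, user: dict) -> list[str]:
    """Union of roles from every enabled mapping whose rules match; empty means 403 in Kibana."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for user in (ALICE, BOB, dict(ALICE, username="svc-backup@example.com")):
        print(user["username"], "->", resolve_roles(MAPPINGS, user) or "no roles (403)")
```

If you want to map on Azure AD group membership instead of the e-mail domain, the realm must be configured with `claims.groups` pointing at a claim the provider actually puts in the token; a `metadata.oidc(groups)` rule against a token that carries no such claim matches nothing, which is the silent path to the same 403.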
