Hi,
I am having an issue with Azure AD OIDC authentication to my Elasticsearch. It works well, but when it is redirected to /api/security/v1/oidc? with the code it seems to have an issue and displays this error in the UI.
```json
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<OIDC Token>] for action [cluster:admin/xpack/security/oidc/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
```
This is the error log in OIDC:
```json
{"type": "server", "timestamp": "2020-06-25T01:15:51,030Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "elastic", "message": "Authentication to realm cloud-oidc failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to consume the OpenID connect response. ]; nested: IllegalArgumentException[HTTP host may not be null];)", "cluster.uuid": "my8XX0AYQS-z-yPK1-pe8A", "node.id": "9aSo2VMES4-v_DN-Y4oQRw" }
```
I also have a very basic Elasticsearch config:
```yaml
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.http.ssl.enabled: false
xpack:
  security:
    authc:
      realms:
        native.realm1:
          order: 0
        oidc:
          cloud-oidc:
            order: 2
            rp.client_id: "removed"
            rp.response_type: code
            rp.redirect_uri: "http://localhost:5601/api/security/v1/oidc"
            op.issuer: "https://login.microsoftonline.com/removedv2.0"
            op.authorization_endpoint: "https://login.microsoftonline.com/removed/oauth2/v2.0/authorize"
            op.token_endpoint: "token_endpoint"
            op.jwkset_path: "https://login.microsoftonline.com/removed/discovery/v2.0/keys"
            op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
            op.endsession_endpoint: "https://login.microsoftonline.com/removed/oauth2/v2.0/logout"
            rp.post_logout_redirect_uri: "http://localhost:5601/logged_out"
            claims.principal: sub
```
I am using the Elasticsearch container 7.8.
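As an added example (not part of the original post or of Elasticsearch itself), here is a small checker for the realm block above. The `IllegalArgumentException[HTTP host may not be null]` in the log is what Apache HttpClient raises when it is asked to call a URI that has no host component, so the checker flags any `op.*` endpoint that is not an absolute URL with a host, plus a few other settings worth confirming before troubleshooting further (plain-http OP endpoints, non-loopback http redirect URIs). The settings dict is constructed from the post; `removed` values are the poster's own redactions kept as placeholders.

```python
from urllib.parse import urlparse

# Constructed settings mirroring the realm block in the post; "removed" values
# are the poster's own redactions, kept as placeholders.
REALM_SETTINGS = {
    "rp.response_type": "code",
    "rp.redirect_uri": "http://localhost:5601/api/security/v1/oidc",
    "op.issuer": "https://login.microsoftonline.com/removedv2.0",
    "op.authorization_endpoint": "https://login.microsoftonline.com/removed/oauth2/v2.0/authorize",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "https://login.microsoftonline.com/removed/discovery/v2.0/keys",
    "op.userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "op.endsession_endpoint": "https://login.microsoftonline.com/removed/oauth2/v2.0/logout",
    "rp.post_logout_redirect_uri": "http://localhost:5601/logged_out",
}

# Settings the realm turns into outbound HTTP requests (op.jwkset_path may be a local file).
OP_HTTP_ENDPOINTS = ("op.authorization_endpoint", "op.token_endpoint",
                     "op.userinfo_endpoint", "op.endsession_endpoint")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def is_absolute_http_url(value):
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_realm(settings):
    """Return (setting, problem) pairs for an Elasticsearch OIDC realm config."""
    findings = []
    for key in OP_HTTP_ENDPOINTS:
        value = settings.get(key)
        if value is None:
            if key == "op.token_endpoint" and settings.get("rp.response_type") == "code":
                findings.append((key, "required for the authorization code flow"))
            continue
        if not is_absolute_http_url(value):
            findings.append((key, "not an absolute URL with a host"))
        elif urlparse(value).scheme != "https":
            findings.append((key, "OP endpoint must use https"))
    jwks = settings.get("op.jwkset_path", "")
    if is_absolute_http_url(jwks) and urlparse(jwks).scheme != "https":
        findings.append(("op.jwkset_path", "remote JWKS must be fetched over https"))
    if not is_absolute_http_url(settings.get("op.issuer", "")):
        findings.append(("op.issuer", "must be an absolute URL"))
    # Plain http back to Kibana is tolerable only on a loopback test host.
    for key in ("rp.redirect_uri", "rp.post_logout_redirect_uri"):
        parsed = urlparse(settings.get(key, ""))
        if parsed.scheme == "http" and parsed.hostname not in LOCAL_HOSTS:
            findings.append((key, "http redirect to a non-loopback host"))
    return findings
```

Running `check_realm(REALM_SETTINGS)` reports only `op.token_endpoint`, which matches the "HTTP host may not be null" failure at the token exchange step that happens right after the redirect to /api/security/v1/oidc.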