User authorized in KeyCloak rejected access to Kibana space

Hello @elasticcommunity

Our use case is to giver external users access to specific spaces, dashboards and indices in an on-prem Elastic cluster. We are using OpenID Connect authorization and Keycloak as provider.

We have configed Keycloack, Elasticsearch and Kibana as well as created a role_mapping based on groups, see attachments. In Kibana we have configured specific roles and spaces. If a user login in with basic authentication the user is granted access to the specific space, daskboards and indices. So this part of the configuration is correct.

The redirect from Kibana to Keycloak works, the users are authenticated in Keycloak, but Kibana rejects access with an HTTP 403.

No errors are found in the Elasticsearch log or in the Kibana log as well as the Kibana audit log. When running Kibana in debug or trance mode Kibana accepts the authorization, find the spaces ect, but rejects access to the specific space. We are wounding if the role_mapping is wrong or we are missing some mapping of claims.

Any suggestions are much appreciated.

Kibana rejection:

Authorization response from Keycloak, remark "star" returned in the groups array

The very simple role_mapping

Role-mapping

We can provide snippes from the Kibana debug log as well the 403 reported i Google tools.

Sorry, I delete the first post in this topic when I tried to add a file.

Best regards
@fgjensen

Hi @ikakavas Do you mind to take a look at this issue?

I have read you answer to a similar post, but in our case the OP returns the expected value in the groups claim. Our case is that the OP will have several groups which must be mapped to different roles and thus spaces in Kibana

BR @fgjensen

Well. I found the solution, which is more simple than I thought.

claims.groups: "groups"

in stead of

claims.groups: "https://kc-autotest.dev-eessi.dk/claims/groups"

The KeyCloak URL should be valid too according to the OpenID specifications, so it should also work with Kibana.

I have other problems with access to dashboards and a Canvas dashboard. I'll post a specific issue on these problems if I cannot resolve them.

Hi @fgjensen
I am dealing with same idea.
I have the same assignment as you.

I'm also having trouble assigning users to roles in Elasticsearch.

When I tried to simulate the problem using the command line, it returned that Elasticsearch could not decode the token.

Could you share some tips?

My topic:

Thanks a lot!