Hello,
I have a problem using the Open Distro plugin with the OpenID Connect protocol. I installed and configured the plugin to work with Keycloak following the guide (https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/openid-connect/).
The problem is the following:
After successfully logging into Kibana and also switching to Keycloak, I get a screen with the error message “Authentication failed. Please provide a new token.”. In the Elasticsearch logs I read “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’.”
I installed on my Mac (macOS Catalina):
elasticsearch 6.8.1
kibana 6.8.1
plugin-opendistro_security 0.10.0.0 (for elasticsearch and kibana)
All programs run on the same machine on localhost and only Elasticsearch has HTTPS. I used the demo certificates for Elasticsearch.
Below I insert the configuration files.
kibana.yml
#Enable OpenID authentication
opendistro_security.auth.type: "openid"
#The IdP metadata endpoint
opendistro_security.openid.connect_url: "http://localhost:8080/auth/realms/master/.well-known/openid-configuration"
#The ID of the OpenID Connect client in your IdP
opendistro_security.openid.client_id: "kibana"
#The client secret of the OpenID Connect client
opendistro_security.openid.client_secret: "d7639f16-b182-4a8a-b9a3-0e1d640998b4"
opendistro_security.cookie.secure: false
config.yml
http:
  anonymous_auth_enabled: false
  xff:
    enabled: false
authc:
  basic_internal_auth_domain:
    enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration
    authentication_backend:
      type: noop
Thank you all for the help!