Azure AD login with OpenID loop

Hi guys.

I'm trying to log in to Kibana using Azure AD and OpenID, but the Azure login creates a loop.

My configs:

config.yml

authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: "basic"
      challenge: false
    authentication_backend:
      type: "internal"
  openid_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
    authentication_backend:
      type: noop

kibana.yml:

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration"
opendistro_security.openid.client_id: "<client_id>" 
opendistro_security.openid.client_secret: "<client_secret>"
opendistro_security.openid.base_redirect_url: "http://localhost:5601"

Does anyone have any idea what can cause the problem?

Hi @leo_gazziro

Could you try setting the settings below in openid_auth_domain?

http_enabled: true (instead of enabled: true)
transport_enabled: false

Do you see any errors in ES logs?
What ODFE version are you running?

When it fails to authenticate it can end up in these kinds of loops. I would expect that the problem gets logged in the elasticsearch logs. I think when I had an issue like this it was because the elastic nodes did not have a route to my openid servers (and my subject_key was wrong). Also, is <tenant> correct?
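The two causes named in this thread (the auth domain switched on with `enabled:` instead of `http_enabled:`, and a `subject_key` or `roles_key` that does not match what the identity provider actually puts in the ID token) can both be checked offline before touching Kibana. The script below is an added example, not code from the thread or from the OpenDistro project. It takes the openid auth domain as a Python dict (assumed already loaded from config.yml; no YAML parser is used), decodes the payload of an ID token without verifying it (verification is the plugin's job, this only inspects claim names), and lists the mismatches that typically end in a redirect loop. The token claims and the tenant GUID in the fixed config are constructed sample values.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWS compact token WITHOUT verifying it.
    Only used to look at which claim names the provider issues."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWS-shaped string with an empty signature. Constructed test input only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def check_openid_domain(domain: dict, claims: dict) -> list:
    """Return a list of findings for an openid auth domain against real token claims."""
    findings = []
    # The security plugin keys are http_enabled / transport_enabled; a bare
    # 'enabled:' is silently ignored, so the domain never becomes active.
    if "enabled" in domain and "http_enabled" not in domain:
        findings.append("domain uses 'enabled:'; the plugin expects 'http_enabled:'")
    elif not domain.get("http_enabled", False):
        findings.append("http_enabled is false; the openid domain will not handle requests")

    cfg = domain.get("http_authenticator", {}).get("config", {})
    url = cfg.get("openid_connect_url", "")
    if "<" in url or ">" in url:
        findings.append(f"openid_connect_url still contains a placeholder: {url}")
    if not url.endswith("/.well-known/openid-configuration"):
        findings.append("openid_connect_url should point at the provider's discovery document")

    # subject_key defaults to the registered 'sub' claim when not set.
    subject_key = cfg.get("subject_key", "sub")
    if subject_key not in claims:
        findings.append(f"subject_key '{subject_key}' is not present in the token claims")
    roles_key = cfg.get("roles_key")
    if roles_key and roles_key not in claims:
        findings.append(f"roles_key '{roles_key}' is not present in the token claims "
                        "(the user will be mapped with no backend roles)")
    return findings


# Constructed claims resembling an Azure AD v2.0 ID token with no app roles assigned.
SAMPLE_CLAIMS = {
    "sub": "constructed-subject-id",
    "preferred_username": "user@example.com",
    "name": "Example User",
    "tid": "00000000-0000-0000-0000-000000000000",
}

# Mirrors the openid_auth_domain posted in the thread (as a dict).
THREAD_DOMAIN = {
    "enabled": True,
    "order": 1,
    "http_authenticator": {
        "type": "openid",
        "challenge": False,
        "config": {
            "subject_key": "preferred_username",
            "roles_key": "roles",
            "openid_connect_url": "https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration",
        },
    },
    "authentication_backend": {"type": "noop"},
}

# The same domain with the fixes suggested in the thread; tenant GUID is constructed.
FIXED_DOMAIN = {
    "http_enabled": True,
    "transport_enabled": False,
    "order": 1,
    "http_authenticator": {
        "type": "openid",
        "challenge": False,
        "config": {
            "subject_key": "preferred_username",
            "roles_key": "roles",
            "openid_connect_url": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0/.well-known/openid-configuration",
        },
    },
    "authentication_backend": {"type": "noop"},
}

if __name__ == "__main__":
    claims = decode_jwt_payload(make_unsigned_token(SAMPLE_CLAIMS))
    for name, domain in (("thread config", THREAD_DOMAIN), ("fixed config", FIXED_DOMAIN)):
        print(f"{name}:")
        for f in check_openid_domain(domain, claims) or ["no findings"]:
            print("  -", f)
```

Run it against a real ID token by replacing `SAMPLE_CLAIMS` with `decode_jwt_payload(<token copied from the provider>)`; the `roles` finding in particular explains why a user can authenticate yet still land in a loop or a 403 with no roles.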

@pablo I tried changing the http_enabled and transport_enabled config, but it doesn't work.
My ODFE version is 1.13.0.1.

About the logs, they don't have any relevant information. Do I need to activate something?

Thanks for helping, guys.

@leo_gazziro

Try to follow the ODFE documentation and enable either debug or trace logging. Trace will provide more verbose output.

Hi @pablo

Sorry for my delay. The ES log has this message: [2021-06-01T20:27:45,668][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [teste-kibana] No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’


Hello, we are having the same problem.
We are installing Wazuh with docker-compose, which includes the opendistro containers. Our OIDC provider is Keycloak.
If anyone knows how to fix it, that would be great. Thanks.

Had the same issue. See solution here: Issue with openid/keycloak causing infinite redirects with Helm - #4 by gdd314596