Azure AD login with OpenID loop

Hi guys.

I’m trying to do login in Kibana using Azure ID and OpenID but the Azure login create a loop.

My configs:


        http_enabled: true
        transport_enabled: true
        order: 0
          type: "basic"
          challenge: false
          type: "internal"
        enabled: true
        order: 1
          type: openid
          challenge: false
            subject_key: preferred_username
            roles_key: roles
           type: noop


opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "<tenant>/v2.0/.well-known/openid-configuration"
opendistro_security.openid.client_id: "<client_id>" 
opendistro_security.openid.client_secret: "<client_secret>"
opendistro_security.openid.base_redirect_url: "http://localhost:5601"

Does anyone have any idea what can cause the problem?

Hi @leo_gazziro

Could you try to set in openid_auth_domain the below settings.

http_enabled: true (instead of enabled:true)
transport_enabled: false

Do you see any errors in ES logs?
What ODFE version are you running?

When it fails to authenticate it can end up in these kind of loops. I would expect that the problem gets logged in elasticsearch logs. I think when I had an issue like this it was because the elastic nodes did not have a route to my openid servers (and my subject_key was wrong). Also is <tenant> correct?

@pablo I tryed to change http enable and transport config but doesn’t work.
My ODFE version

About the logs, it doesn’t have relevant informations, I need to active somenting?

Thanks for helping guys


Try to follow the ODFE documentation and enable either debug or trace logging. Trace will provide more verbose output.

Hi @pablo

Sorry for my delay. ES log have this message: [2021-06-01T20:27:45,668][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [teste-kibana] No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’

Hi @pablo

ES log have this message: [2021-06-01T20:27:45,668][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [teste-kibana] No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’

1 Like

Hello, we are having the same problem.
We are installing Wazuh on docker-compose, which has the opendistro containers. Our oidc provider is keycloack.
if anyone knows how to fix it, that would be great, thanks

Had the same issue. See solution here: Issue with openid/keycloak causing infinite redirects with Helm - #4 by gdd314596