Basic Authorization not Found on OpenDistro 1.4.0 with Keycloak 9.0.0

Security
1

Hello everybody,

I installed on my PC (windows 10 x86_64) the applications in question:

OpenDistro 1.4.0
OpenDistro-Kibana 1.4.0
Keycloak 9.0.0

to test how OpenDistro works with OpenID. I mainly followed this guide: OPENID and modified the files indicated.

config.yml

config:
      dynamic:
http:
  anonymous_auth_enabled: false
  xff:
    enabled: false
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration
   authentication_backend:
     type: noop

kibana.yml

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: same of the previous
opendistro_security.openid.client_id: "kibana-sso"
opendistro_security.openid.client_secret: "285d9831-dd11-4494-bf29-68fa5e883cb4"
elasticsearch.hosts: local port 9200
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["Authorization", "securitytenant"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

I created the kibanaserver user on keycloak, created the kibana-sso client_id and associated the client_secret. Then I created the kibana_read_only and all_access roles and associated them to the user.

Also reading on this forum I mapped the user roles in the roles key so that they are found by elasticsearch.
This is an example token generated by keycloak:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqanQ3ckpUb1JqMnhmanhkQ3pJZEh1VjZuOXM0bGdKY1lBQTZ4S2xZeEhjIn0.eyJqdGkiOiJiMzc2ZjMzMi1iNzNjLTQzYmMtYWEzYi1iYzJmZTM0MjMyYjYiLCJleHAiOjE1ODI3Mjc4NjYsIm5iZiI6MCwiaWF0IjoxNTgyNzI3ODA2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoia2liYW5hLXNzbyIsInN1YiI6IjQ3OTA0NmI2LWI2NmMtNDVmMS1iMTJmLWE2YTU0YzNmM2RiMSIsInR5cCI6IklEIiwiYXpwIjoia2liYW5hLXNzbyIsImF1dGhfdGltZSI6MTU4MjcyNzMwMywic2Vzc2lvbl9zdGF0ZSI6ImZkY2RlYjJhLTc5YWQtNDY4YS1hNDE4LWM4NTdlZDQ4NjUwZCIsImFjciI6IjAiLCJhZGRyZXNzIjp7fSwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJyb2xlcyI6WyJjcmVhdGUtcmVhbG0iLCJraWJhbmFfcmVhZF9vbmx5Iiwib2ZmbGluZV9hY2Nlc3MiLCJhZG1pbiIsImFsbF9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJraWJhbmFzZXJ2ZXIifQ.LMOVjQ-C1y9Qt6WoRGU_KzqAytBJRIuRcqCZqhZ17v9p21okMg2Y3xJhgzAHAwyG51RNIDKEo9K4x5NHnTNC25cLEnD_Gr7LUHWSe5ttdZg_5IojDhjQEMB9LqOOJ25GDb_hQl6AAJwx9OcZ6pBxLwtnWQQz5gmNJnzvopSHrV-nJwVJ40ppKLxLE2OEaAREKfx6NHga-6cMnNWWCWyb3IqzYbxzTRYHNSrQ5QFmB_TDqX_kQN_OGNTWH4Cc_4H6CNr_z0Lrmt4BRw9L63Zc2umZf6aiJJyr6kB1xb-DFJJ7t-exwmF6mluUpWInhcU589_xiPPvI6jefhUqAj3Tpg

{
  "jti": "b376f332-b73c-43bc-aa3b-bc2fe34232b6",
  "exp": 1582727866,
  "nbf": 0,
  "iat": 1582727806,
  "iss": "http://localhost:8080/auth/realms/master",
  "aud": "kibana-sso",
  "sub": "479046b6-b66c-45f1-b12f-a6a54c3f3db1",
  "typ": "ID",
  "azp": "kibana-sso",
  "auth_time": 1582727303,
  "session_state": "fdcdeb2a-79ad-468a-a418-c857ed48650d",
  "acr": "0",
  "address": {},
  "email_verified": false,
  "roles": [
                "create-realm",
                "kibana_read_only",
                "offline_access",
                "admin",
                "all_access",
                "uma_authorization"
    ],
  "preferred_username": "kibanaserver"
 }

All programs run on the same machine in localhost and only elasticsearch has https. I haven’t changed the certificates because I think that currently the demo ones are enough.

The connection to kibana is done correctly and also the switch to keycloak. But once I enter the keycloak username and password I get a customerror?type=authError#?_g=() error.
and in the elastic search log you can read
No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’.

Does anyone have any idea why this is happening?

1 Like
2

SOLVED.

The problem is hidden in the boot of opendistro. At startup, an instance is created on elasticsearch with the configuration present at that time in config.yml. So if a user downloads openDistro and starts it, it automatically loads only the Basic Authenticator and any subsequent changes made to config.yml are ignored.

So the files shown in the previous post are correct, but must be inserted before the first boot.

3

Facing this issue , can anybody help
https://stackoverflow.com/questions/60622018/opendistro-throwing-an-error-on-accepting-a-jwt-token-from-keycloak

1 Like
4

@claudiobadii Can you please send the brief about how it worked and share the configuration for the same.

5

Hi All, if you are having issues with keycloak and odfe, can you share your config files and any errors that you are seeing on screen and in logs.