I am unable to log in (or access any Kibana APIs) through JWT.
Below are the configurations which I used.
Security configuration in Kibana

security.config.yml

```yaml
jwt_auth_domain:
  enabled: true
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "MIIBIjANBgkqhkiG9w0BA…"
      jwt_header: "access_token"
      roles_key: "authorities"
      subject_key: "user_name"
  authentication_backend:
    type: noop
```
elasticsearch.yml

```yaml
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.authcz.admin_dn:
  - "CN=elasticsearch,OU=NetWitness,O=RSA,L=Reston,ST=VA,C=US"
  - "CN=rsa-nw-metrics-server,OU=NetWitness,O=RSA,L=Reston,ST=VA,C=US"
# RBAC config for Kibana
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.unsupported.restapi.allow_securityconfig_modification: true
```
kibana.yml

```yaml
# Description:
# Default Kibana configuration for Open Distro.
elasticsearch.hosts: "https://localhost:9200"
elasticsearch.ssl.certificateAuthorities: /etc/pki/nw/trust/truststore.pem
elasticsearch.ssl.verificationMode: certificate
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization", "access_token"]
opendistro_security.allow_client_certificates: true
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.jwt.enabled: true
opendistro_security.auth.type: "jwt"
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.key: /etc/kibana/kibana-key.pem
server.ssl.certificate: /etc/kibana/kibana-cert.pem
```
Below is my JWT token:

Header:

```json
{
  "alg": "RS256",
  "typ": "JWT"
}
```

Payload:

```json
{
  "exp": 1583847013752,
  "iss": "security-server-3272677e-1552-4b8e-9dee-8563c127be21",
  "iat": 1583818213752,
  "authorities": [
    "Administrators"
  ],
  "user_name": "admin"
}
```

Encoded JWT token:

```text
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODM4NDcwMTM3NTIsImlzcyI6InNlY3VyaXR5LXNlcnZlci0zMjcyNjc3ZS0xNTUyLTRiOGUtOWRlZS04NTYzYzEyN2JlMjEiLCJpYXQiOjE1ODM4MTgyMTM3NTIsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.YOxUPRyhXlJIKcIYLimAZnciEw3drVXjQDTJz-8TjHu0GSoD7SlJeY4azEhnUogGjVwXV_vh--ROb_dwVMme173R-6Hn6ynOTDsfKN61l3DXXyp1FZu-FV8H8ziLaY9B-ULUbqw9e8Cq21FGkhhyux6JPqfC3GR9-DaLAgVRo7QyHK9a-HTBi9wWelzN_XHI91agI0d83mOPqKcGMEDVQdyfam-BsY0dgLm7jJ5Mgmu8SwwwK4YzMLyoshO1QZYAcrIdPka5tfFPmDIdE3cTxx-fM-mw8pZ2CykdkHBn1dZyBD-lXqbZ4QYHEfLJMR5vvcLMv9Sh4UyVdbiWsd44Sg
```
I am able to access the Elasticsearch APIs successfully through this token.
Below are the request and response for the Elasticsearch APIs.

Request:

```shell
curl --location --request GET 'https://10.125.250.205:9200/_cat/indices' \
  --header 'access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODM4NDcwMTM3NTIsImlzcyI6InNlY3VyaXR5LXNlcnZlci0zMjcyNjc3ZS0xNTUyLTRiOGUtOWRlZS04NTYzYzEyN2JlMjEiLCJpYXQiOjE1ODM4MTgyMTM3NTIsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.YOxUPRyhXlJIKcIYLimAZnciEw3drVXjQDTJz-8TjHu0GSoD7SlJeY4azEhnUogGjVwXV_vh--ROb_dwVMme173R-6Hn6ynOTDsfKN61l3DXXyp1FZu-FV8H8ziLaY9B-ULUbqw9e8Cq21FGkhhyux6JPqfC3GR9-DaLAgVRo7QyHK9a-HTBi9wWelzN_XHI91agI0d83mOPqKcGMEDVQdyfam-BsY0dgLm7jJ5Mgmu8SwwwK4YzMLyoshO1QZYAcrIdPka5tfFPmDIdE3cTxx-fM-mw8pZ2CykdkHBn1dZyBD-lXqbZ4QYHEfLJMR5vvcLMv9Sh4UyVdbiWsd44Sg'
```

Response:

Status 200 with the correct response, i.e.

```text
yellow open nw-security-analytics B16YAAL6TR-3AxY3cxSXrA 1 1 18167 0 3.1mb 3.1mb
yellow open .opendistro-alerting-alert-history-2020.03.05-000009 FumANqDBQPqHoI-wRWN4SA 1 1 0 0 283b 283b
yellow open .opendistro-alerting-alert-history-2020.03.04-000008 IUSDDU2-QFCOf6TfEhWiDg 1 1 0 0 283b 283b
green open .opendistro_security n1TBIlpYTCObhztEbsRyzw 1 0 6 2 56.1kb 56.1kb
```
But when I try to access the Kibana APIs:

Request:

```shell
curl --location --request GET 'https://10.125.250.205:5601/api/features' \
  --header 'access_token: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODM4NDcwMTM3NTIsImlzcyI6InNlY3VyaXR5LXNlcnZlci0zMjcyNjc3ZS0xNTUyLTRiOGUtOWRlZS04NTYzYzEyN2JlMjEiLCJpYXQiOjE1ODM4MTgyMTM3NTIsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.YOxUPRyhXlJIKcIYLimAZnciEw3drVXjQDTJz-8TjHu0GSoD7SlJeY4azEhnUogGjVwXV_vh--ROb_dwVMme173R-6Hn6ynOTDsfKN61l3DXXyp1FZu-FV8H8ziLaY9B-ULUbqw9e8Cq21FGkhhyux6JPqfC3GR9-DaLAgVRo7QyHK9a-HTBi9wWelzN_XHI91agI0d83mOPqKcGMEDVQdyfam-BsY0dgLm7jJ5Mgmu8SwwwK4YzMLyoshO1QZYAcrIdPka5tfFPmDIdE3cTxx-fM-mw8pZ2CykdkHBn1dZyBD-lXqbZ4QYHEfLJMR5vvcLMv9Sh4UyVdbiWsd44Sg'
```

Response (Kibana log):

```json
{"type":"response","@timestamp":"2020-03-10T05:31:41Z","tags":[],"pid":14734,"method":"get","statusCode":302,"req":{"url":"/api/features","method":"get","headers":{"access_token":"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODM4NDcwMTM3NTIsImlzcyI6InNlY3VyaXR5LXNlcnZlci0zMjcyNjc3ZS0xNTUyLTRiOGUtOWRlZS04NTYzYzEyN2JlMjEiLCJpYXQiOjE1ODM4MTgyMTM3NTIsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.YOxUPRyhXlJIKcIYLimAZnciEw3drVXjQDTJz-8TjHu0GSoD7SlJeY4azEhnUogGjVwXV_vh--ROb_dwVMme173R-6Hn6ynOTDsfKN61l3DXXyp1FZu-FV8H8ziLaY9B-ULUbqw9e8Cq21FGkhhyux6JPqfC3GR9-DaLAgVRo7QyHK9a-HTBi9wWelzN_XHI91agI0d83mOPqKcGMEDVQdyfam-BsY0dgLm7jJ5Mgmu8SwwwK4YzMLyoshO1QZYAcrIdPka5tfFPmDIdE3cTxx-fM-mw8pZ2CykdkHBn1dZyBD-lXqbZ4QYHEfLJMR5vvcLMv9Sh4UyVdbiWsd44Sg","user-agent":"PostmanRuntime/7.22.0","accept":"*/*","cache-control":"no-cache","postman-token":"c3453a60-283b-4145-9d83-493e690d6ef7","host":"10.125.250.205:5601","accept-encoding":"gzip, deflate, br","connection":"keep-alive","securitytenant":"__user__"},"remoteAddress":"10.91.33.121","userAgent":"10.91.33.121"},"res":{"statusCode":302,"responseTime":26,"contentLength":9},"message":"GET /api/features 302 26ms - 9.0B"}
{"type":"response","@timestamp":"2020-03-10T05:31:41Z","tags":[],"pid":14734,"method":"get","statusCode":200,"req":{"url":"/customerror?type=authError","method":"get","headers":{"access_token":"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODM4NDcwMTM3NTIsImlzcyI6InNlY3VyaXR5LXNlcnZlci0zMjcyNjc3ZS0xNTUyLTRiOGUtOWRlZS04NTYzYzEyN2JlMjEiLCJpYXQiOjE1ODM4MTgyMTM3NTIsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.YOxUPRyhXlJIKcIYLimAZnciEw3drVXjQDTJz-8TjHu0GSoD7SlJeY4azEhnUogGjVwXV_vh--ROb_dwVMme173R-6Hn6ynOTDsfKN61l3DXXyp1FZu-FV8H8ziLaY9B-ULUbqw9e8Cq21FGkhhyux6JPqfC3GR9-DaLAgVRo7QyHK9a-HTBi9wWelzN_XHI91agI0d83mOPqKcGMEDVQdyfam-BsY0dgLm7jJ5Mgmu8SwwwK4YzMLyoshO1QZYAcrIdPka5tfFPmDIdE3cTxx-fM-mw8pZ2CykdkHBn1dZyBD-lXqbZ4QYHEfLJMR5vvcLMv9Sh4UyVdbiWsd44Sg","user-agent":"PostmanRuntime/7.22.0","accept":"*/*","cache-control":"no-cache","postman-token":"c3453a60-283b-4145-9d83-493e690d6ef7","accept-encoding":"gzip, deflate, br","referer":"https://10.125.250.205:5601/api/features","host":"10.125.250.205:5601","connection":"keep-alive","securitytenant":"__user__"},"remoteAddress":"10.91.33.121","userAgent":"10.91.33.121","referer":"https://10.125.250.205:5601/api/features"},"res":{"statusCode":200,"responseTime":291,"contentLength":9},"message":"GET /customerror?type=authError 200 291ms - 9.0B"}
```
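A claims check for the token and header shape shown in this post, added here as an example and not part of the original post. It decodes the JWT without verifying the signature (the public key is elided above), confirms the claims that the jwt_auth_domain maps (subject_key user_name, roles_key authorities), flags the "Bearer " prefix that the Kibana request carried and the Elasticsearch request did not, and flags an exp that is in milliseconds rather than the seconds RFC 7519 defines for NumericDate (read as seconds, 1583847013752 lies tens of thousands of years ahead). The sample token is constructed with the same header and claims as the one above, a placeholder issuer and a dummy signature.

```python
import base64
import json
import time

# Claim names as configured in the post's jwt_auth_domain (security.config.yml).
SUBJECT_KEY = "user_name"
ROLES_KEY = "authorities"

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token):
    """Parse header and payload WITHOUT checking the signature: a claims inspection, not authentication."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def strip_bearer(value):
    """Return (raw_token, had_bearer_prefix) for a header value."""
    if value.lower().startswith("bearer "):
        return value[7:].strip(), True
    return value, False

def diagnose(header_value, now=None):
    """Check a header value against the claim mapping the security plugin is configured with."""
    token, had_bearer = strip_bearer(header_value)
    header, claims = decode_unverified(token)
    now = time.time() if now is None else now
    exp, findings = claims.get("exp"), []
    if had_bearer:
        findings.append("'Bearer ' prefix present; the Elasticsearch request sent the bare token")
    if SUBJECT_KEY not in claims:
        findings.append("subject_key '%s' missing" % SUBJECT_KEY)
    if not isinstance(claims.get(ROLES_KEY), list):
        findings.append("roles_key '%s' missing or not a list" % ROLES_KEY)
    if isinstance(exp, (int, float)) and exp > 10 * now:
        findings.append("exp looks like milliseconds; RFC 7519 NumericDate is seconds")
    elif isinstance(exp, (int, float)) and exp < now:
        findings.append("token expired")
    return {"alg": header.get("alg"), "subject": claims.get(SUBJECT_KEY),
            "roles": claims.get(ROLES_KEY, []), "findings": findings}

# Constructed sample: same header and claims as the post's token, placeholder issuer, dummy signature.
SAMPLE_CLAIMS = {"exp": 1583847013752, "iss": "security-server-<id>", "iat": 1583818213752,
                 "authorities": ["Administrators"], "user_name": "admin"}
SAMPLE_TOKEN = ".".join([b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
                         b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
```

Call `diagnose("Bearer " + SAMPLE_TOKEN)` to reproduce the Kibana request's header shape, or pass the bare token for the Elasticsearch one; the log timestamp above (2020-03-10T05:31:41Z) can be supplied as `now` to evaluate the token as of that moment.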