I have been trying to set up a Helm deployment with kibana set up to work with keycloak with AzureAD as an Identity Provider.
It works in the sense that when I go to kibana, it forwards me to keycloak, authenticates me and sends me back to kibana. But then kibana doesn’t know I’m authenticated and sends me back again and so on until I get an error for redirect loop.
This is ODFE 1.13.1
I configured the keycloak client with “Authorization Code Flow”. It has “https://kibana.my.domain.azure.com/” as base/root URI and “https://kibana.my.domain.azure.com/auth/openid/login” as redirect URIs
I’m using a config.yml as so:
# multitenancy_enabled: true
# server_username: kibanaserver
# index: '.kibana'
With the relevant values in the Helm config being
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant","jwtToken", "securitytenant"]
And here is what it looks like in the network tab:
I have exactly the same problem. The initial forward to keycloak works as expected, authentication and code to token exchange seems to work. But Kibana still keeps redirecting to keycloak in a loop.
@gdd314596 Can you try “https://kibana.my.domain.azure.com/*” as redirect URIs?
What proxy do you use?
So we did get this working and I’ll provide a snippet from the working config.yaml. The key is to have OAuth go first and add exceptions for some roles - I believe OAuth will authenticate the user but then do actions as the kibanaserver user so we don’t want to try to OAuth that.
description: "Authenticate via HTTP Basic against internal users database"
description: "Authenticate via OAuth"
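As an added illustration of the ordering described in that reply (not the poster's own files), here is what the two halves of such a setup look like for ODFE 1.13: the security plugin's config.yml with the OpenID domain first and the kibanaserver user skipped, and the matching kibana.yml. Hostnames, the Keycloak realm, client id/secret and the claim names are placeholders you would replace with your own.

```yaml
# securityconfig/config.yml (Elasticsearch side, security plugin)
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      openid_auth_domain:
        description: "Authenticate via OAuth"
        http_enabled: true
        transport_enabled: false
        order: 0                       # evaluated first, before basic auth
        http_authenticator:
          type: openid
          challenge: false             # never send a 401 challenge for OIDC
          config:
            subject_key: preferred_username   # placeholder: claim holding the username
            roles_key: roles                  # placeholder: claim holding role names
            openid_connect_url: https://keycloak.example.com/auth/realms/myrealm/.well-known/openid-configuration
        authentication_backend:
          type: noop                   # the signed JWT is the proof of identity
        skip_users:
          - kibanaserver               # Kibana's own service user falls through to basic auth
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false             # a basic challenge here would break the OIDC redirect
        authentication_backend:
          type: intern
---
# kibana.yml (Kibana side, values set through the Helm chart)
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://keycloak.example.com/auth/realms/myrealm/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibana"                    # placeholder
opendistro_security.openid.client_secret: "REPLACE_WITH_SECRET"   # placeholder, keep it out of git
opendistro_security.openid.base_redirect_url: "https://kibana.my.domain.azure.com"
opendistro_security.openid.scope: "openid profile email"
# the bearer token and tenant header must reach Elasticsearch or the openid domain never sees them
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "securitytenant"]
elasticsearch.username: "kibanaserver"
```

If the openid domain cannot validate the token (wrong connect_url, the Authorization header not whitelisted, or basic auth listed before openid with challenge enabled), the security plugin rejects the request, Kibana treats the user as unauthenticated and starts the redirect again, which is the loop seen in the network tab.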
I have a very similar issue to you, except I am trying to use the AWS Cognito OpenID feature (aka Cognito Hosted UI) as my identity provider.
After setting my callback/redirect URIs to include both https://<kibanaserver>/auth/openid/login I have Cognito forwarding back to Kibana, before going into what appears to be the same loop. Obviously my URLs are slightly different as I’m using a different identity provider, but it appears to be the same issue when comparing my network calls to yours.
I’ve tried to set my securityconfig/config.yaml as you have described, where openid comes first but skipping the kibanaserver user, followed by the basic internal auth domain, but it does not appear to resolve the issue.
Do you think there’s any other relevant config perhaps omitted? I can’t think of what other files would be relevant, but I am grasping at straws…
Half-related thread I found: Redirect Mismatch Error (OIDC - AWS Cognito) - #6 by nick_cloud