Issue with openid/keycloak causing infinite redirects with Helm

I have been trying to set up a Helm deployment with kibana set up to work with keycloak with AzureAD as an Identity Provider.

It works in the sense that when I go to kibana, it forwards me to keycloak, authenticates me and sends me back to kibana. But then kibana doesn’t know I’m authenticated and sends me back again and so on until I get an error for redirect loop.

This is ODFE 1.13.1

I configured the keycloak client with “Authorization Code Flow”. It has “https://kibana.my.domain.azure.com/” as base/root URI and “https://kibana.my.domain.azure.com/auth/openid/login” as redirect URIs

I’m using a config.yml as so:

    _meta:
      type: "config"
      config_version: 2
    config:
      enable_ssl: true
      verify_hostnames: false
      pemtrustedcas_filepath: "/usr/share/elasticsearch/certs/elk-rest-root-ca.pem"
      dynamic:
        filtered_alias_mode: "warn"
        disable_rest_auth: false
        disable_intertransport_auth: false
        respect_request_indices_options: false
        license: null
        #kibana:
        #  multitenancy_enabled: true
        #  server_username: kibanaserver
        #  index: '.kibana'
        http:
          anonymous_auth_enabled: false

        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: https://keycloak.my.domain.azure.com/auth/realms/artika/.well-known/openid-configuration
            authentication_backend:
              type: noop

With the relevant values in the Helm config being

    opendistro_security.cookie.secure: true
    opendistro_security.cookie.password: "zzzzzzz"
    elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant","jwtToken", "securitytenant"] 
    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: "https://keycloak.my.domain.azure.com/auth/realms/artika/.well-known/openid-configuration"
    opendistro_security.openid.client_id: "elastic"
    opendistro_security.openid.client_secret: "yyyyyyyyy"
    opendistro_security.openid.base_redirect_url: "https://kibana.my.domain.azure.com/" 
    opendistro_security.openid.root_ca: "/usr/share/kibana/certs/kibana-root-ca.pem" 

And here is what it looks like in the network tab:

I have exactly the same problem. The initial forward to keycloak works as expected, authentication and code to token exchange seems to work. But Kibana still keeps redirecting to keycloak in a loop.

@gdd314596 Can you try “https://kibana.my.domain.azure.com/*” as redirect URIs?

What proxy do you use?

So we did get this working and I’ll provide a snippet from the working config.yaml. The key is to have OAuth go first and add exceptions for some roles - I believe OAuth will authenticate the user but then do actions as the kibanaserver user so we don’t want to try to OAuth that.

    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

      openid_auth_domain:
        description: "Authenticate via OAuth"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://mykeycloak.azure.com/auth/realms/MYREALM/.well-known/openid-configuration
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: true
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/elk-transport-root-ca.pem"
            jwks_uri:  https://mykeycloak.azure.com/auth/realms/MYREALM/protocol/openid-connect/certs
            skip_users:
              - kibanaro
              - kibanaserver
              - logstash
              - adminp
              - admin
              - filebeat_internal
              - kibanauser
        authentication_backend:
          type: noop
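As an added example (not from this thread or from the OpenDistro project), the script below turns the two fixes discussed here into a small lint that can be run against a security config before rolling it out: it checks that the openid authc domain is evaluated before the basic domain and that `kibanaserver` is listed in `skip_users` (the ordering fix from the working config.yaml above), and it checks that the callback Kibana will send (`base_redirect_url` plus `/auth/openid/login`) is covered by the redirect URIs registered at the IdP (the `/*` suggestion earlier in the thread). The two `authc` dicts are constructed to mirror the looping and the working config from this thread so the script runs without PyYAML; the assumption that a trailing `*` in a registered redirect URI acts as a prefix wildcard is mine, not something the thread states.

```python
"""Lint for the two redirect-loop causes discussed in the thread (added example)."""

# Internal user Kibana uses for its own requests; the working config skips it for openid.
KIBANA_SERVICE_USER = "kibanaserver"

# Constructed: the authc section of the original, looping config (basic first, no skip_users).
LOOPING_AUTHC = {
    "basic_internal_auth_domain": {
        "order": 0, "http_enabled": True,
        "http_authenticator": {"type": "basic", "challenge": False},
    },
    "openid_auth_domain": {
        "order": 1, "http_enabled": True,
        "http_authenticator": {"type": "openid", "challenge": False,
                               "config": {"subject_key": "preferred_username"}},
    },
}

# Constructed: the authc section of the working config (openid first, service users skipped).
WORKING_AUTHC = {
    "basic_internal_auth_domain": {
        "order": 1, "http_enabled": True,
        "http_authenticator": {"type": "basic", "challenge": True},
    },
    "openid_auth_domain": {
        "order": 0, "http_enabled": True,
        "http_authenticator": {"type": "openid", "challenge": False,
                               "config": {"subject_key": "preferred_username",
                                          "skip_users": ["kibanaro", "kibanaserver", "logstash"]}},
    },
}


def auth_chain(authc):
    """Enabled HTTP authc domains in evaluation order (ascending 'order', as the fix relies on)."""
    enabled = [(name, d) for name, d in authc.items() if d.get("http_enabled", True)]
    return sorted(enabled, key=lambda nd: nd[1].get("order", 0))


def check_authc(authc):
    """Return a list of findings; an empty list means the config matches the working layout."""
    findings = []
    chain = auth_chain(authc)
    types = [d["http_authenticator"]["type"] for _, d in chain]
    if "openid" not in types:
        return ["no enabled openid http_authenticator"]
    if "basic" in types and types.index("basic") < types.index("openid"):
        findings.append("basic domain is evaluated before openid; the working config puts openid at order 0")
    for name, d in chain:
        auth = d["http_authenticator"]
        if auth["type"] != "openid":
            continue
        skip = set(auth.get("config", {}).get("skip_users", []))
        if KIBANA_SERVICE_USER not in skip:
            findings.append(f"{name}: '{KIBANA_SERVICE_USER}' missing from skip_users, "
                            "so Kibana's own requests would go through openid")
    return findings


def redirect_uri_registered(base_redirect_url, registered_uris):
    """Compute the callback Kibana sends and check it against the IdP's registered redirect URIs.

    Assumption (mine): a registered URI ending in '*' matches any callback with that prefix.
    Returns (callback, matched).
    """
    callback = base_redirect_url.rstrip("/") + "/auth/openid/login"
    for pattern in registered_uris:
        if pattern.endswith("*"):
            if callback.startswith(pattern[:-1]):
                return callback, True
        elif callback == pattern:
            return callback, True
    return callback, False


if __name__ == "__main__":
    for label, authc in (("looping", LOOPING_AUTHC), ("working", WORKING_AUTHC)):
        print(label, check_authc(authc) or "ok")
    base = "https://kibana.my.domain.azure.com/"
    for uris in (["https://kibana.my.domain.azure.com/"],
                 ["https://kibana.my.domain.azure.com/auth/openid/login"],
                 ["https://kibana.my.domain.azure.com/*"]):
        print(uris, redirect_uri_registered(base, uris))
```

Run it as-is to see the looping config flagged on both counts and the working one pass; to check a real deployment, load the `authc` section of your own config.yaml into the dict shape used here and pass the redirect URIs exactly as registered in the IdP client.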

I have a very similar issue to you, except I am trying to use the AWS Cognito OpenID feature (aka Cognito Hosted UI) as my identity provider.

After setting my callback/redirect URIs to include both https://<kibanaserver> and https://<kibanaserver>/auth/openid/login I have Cognito forwarding back to Kibana, before going into what appears to be the same loop. Obviously my URLs are slightly different as I’m using a different identity provider, but it appears to be the same issue when comparing my network calls to yours.

I’ve tried to set my securityconfig/config.yaml as you have described where openid comes first but skipping the kibanaserver user followed by the basic internal auth domain, but it does not appear to resolve the issue.

Do you think there’s any other relevant config perhaps omitted? I can’t think of what other files would be relevant, but I am grasping at straws…

Half-related thread I found: Redirect Mismatch Error (OIDC - AWS Cognito) - #6 by nick_cloud