Kibana 401 unauthorized error


We have been struggling with 401 unauthorized error for openID integration (Keycloak as IdP) for Kibana with openDistro security plugin

The authentication integration works fine for the 1st time. But once we restart the kibana we are getting the 401 unauthorized error. To make kibana work we need to delete the .kibana index every time we restart kibana.

We also observed that the security_authentication cookies is not getting created after the kibana restart which could be the cause of the 401 unauthorized error.

Below are the configs we have used


elasticsearch.username: "user"
elasticsearch.password: "pass"
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://<keycloak_ip>/auth/realms/<realm_name>/.well-known/openid-configuration"
opendistro_security.openid.client_id: "client"
opendistro_security.openid.base_redirect_url: "http://<kibana>:5601"
opendistro_security.openid.root_ca: "<root_ca_certificate>"

Elasticsearch config.yml

        http_enabled: true
        transport_enabled: true
        order: 0
          type: openid
          challenge: false
            subject_key: preferred_username
            roles_key: roles
            enable_ssl: true
            verify_hostnames: true
            openid_connect_url: https://<keycloak_ip>/auth/realms/<realm_name>/.well-known/openid-configuration
          type: noop
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
          type: basic
          challenge: true
          type: internal
1 Like

Is the configuration you provided complete or there are parts excluded, like openid.client_secret?

Also, can you confirm which odfe version you are using?

@Anthony Thanks for reply
This is the complete configuration & as the keycloak client has a public access type so client_ secret is not set.

The ODFE version is

Update 05/08/2021

We tried integrating with Azure AD trial account & we are seeing the same behavior that after the restart of kibana getting 401 unauthorized.

Here in this integration we have included openid.client_secret in the kibana config.

I managed to reproduce your error, looking into it now

@Ajay Still looking into this, My local testing seems to indicate that the issue was introduced in 1.13.1, but was working fine in 1.13.0, as a temporary workaround have you tried 1.13.0?

@Anthony As a workaround we had downgraded the setup version to see if it works for older version.
Elasticsearch : 7.10.0
Kibana : 7.10.0
Opendistro :
But facing the same issue of 401 unauthorized after kibana restart.

We have not tried the ODFE 1.13.0 will check on that.

@Anthony Can you please provide the link for kibana_security_plugin- We are getting access denied when trying to download by changing the version number in plugin install URL.
We are able to install Opendistro_security_plugin for elasticsearch-

PS: We are having doubt about this working as it is not working for opendistro

@Ajay elasticsearch plugin:

kibana plugin:

However I have tested using docker-compose, with simply changing the images to:


I can also confirm using this testing environment 1.12.0 has the issue, but 1.13.0 doesn’t.

@Anthony Thanks for the response by changing the opendistro security to 1.13.0 resolved the issue.

@Ajay Could you submit a bug report for this using below link to bring awareness to the dev team:

1 Like

I meet the same issue, first time is fine, but got the error message after restart:

the opensearch version is 2.1

I find the issue same as:

1 Like