Kibana/Opendistro not getting ID token when using OIDC

I'm trying to configure Kibana/Opendistro to use OIDC through Okta, and I got it to work to the point that I can log in. The problem is that from what I can tell, OD/Kibana isn't asking for the ID token which will have the roles from Okta, which are supposed to be assigned to that user. How would I go about getting that ID token?

The current redirect to Okta is the following:

/oauth2/v1/authorize?client_id={{MY_CLIENT_ID}}&response_type=code&redirect_uri={{MY_APP_URI}}&state={{STATE}}&scope=openid%20profile%20email%20address%20phone%20groups

@retorpigs How did you assign roles to the users in Okta?

During my testing I created a Group (for example - Admins), then added this group to the relevant users. Then I created a custom claim that looks like this:

In config.yml I added roles_key: “roles” and created a roles_mapping from admins to all_access.

Can you catch and examine your JWT? Is the roles key present?
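One way to do the check suggested in this reply, as an added example that is not part of the thread: take the JSON the token endpoint returns after the authorization code is exchanged, decode the payload segment of its `id_token`, look for the claim named by `roles_key`, and resolve it against a `roles_mapping`. The token below is constructed with a placeholder signature; the code only decodes, it never verifies, so it is for inspecting a captured token, not for making trust decisions.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_sample_id_token(claims: dict) -> str:
    # Constructed sample only: the signature is a placeholder, not a real RS256 signature.
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    # Inspection only: splits the compact JWS and decodes the payload, no signature check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def find_roles(token_response: dict, roles_key: str = "roles"):
    # Returns None when the code exchange yielded no id_token or the claim is absent.
    if "id_token" not in token_response:
        return None
    return decode_jwt_claims(token_response["id_token"]).get(roles_key)


def resolve_mapped_roles(claim_roles, roles_mapping: dict) -> list:
    # roles_mapping shape (assumed here): {security_role: {"backend_roles": [...]}}
    have = set(claim_roles or [])
    return sorted(role for role, m in roles_mapping.items()
                  if have & set(m.get("backend_roles", [])))


# Constructed token-endpoint response; not captured from Okta.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "access_token": "placeholder-access-token",
    "id_token": make_sample_id_token(
        {"sub": "00u-constructed", "email": "alice@example.com", "roles": ["admins"]}),
}
SAMPLE_ROLES_MAPPING = {"all_access": {"backend_roles": ["admins"]},
                        "readall": {"backend_roles": ["auditors"]}}
```

The usual failure modes are visible here: a response without an `id_token`, a token whose payload lacks the configured `roles_key`, or a claim name that does not match `config.yml`.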

I'm doing the same as you. The problem is that as far as I can tell, Kibana isn't even asking Okta for the JWT, only the auth code.

@retorpigs What makes you think this? You would not see the JWT in the url.
If you are using OIDC and are able to login, I would guess the JWT is indeed being passed. You just need to somehow capture it to decode and examine.

I’m not aware of a way to use built in logging to display JWT.

Alternatively, I can upload my docker-compose config with the Okta implementation to GitHub and you can try it and compare it to yours. Will this help?

I passed many tens of logins through the Burp Suite proxy and looked at all the traffic being exchanged between Kibana and Okta, and never saw a token being passed.
It's moot now anyway because I got SAML working.
Thanks for your help!