Kibana OpenID Connect does not redirect to IDP (IdentityServer4)

plele-ssc · December 18, 2020, 12:13am

I’ve been trying to get this working for a few days now, but no luck. The expectation here is that if the user is not authenticated, Kibana should redirect to the IDP login endpoint. This does not happen. Instead, I keep getting the following response when I try to access Kibana for the first time:

{“statusCode”:401,“error”:“Unauthorized”,“message”:“Unauthorized”}

The logs indicate that Kibana does route from the root to the oidc route. But from there, it does not redirect to the idp auth endpoint for some reason. I should add that if I manually inject a valid token to the request, Kibana does allow access using the user in the token.

The redirect to the identity provider does not happen.

Any help would be greatly appreciated!

Kibana logs:

{“type”:“log”,“timestamp”:“2020-12-18T00:07:30Z”,“tags”:[“debug”,“http”,“server”,“Kibana”,“cookie-session-storage”],“pid”:11360,“message”:“Error: Unauthorized”}

{“type”:“response”,“timestamp”:“2020-12-18T00:07:30Z”,“tags”:,“pid”:11360,“method”:“get”,“statusCode”:401,“req”:{“url”:“/favicon.ico”,“method”:“get”,“headers”:{“cache-control”:“no-cache”,“connection”:“Keep-Alive”,“pragma”:“no-cache”,“accept”:“image/avif,image/webp,image/apng,image/,/;q=0.8",“accept-encoding”:“gzip, deflate, br”,“accept-language”:“en-US,en;q=0.9”,“host”:“”,“max-forwards”:“10”,“referer”:“/auth/openid/login?nextUrl=%2F”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36”,“sec-ch-ua”:“"Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"”,“sec-ch-ua-mobile”:“?0”,“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“no-cors”,“sec-fetch-dest”:“image”,“x-original-url”:“/favicon.ico”,“x-forwarded-for”:“<>”,“x-arr-ssl”:“”,“x-arr-log-id”:“7f42fe43-8902-4bcd-8c32-8ea1c533d80a”},“remoteAddress”:"<**>”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36”,“referer”:“/auth/openid/login?nextUrl=%2F”},“res”:{“statusCode”:401,“responseTime”:0,“contentLength”:9},“message”:“GET /favicon.ico 401 0ms - 9.0B”}

config.yml
authc:
basic_internal_auth_domain:
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: “internal”
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: <subject_key>
roles_key: <role_key>
openid_connect_url: /.well-known/openid-configuration
enable_ssl: true
verify_hostnames: false
pemtrustedcas_filepath: “”
authentication_backend:
type: noop
authz:

kibana.yml
opendistro_security.auth.type: “openid”
opendistro_security.openid.connect_url: “/.well-known/openid-configuration”
opendistro_security.openid.client_id: <client_id>
opendistro_security.openid.client_secret:
opendistro_security.openid.scope: “openid profile web.api”
opendistro_security.openid.base_redirect_url: “<kibana_host>”
opendistro_security.openid.root_ca: “<path_to_cert>”
opendistro_security.openid.verify_hostnames: false

tvendetta-sy · December 21, 2020, 7:48pm

I’m using the latest version of opendistro ES and Kibana and also running into this issue.

Very similar setup as described above, basically everything taken from the documentation verbatim.

plele-ssc · December 21, 2020, 8:30pm

These open issues on github seem related to this.

it looks like the oidc auth handler route isn’t being parsed correctly in the kibana plugin.

plele-ssc · January 16, 2021, 2:48am

In case anyone finds this thread via search: this ticket is related too.

Anthony · February 3, 2021, 8:48pm

@plele-ssc did you try solution in Missing important parameter in OpenID configuration

plele-ssc · February 3, 2021, 8:59pm

Yes. It didn’t help.

Anthony · March 15, 2021, 4:05pm

@plele-ssc Just to confirm the full openid_connect_url was actually used in both files but first part was redacted?
So full url looks something like this? (keycloak example):
https://<idp_host>/auth/realms/<realm_name>/.well-known/openid-configuration

plele-ssc · March 15, 2021, 6:39pm

Yes, that’s right. Full url was added in both config files, but host was redacted here.

joshblease · April 21, 2021, 8:15am

@plele-ssc, did you manage to solve this? I’m having the same issue as you but since they did some GitHub “housekeeping” I’m struggling to find any further advice.

plele-ssc · April 21, 2021, 2:02pm

@joshblease I struggled to find advice even before the housekeeping, tbh. It seems to work well with keycloak, but not that much information out there about IdentityServer.

Anyhow - I was not able to solve this, and ended up not implementing OIDC login.

joshblease · April 21, 2021, 2:21pm

Okay @plele-ssc, I managed to figure it out but it wasn’t easy and I’ve had to fork the security plugin repo to come up with a “fix” (my knowledge of node is limited and I can’t commit back a change of good quality). I’ll document my solution here:

I use self signed certs for Elasticsearch & Kibana, however I am using Okta as my IdP so your mileage may vary. The only ways to authenticate in my setup are with client certs or SSO.

This is my ES security config (make sure to use securityadmin.sh to load the new config and refresh the cache if you change this:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
    do_not_fail_on_forbidden: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
      openid_auth_domain:
        description: "Authenticate via OAuth"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: name
            roles_key: groups
            openid_connect_url: https://dev-999999.okta.com/oauth2/default/.well-known/openid-configuration
        authentication_backend:
          type: noop

The Kibana config is as follows (there may be some unnecessary config here but it works ):

elasticsearch.preserveHost: true
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/api/authtoken"]
elasticsearch.ssl.certificate: /etc/kibana/kibana.crt
elasticsearch.ssl.key: /etc/kibana/kibana.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.enable_filter: false
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "jwtToken", "securitytenant"] 
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://dev-999999.okta.com/oauth2/default/.well-known/openid-configuration"
opendistro_security.openid.client_id: "id-from-idp"
opendistro_security.openid.client_secret: "secret-from-idp"
opendistro_security.openid.base_redirect_url: "https://kibana.myhost.com/" 
opendistro_security.openid.header: "Authorization"

I finally modified the OpenID plugin which is found at /usr/share/kibana/plugins/opendistroSecurityKibana/server/auth/types/openid. The problem is that the plugin doesn’t register then endpoints before kibana starts up and so it never works. I replace the init method in openid_auth.js with the following (be sure to remove the async keyword too)

init() {
    try {
        this.openIdAuthConfig.authorizationEndpoint = "https://dev-999999.okta.com/oauth2/default/v1/authorize";
        this.openIdAuthConfig.tokenEndpoint = "https://dev-999999.okta.com/oauth2/default/v1/token";
        this.openIdAuthConfig.endSessionEndpoint = "https://dev-999999.okta.com/oauth2/default/v1/logout";
        const routes = new _routes.OpenIdAuthRoutes(this.router, this.config, this.sessionStorageFactory, this.openIdAuthConfig, this.securityClient, this.coreSetup, this.wreckClient);
        routes.setupRoutes();
    } catch (error) {
        this.logger.error(error); // TODO: log more info
        throw new Error('Failed when trying to obtain the endpoints from your IdP');
    }
}

I’m trying to build the new plugin now at this fork if you’re interested - GitHub - OpenSource-THG/security-kibana-plugin

plele-ssc · April 21, 2021, 4:30pm

Thanks for the update, I appreciate it!
I’ll check out the link.

Topic		Replies	Views
Kibana OIDC Okta Integration redirecting straight to ${KIBANA_URL}/auth/openid/login with 401 Security	2	526	June 28, 2021
OpenID Connect in Kibana Open Distro: too_many_redirects Security	18	1265	November 15, 2021
Kibana doesn't redicrt to login-page Security	4	712	February 17, 2021
Kibana oidc with keycloak perpetual redirect Security	9	2012	December 16, 2021
Kibana 401 unauthorized error Security	12	4870	July 19, 2022

Kibana OpenID Connect does not redirect to IDP (IdentityServer4)

Related Topics