According to your config and error, you're trying to reach Keycloak on port 32788.
Did you change Keycloak's default HTTPS port 8443 to 32788?
openid_connect_url points to ‘https:///access/realms/master/.well-known/openid-configuration’
In my config, that URL is ‘https:///auth/realms/master/.well-known/openid-configuration’
To verify that, copy the URL from openid_connect_url to your browser. That should return the following output.
Hi,
I'm using a k8s environment. I have deployed Keycloak using NodePort, so for me the Keycloak URL is accessible via port 32788.
I purposely took the Keycloak service down and Kibana had the above-mentioned error log. Then I checked the OD security endpoint health using /api/status. The status says green (ideally it should have been red).
I can get red status on the security plug-in in ODFE 1.9 only during Kibana startup. The plug-in doesn't turn red when Keycloak is turned off after a successful Kibana startup.
As per my tests, since version 1.10, Kibana will start and load the security plug-in successfully even when Keycloak is down. (OpenID scenario)
Hi,
Yes, I have tried the scenario on OD security plugin 1.9. In that version, during startup of Kibana, it tries to connect to the Keycloak endpoint, and if it is not reachable the plugin status turns to Red.
But the same scenario in OD security plugin 1.13.x doesn’t turn Red. Why is it so?
It looks like a design change. When you look at the logs in 1.13.x you will see that the connectivity test is still performed and the connectivity issue is reported, but the default behaviour is not to fail Kibana start-up.
As you said, the documentation doesn't explain this behaviour. The best place to ask such a question is GitHub, where the developers can answer.
Still, I think that the plug-in config is validated only during Kibana start-up and not actively monitored. If Keycloak goes offline, then the plug-in status will remain green in both 1.9.0 and 1.13.x.
Maybe you should consider monitoring the IdP (i.e. Keycloak) with an IP or API query in such a case.
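
The IdP monitoring suggested in the last reply, sketched as an added example that is not part of the original thread or of the plug-in: a probe that queries the OpenID discovery document directly, since the plug-in status stays green. The function names, the `idp.example` host and the sample document are assumptions constructed for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Endpoints the discovery document must list before OpenID logins can work.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample document (hypothetical host), used only for the offline demo.
BASE = "https://idp.example/auth/realms/master"
SAMPLE = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
}).encode()

def http_fetch(url, timeout=5):
    """Fetch url with default TLS certificate verification; return (status, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read()

def check_idp(discovery_url, fetch=http_fetch):
    """Return ("green" or "red", reason) for the IdP behind discovery_url."""
    try:
        status, body = fetch(discovery_url)
    except urllib.error.HTTPError as exc:  # 4xx/5xx raised by urllib
        return "red", f"HTTP {exc.code}"
    except OSError as exc:  # refused connection, timeout, DNS or TLS failure
        return "red", f"unreachable: {exc}"
    if status != 200:
        return "red", f"HTTP {status}"
    try:
        doc = json.loads(body)
        missing = [k for k in REQUIRED if not doc.get(k)]
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return "red", "response is not a JSON object"
    if missing:
        return "red", "missing fields: " + ", ".join(missing)
    return "green", "discovery document OK"

if __name__ == "__main__":
    # Pass the openid_connect_url value for a real probe; no argument runs the offline demo.
    demo = ("https://idp.example/", lambda u: (200, SAMPLE))
    state, reason = check_idp(*((sys.argv[1],) if len(sys.argv) > 1 else demo))
    print(state, reason)
    sys.exit(0 if state == "green" else 1)
```

The exit code is non-zero on red, so the script can back a cron job or a Kubernetes exec probe; a Keycloak certificate that the host does not trust is reported as unreachable rather than being skipped.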