Kibana with OpenID (Keycloak) cannot be redirected when HTTPS is used

Security
1

Hi.
I have successfully implemented OpenID using Keycloak on ODFE version 1:11:0. Everything is working prefectly fine when Keycloak is running on HTTP. But, when I change the config.yml and kibana.yml to change URL to HTTPS version, Keycloak fails to redirect to Kibana.

My kibana.yml file:
opendistro_security.auth.type: “openid”
opendistro_security.openid.connect_url: “https://10.10.4.3:8443/auth/realms/realmname/.well-known/openid-configuration
opendistro_security.openid.client_id: “noob”
opendistro_security.openid.client_secret: “xxxxxxxxxxxxxxxxxxxxxxxxxxxx”

My config.yml file:

_meta:
type: “config”
config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        order: 1
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: https://10.10.4.3:8443/auth/realms/realmname/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: noop

Keycloak Redirect URLs:
https://10.10.4.3:9443/auth/openid/login
https://10.10.4.3:9443/*

Thank you!

2

Welcome @godhelpus! This looks like topic for the security category so I’ve moved it for you.

1 Like
3

Thank you! Waiting for responses.

4

@godhelpus
Can you try the below setting:

  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: "openid"
      challenge: false
      config:
        subject_key: "preferred_username"
        roles_key: "roles"
        openid_connect_url: "https://keycloak:8443/auth/realms/odfe/.well-known/openid-configuration"
        openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/keycloak_s.crt"
        openid_connect_idp.enable_ssl: true
    authentication_backend:
      type: "noop"
5

Hi @Anthony.
I did tweaked the config.yml as provided by you but still no success.
{"type":"log","@timestamp":"2021-05-18T03:49:40Z","tags":["error","plugins","opendistroSecurity"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
Also, I am using self-signed certs as described here and the certificates used by Keycloak is a non-admin certificate.
Thanks for your response, but no luck.

6

@godhelpus, can you add “verify_hostnames: false” in case its verification issue?

openid_connect_idp:
       enable_ssl: true
       verify_hostnames: false
       pemtrustedcas_filepath: /home/tls.pem

If not resolved, What certificate are you providing under “pemtrustedcas_filepath”?

7

Hello @godhelpus

I’ve noticed you’re using 1.11. Unfortunately, this version doesn’t handle self-signed certs very well. It will refuse to connect with keycloak if such is in use.

Version 1.10, 1.11 and 1.12 have the same self-signed cert problem. 1.13 got it resolved.

Also when you use IP address of the keycloak, please be sure that keycloack’s certificate has IP address in CN (Common Name) or SAN (Siubjet Alternative Name).

Could you share your kibana.yml file and OpenID config (settings tab) from keycloak?

8

@Anthony, setting hostname verification to false didn’t worked either.
I’ve been using the root-ca.pem for the pemtrustedcas_filepath: configuration.

9

@pablo, I’ll try this too and will let you know if it worked. I’ll share the configs as well.
The one I’ve been using now is:
CN=admin.odfe.net for admin certs and CN=node.odfe.net for rest of the certs, including Keycloaks’.

10

@godhelpus

If you use “https://10.10.4.3:8443/auth/realms/realmname/.well-known/openid-configuration” then certificate configured in pemtrustedcas has to have that IP in CN or SAN.

11

Thank you very much! This is what I was doing wrong.
But now, I re-created my root-ca with CN=10.10.4.3, CN=admin.odfe.net for Admin certificate and CN=node.odfe.net for Kibana and Logstash. For Keycloak, I used CN=10.10.4.3 and restarted everything. It works now!
Thank you very much for your time and help.

1 Like
12

@Anthony, The issue has been solved now. Thanks for your kind help.