OpenID Connect. Authentication finally failed

Hi,

I am trying to follow what is explained in https://opendistro.github.io/for-elasticsearch-docs/docs/security/openid-connect/.

My complete configuration file is:

opendistro_security:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: http://keycloak:8080/auth/realms/master/.well-known/openid-configuration
        authentication_backend:
          type: noop

Elasticsearch seems to start properly, but when I try to call the API using a token obtained from Keycloak, I get the following error:

elasticsearch_1  | [2019-05-22T14:11:26,089][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [4nyZqQ2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
elasticsearch_1  | [2019-05-22T14:11:26,091][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [4nyZqQ2] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.
elasticsearch_1  | [2019-05-22T14:11:26,094][INFO ][c.a.o.s.p.PrivilegesEvaluator] [4nyZqQ2] No cluster-level perm match for User [name=test, roles=[], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [cluster:monitor/main]] [RolesChecked [own_index]]
elasticsearch_1  | [2019-05-22T14:11:26,096][INFO ][c.a.o.s.p.PrivilegesEvaluator] [4nyZqQ2] No permissions for [cluster:monitor/main]
elasticsearch_1  | [2019-05-22T14:14:33,729][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [4nyZqQ2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
elasticsearch_1  | [2019-05-22T14:14:33,730][WARN ][c.a.o.s.a.BackendRegistry] [4nyZqQ2] Authentication finally failed for null from 172.21.0.1:34012

The JWT token you are using does not have a valid structure: (roles_key ‘roles’) means it expects to have a claim field named “roles” at the root of your JWT token.
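As an added example (not the reply author's or Open Distro's code), a small Python helper that decodes a token's payload and reports whether the `preferred_username` and `roles` claims sit at the top level, as the `subject_key`/`roles_key` settings in the configuration above require, or where else a `roles` claim occurs. The sample token is constructed, with a nested `realm_access.roles` layout assumed for the demonstration; the helper does not verify the signature, which Elasticsearch does against the provider's JWKS.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying the signature.
    Only for inspecting claim layout; trust decisions stay with Elasticsearch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def find_claim_paths(obj, name, prefix=""):
    """Collect every dotted path at which a claim called `name` occurs."""
    paths = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if key == name:
                paths.append(path)
            paths.extend(find_claim_paths(value, name, path))
    return paths


def check_claims(token, subject_key="preferred_username", roles_key="roles"):
    """Mirror the openid authenticator: subject_key and roles_key must be
    top-level claims. roles_at_root is None when the claim is not at the root."""
    payload = jwt_payload(token)
    return {
        "subject": payload.get(subject_key),
        "roles_at_root": payload.get(roles_key),
        "roles_found_at": find_claim_paths(payload, roles_key),
    }


def _make_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed; dummy signature part)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: roles sit under realm_access, not at the root,
# which is exactly the layout that triggers the roles_key warning above.
SAMPLE_TOKEN = _make_token({"preferred_username": "test",
                            "realm_access": {"roles": ["admin"]}})
```

Running `check_claims(SAMPLE_TOKEN)` reports `roles_at_root` as `None` and `roles_found_at` as `['realm_access.roles']`, which tells you the token needs a top-level `roles` claim (or `roles_key` must point at a top-level claim) before the mapping can work.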

@daniel.calvo Did you get this resolved?