OpenId with opendistro 1.12

Has anyone tried opendistro 1.12 with OpenId? I have previously obtained a proper OpenId configuration for version 1.11 with a Keycloak ID Provider. Using version 1.12 with the same configuration, however, the Keycloak login page is not reached. I get a 401 instead. The parameters in the URL are not right at all. How different should the configuration for version 1.12 be from version 1.11?

Best regards,

Nicholson


Hello!

Today I tried to update from opendistro 1.9 to 1.12, which I'm using with Keycloak, but I encountered the same problem you describe above.

I opened an issue explaining the problem after searching the code of the repo and not finding any differences from the older version:

https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/672

If you find anything more, please tell me; otherwise I'll keep using ODFE 1.9.

Good to know about this. I think I will skip 1.12 then, as I just got OIDC working with 1.11 after a long fight.

@JiiHoo / @nicholson could you please post some parts of your kibana.yml and elasticsearch.yml config files?

I'm trying to update from 1.9 to 1.11, but with the same configuration the browser shows:

{"statusCode":403,"error":"Forbidden","message":"Request failed authentication."}

When Kibana is starting I can see this in the logs:

{"type":"log","@timestamp":"2021-02-02T12:09:20Z","tags":["error","plugins","opendistroSecurity"],"pid":1,"message":"{ Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1088:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:666:8)
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  trace:
   [ { method: 'GET',
       url:
        'https://sso.intranet.kuberme.aws/auth/realms/master/.well-known/openid-configuration' } ],
  isBoom: true,
  isServer: true,
  data: null,
  output:
   { statusCode: 502,
     payload:
      { message:
         'Client request error: unable to verify the first certificate',
        statusCode: 502,
        error: 'Bad Gateway' },
     headers: {} } }"}

But I don't know if it's an error or not, because I can use curl with the self-signed cert against Keycloak and it responds correctly.

My kibana.yml security info is:

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://{SSO_DOMAIN}/auth/realms/master/.well-known/openid-configuration"
opendistro_security.openid.base_redirect_url: "https://{KIBANA_DOMAIN}/"
opendistro_security.openid.client_id: "kuberme-kibana"
opendistro_security.openid.client_secret: "secret-id-value"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/root-ca.pem"
opendistro_security.allow_client_certificates: "true"

Where KIBANA_DOMAIN and SSO_DOMAIN are the hostnames of my Kibana and Keycloak. Have you got any additional params?

Thanks in advance

With Kibana, I have the config below in use. Some of the settings might be unnecessary, as I was trying various things to get it working:

server.name: kibana
server.host: "0.0.0.0"
elasticsearch.hosts: ${ELASTICSEARCH_URL}
elasticsearch.requestTimeout: 360000
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/kibana-key.pem
server.ssl.certificate: /usr/share/kibana/config/kibana-crt.pem
elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/kibana-root-ca.pem
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibanaserver"
elasticsearch.password: "xxx"
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "securitytenant"]
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://xxx/auth/realms/yyy/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibana"
opendistro_security.openid.client_secret: "xxx"
opendistro_security.openid.root_ca: "/usr/share/kibana/config/keycloak-root-ca.pem"
opendistro_security.openid.base_redirect_url: "https://xxx"
opendistro_security.cookie.secure: false
opendistro_security.cookie.password: "xxx"
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
logging.verbose: false

See also this discussion; it has more information: OpenID authentication and "Authentication finally failed for null"

Thanks! I'll review my config against your solution and visit the discussion you shared to find the correct way to perform the upgrade.

I've done some testing, and 1.10, 1.11 and 1.12 produced the same error when I used a signed cert:

Error: unable to verify the first certificate

However, 1.9 and 1.13 worked perfectly. My IdP root CA file is the SSL chain (signed cert + root CA):

opendistro_security.openid.root_ca: "/usr/share/kibana/config/root-ca.pem"

The root CA is internal and self-signed. Maybe that is the issue. What did you use as the root CA cert for opendistro_security.openid.root_ca? Do you have your certs signed externally?

I had similar behavior when I used a self-signed certificate. 1.10, 1.11 and 1.12 failed to connect to the IdP, reporting the self-signed certificate as the error. 1.9 and 1.13 connected to the IdP with the self-signed cert with no issues.

Hi @pablo,

Thanks for the answer, I'll try it and see if it works as you say.
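The startup failure quoted earlier in this thread, Node's UNABLE_TO_VERIFY_LEAF_SIGNATURE ("unable to verify the first certificate"), is OpenSSL's way of saying the IdP presented only its own certificate and nothing in the trust store handed to the client issued it. The fetch the plugin makes at startup can be reproduced outside Kibana to see what a given root_ca file actually buys you. The Go program below is an added example, not code from the thread or from the Open Distro security plugin (which is Node code); Go is used because it can build the certificates and a TLS server offline. It generates a throwaway internal root CA and an IdP certificate, starts an in-process TLS server that presents only that certificate and serves a constructed discovery document, then fetches /.well-known/openid-configuration with four different root_ca contents. The hostname sso.intranet.example, the certificates and the discovery document are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const idpHost = "sso.intranet.example" // hypothetical IdP hostname, stands in for {SSO_DOMAIN}

// template describes either an internal CA or a TLS server certificate for cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert issues tmpl with a fresh Ed25519 key; parent == nil means self-signed (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // bytes we just produced; parse cannot fail
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// fetchDiscovery does what the plugin does at startup: GET the discovery document trusting only
// the CAs in rootCAPEM (the openid.root_ca file contents), never the system store.
func fetchDiscovery(url string, rootCAPEM []byte) (string, error) {
	pool := x509.NewCertPool()
	if len(rootCAPEM) > 0 && !pool.AppendCertsFromPEM(rootCAPEM) {
		return "", errors.New("root_ca contains no parsable PEM certificate")
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: idpHost}}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	err = json.NewDecoder(resp.Body).Decode(&doc)
	return doc.Issuer, err
}

// Result: one candidate root_ca content and the outcome. UnknownCA means the served chain could not be tied to the supplied store, the failure class the Kibana log shows as UNABLE_TO_VERIFY_LEAF_SIGNATURE.
type Result struct {
	File, Issuer string
	Err          error
	UnknownCA    bool
}

// runScenarios builds the constructed PKI, starts a Keycloak stand-in presenting only the IdP leaf, and tries four root_ca contents.
func runScenarios() []Result {
	root, rootKey, rootPEM := newCert(template("Internal Root CA", 1, true), nil, nil)
	_, _, otherPEM := newCert(template("Unrelated Root CA", 2, true), nil, nil)
	leaf, leafKey, leafPEM := newCert(template(idpHost, 3, false), root, rootKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"issuer": "https://" + idpHost + "/auth/realms/master"}) // constructed discovery doc
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/auth/realms/master/.well-known/openid-configuration"
	names := []string{"root_ca empty (no CA loaded)", "root_ca = CA that did not sign the IdP cert", "root_ca = internal root CA", "root_ca = chain file (IdP cert + root CA)"}
	pems := [][]byte{nil, otherPEM, rootPEM, append(append([]byte{}, leafPEM...), rootPEM...)}
	var out []Result
	for i, p := range pems {
		issuer, err := fetchDiscovery(url, p)
		out = append(out, Result{names[i], issuer, err, errors.As(err, new(x509.UnknownAuthorityError))})
	}
	return out
}

func main() {
	for _, r := range runScenarios() { fmt.Printf("%+v\n", r) }
}
```

Run it with `go run .`; the first two scenarios fail with an unknown-authority error, the last two return the issuer from the discovery document. To check a real deployment, replace the generated server with your connect_url and the generated PEM with the bytes of the file named by opendistro_security.openid.root_ca; an unknown-authority result with that file means the file does not contain the CA that signed the IdP certificate, whatever plugin version you run. One caveat on the last scenario: Go treats any certificate placed in the pool as a trust anchor, so the chain file passes here even before the root is considered; OpenSSL-based clients such as Node by default only accept a chain that ends in a self-signed CA present in the store, so it is the self-signed internal root that has to be in that file.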