Auth error while using keycloak

I am using the demo Search Guard scripts to initialize Search Guard.
Below are the relevant configuration snippets.

I always get the auth error "please provide a new token" in the browser.

I checked the Elasticsearch logs; they don't have any of the errors listed here -

I tried removing the roles_key from the configuration but still get the same error.

Note: I do not have role mappings.

I am running Kibana and Elasticsearch as RPMs on CentOS 7.

  • Your Search Guard configuration files

    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
            enable_ssl: false
            verify_hosts: false
        authentication_backend:
          type: noop

  • Your elasticsearch.yml configuration file

    searchguard.ssl.transport.pemcert_filepath: esnode.pem
    searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: esnode.pem
    searchguard.ssl.http.pemkey_filepath: esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test, C=de
    searchguard.audit.type: internal_elasticsearch
    searchguard.enable_snapshot_restore_privilege: true
    searchguard.check_snapshot_restore_write_privileges: true
    searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
    cluster.routing.allocation.disk.threshold_enabled: false
    cluster.name: searchguard_demo
    node.max_local_storage_nodes: 3
    xpack.security.enabled: false
    ######## End Search Guard Demo Configuration ########
    If you are using Kibana, please also add:
  • Your kibana.yml configuration file

    xpack.security.enabled: false
    searchguard.cookie.password: "--------------------------------------"
    searchguard.auth.type: "openid"
    searchguard.openid.connect_url: "https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration"
    searchguard.openid.client_id: "kibana"
    searchguard.openid.client_secret: "xxxxxxx"
    searchguard.cookie.secure: true

I would have expected to see some log statements in either the Kibana or Elasticsearch logs. Usually, when you get this error it means the JWT is not valid or there are some problems talking to the IdP / Keycloak.

I see that you are using https for connecting to Keycloak. What kind of certificate are you using, is it self-signed?

If so, you might need to configure the root CA used for signing the certificate in Kibana and Elasticsearch.

For the ES OpenID module please see here:

And make sure the pemtrustedcas_filepath or pemtrustedcas_content is set.

For Kibana, please make sure you configure the root CA in kibana.yml via:

searchguard.openid.root_ca: <path to root CA>
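As an added illustration of the advice above (not part of this thread or of Search Guard's own documentation): the openid `config` block as posted, with TLS to the IdP disabled, beside a corrected version that enables TLS, verifies the Keycloak hostname and trusts the CA that signed its certificate, plus the matching kibana.yml line. The two `.pem` paths and the client secret are assumed placeholders; the keys themselves are the ones named in the thread.

```yaml
# sg_config.yml -- openid_auth_domain / http_authenticator / config
# As posted: TLS to Keycloak is off and no trust anchor is given, so the
# discovery document fetched from keycloak-host over https cannot be verified.
#   enable_ssl: false
#   verify_hosts: false
#
# Corrected: talk TLS to the IdP, verify its hostname, and trust the CA that
# signed the Keycloak certificate (pemtrustedcas_content with the inline PEM
# is the alternative to the file path).
config:
  openid_connect_url: https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration
  subject_key: preferred_username
  roles_key: roles
  enable_ssl: true
  verify_hosts: true
  pemtrustedcas_filepath: /etc/elasticsearch/keycloak-root-ca.pem   # assumed path
---
# kibana.yml -- Kibana also contacts Keycloak during the login redirect, so it
# needs the same root CA configured on its side.
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration"
searchguard.openid.client_id: "kibana"
searchguard.openid.client_secret: "<client secret>"   # placeholder
searchguard.openid.root_ca: /etc/kibana/keycloak-root-ca.pem   # assumed path
```

After changing sg_config.yml, re-run sgadmin to upload it; kibana.yml changes need a Kibana restart.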

The IdP login works as expected. When I browse to the Kibana URL I get redirected to the Keycloak IdP URL, I log in correctly, but then get redirected to the auth error page.

I have custom certs. I have set them correctly, i.e. pemtrustedcas_filepath or pemtrustedcas_content
and searchguard.openid.root_ca:

Your last post seems to be cut off somehow … can you attach your configuration files here please?

For example, in the sg_config you posted I don’t see any configuration for the root CA and ssl is set to false:

config:
  openid_connect_url: https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration
  subject_key: preferred_username
  roles_key: roles
  enable_ssl: false
  verify_hosts: false

Also, in kibana.yml you posted initially I don’t see the searchguard.openid.root_ca setting:

xpack.security.enabled: false
searchguard.cookie.password: "--------------------------------------"
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration"
searchguard.openid.client_id: "kibana"
searchguard.openid.client_secret: "xxxxxxx"
searchguard.cookie.secure: true

Can you please add the configuration files directly?