Authentication failed. Please provide a new token

Hi,

I tried to configure Kibana Single Sign-On with OpenID and Keycloak. However I receive the error “Authentication failed. Please provide a new token.” in Kibana

----------------* Search Guard configuration files*----------------
openid_auth_domain:
enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
openid_connect_url: http://192.168.152.143:8080/auth/realms/Test/.well-known/openid-configuration
subject_key: preferred_username
roles_key: roles
enable_ssl: false
verify_hostnames: false
authentication_backend:
type: noop

------------* * elasticsearch.yml configuration file**---------------------------------
xpack.security.enabled: false

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“SGS_ALL_ACCESS”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

----------------** kibana.yml configuration file**-----------------------

elasticsearch.hosts: “https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “openid”

the IdP metadata endpoint

searchguard.openid.connect_url: “http://192.168.152.143:8080/auth/realms/Test/.well-known/openid-configuration

the ID of the OpenID Connect client in your IdP

searchguard.openid.client_id: “kibana-sso”

searchguard.openid.client_secret: “25c3e23f-b7df-42c6-a640-793def4d32f0”
searchguard.openid.verify_hostnames: false

xpack.security.enabled: false
server.ssl.enabled: true
server.ssl.key: /kibana-7.3.0-windows-x86_64/kibana-7.3.0-windows-x86_64/config/certs/instance/instance.key
server.ssl.certificate: /kibana-7.3.0-windows-x86_64/kibana-7.3.0-windows-x86_64/config/certs/instance/instance.crt

This can have several reasons. Do you see anything in the Elasticsearch or Kibana logfiles?

Can you please set the Elasticsearch log level to debug:

And then try again? You should see an error message in the logfile, please post it here.

Hi,

I turned the log level to debug mode however i can’t see any significant error message in the logs.

The logs as per following:

[2019-08-14T16:07:59,526][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,526][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] sgr: [SGS_ALL_ACCESS, SGS_OWN_INDEX]
[2019-08-14T16:07:59,526][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,527][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [DESKTOP-BN85TH6] raw requestedTenant: ‘null’
[2019-08-14T16:07:59,526][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,527][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] sgr2: [SGS_ALL_ACCESS, SGS_OWN_INDEX]
[2019-08-14T16:07:59,527][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,527][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,534][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Allowed because we have all indices permissions for indices:data/read/get
[2019-08-14T16:07:59,531][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,534][DEBUG][c.f.s.f.SearchGuardFilter] [DESKTOP-BN85TH6] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/read/get], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-14T16:07:59,526][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] sgr2: [SGS_ALL_ACCESS, SGS_OWN_INDEX]
[2019-08-14T16:07:59,538][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,539][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,554][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Allowed because we have all indices permissions for indices:data/read/get
[2019-08-14T16:07:59,534][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Allowed because we have all indices permissions for indices:data/read/get
[2019-08-14T16:07:59,528][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,536][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,528][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [DESKTOP-BN85TH6] request class org.elasticsearch.action.search.SearchRequest
[2019-08-14T16:07:59,556][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Allowed because we have all indices permissions for indices:data/read/search
[2019-08-14T16:07:59,555][DEBUG][c.f.s.f.SearchGuardFilter] [DESKTOP-BN85TH6] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/read/get], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-14T16:07:59,555][DEBUG][c.f.s.f.SearchGuardFilter] [DESKTOP-BN85TH6] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/read/get], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-14T16:07:59,547][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Check authdomain for rest internal/4 or 1 in total
[2019-08-14T16:07:59,577][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Check authdomain for rest internal/4 or 1 in total
[2019-08-14T16:07:59,582][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Rest user ‘User [name=admin, backend_roles=[admin], requestedTenant=null]’ is authenticated
[2019-08-14T16:07:59,559][DEBUG][c.f.s.f.SearchGuardFilter] [DESKTOP-BN85TH6] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/read/search], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-14T16:07:59,557][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Allowed because we have all indices permissions for indices:data/read/get
[2019-08-14T16:07:59,592][DEBUG][c.f.s.f.SearchGuardFilter] [DESKTOP-BN85TH6] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/read/get], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-14T16:07:59,558][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Result from privileges interceptor: null
[2019-08-14T16:07:59,587][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] sgtenant ‘null’
[2019-08-14T16:07:59,577][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Rest user ‘User [name=admin, backend_roles=[admin], requestedTenant=null]’ is authenticated
[2019-08-14T16:07:59,602][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] ### evaluate permissions for User [name=admin, backend_roles=[admin], requestedTenant=null] on DESKTOP-BN85TH6
[2019-08-14T16:07:59,584][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Check authdomain for rest internal/4 or 1 in total
[2019-08-14T16:07:59,599][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] sgr2: [SGS_ALL_ACCESS, SGS_OWN_INDEX]
[2019-08-14T16:07:59,603][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] action: indices:data/read/get (GetRequest)
[2019-08-14T16:07:59,606][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] Aliases for .kibana_1: [.kibana=>{
“.kibana” : { }
}]
[2019-08-14T16:07:59,599][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Check authdomain for rest internal/4 or 1 in total
[2019-08-14T16:07:59,599][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Check authdomain for rest internal/4 or 1 in total
[2019-08-14T16:07:59,605][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Rest user ‘User [name=admin, backend_roles=[admin], requestedTenant=null]’ is authenticated
[2019-08-14T16:07:59,607][DEBUG][c.f.s.r.IndexResolverReplacer] [DESKTOP-BN85TH6] Resolve aliases, indices and types from GetRequest
[2019-08-14T16:07:59,609][DEBUG][c.f.s.p.PrivilegesEvaluator] [DESKTOP-BN85TH6] .kibana is not an alias or does not have a filter
[2019-08-14T16:07:59,609][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] Rest user ‘User [name=admin, backend_roles=[admin], requestedTenant=null]’ is authenticated
[2019-08-14T16:07:59,603][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] sgtenant ‘null’
[2019-08-14T16:07:59,614][DEBUG][c.f.s.a.BackendRegistry ] [DESKTOP-BN85TH6] sgtenant ‘null’