We are using Keycloak OpenID authentication in Kibana.
When the Kibana session remains idle for some time (10 mins) and the Keycloak token expires (token lifespan is 5 mins) in between, and the user then tries to filter on the Discover page based on a particular time period, the error "Error loading data" pops up. But manually refreshing the page recovers the access and loads the logs.
TypeError: Failed to fetch
at Fetch._callee3$ (https://ip/baseurl/port/bundles/commons.bundle.js:9:1989293)
at l (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:969217)
at Generator._invoke (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:968970)
at Generator.forEach.e. [as throw] (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:969574)
at asyncGeneratorStep (https://ip/baseurl/port/bundles/commons.bundle.js:9:1983787)
at _throw (https://ip/baseurl/port/bundles/commons.bundle.js:9:1984184)
When I checked the Elasticsearch client logs, it says: "log":"No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"}
The expectation is that it should be redirected to the login page when the Keycloak token expires.
Search Guard version used: 7.8.0-43.0.0.
Below error seen in the Elasticsearch client:
---
# Do not change server name and host. This is the default configuration.
server.name: kibana
server.customResponseHeaders: { "X-Frame-Options": "DENY" }
server.ssl.supportedProtocols: ["TLSv1.2"]
searchguard.cookie.secure: true
# Uncomment the section below for Keycloak authentication and provide the required parameters
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://XX.XX.XXXX:XXXXX/auth/realms/master/.well-known/openid-configuration"
searchguard.openid.client_id: XXXXXXXX
searchguard.openid.client_secret: "XXXXX"
searchguard.openid.header: "Authorization"
### For the Kibana service on ingress, the port is not required
searchguard.openid.base_redirect_url: "https://XX.XX.XXXX"
### Do not change the root_ca file path, as this is the default mount path.
searchguard.openid.root_ca: "/XXXX/keycloak-root-ca.pem"
searchguard.openid.verify_hostnames: false
I believe the behaviour we reproduced is somewhat different from the problem you're seeing.
Just to clarify:
When you do a full page reload, you are redirected as expected to Keycloak's login page, correct?
Would it be possible for you to check the browser's network tab for the request that triggers the error popup? You'd be looking for a request returning status code 401 or 302, and it would be great if I could see what the request headers are on that request. Here's an example of the request going out when I change the time filter in Discover:
My guess is that for some reason we can't detect that the search request is an AJAX request, and because of that we can't redirect to the login page properly in this case.
> When you do a full page reload, you are redirected as expected to Keycloak's login page, correct?
Yes, upon a full page reload, it is redirected to Keycloak's page for authentication.
When I observed this issue ("Error loading data"), this is the network tab response:
Request URL: https://10.xx.xx.xx/xxxxx/auth/openid/login?nextUrl=%2Fapp%2Fkibana%23%2Fdiscover%3F_g%3D(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-15m%2Cto%3Anow))%26_a%3D(columns%3A!(_source)%2Cfilters%3A!()%2Cindex%3Add4538a0-66bf-11eb-a10c-9b7c2ee52a23%2Cinterval%3Aauto%2Cquery%3A(language%3Akuery%2Cquery%3A%27%27)%2Csort%3A!())
Request Method: GET
Status Code: 302
Remote Address: 10.xx.xx.xx:443
Referrer Policy: strict-origin-when-cross-origin
Is there any request before the one you sent that returns a 401 or 302?
There are two things I'm looking for:
The request URL should be something other than /auth/openid/login.
The following request (not response) headers on that previous request: Content-Type or Accept.
In my screenshot above you can see that Content-Type is set to "application/json".
If neither of those headers is set, we can't detect an AJAX request at the moment.
Feel free to use @Mike in your answer, then I should get a notification.
Thanks, and sorry again for the late response.
Mike
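The AJAX-detection rule Mike describes above (a request counts as AJAX when its Content-Type or Accept header mentions application/json; such a request gets a JSON 401 the frontend can act on, anything else gets a 302 to the login endpoint), written out as a small added example. This is illustration code, not Search Guard's or Kibana's own implementation; the login path, header names, the JSON body shape and the client-side classification are assumptions for the example.

```javascript
// Added example, not Search Guard or Kibana code. Models the AJAX-detection
// heuristic from the thread: an unauthenticated request is answered with a
// JSON 401 when it looks like an AJAX call (Content-Type or Accept mentions
// application/json) and with a 302 to the login endpoint otherwise.
// LOGIN_PATH is an assumption that mirrors the path seen in the network tab.
const LOGIN_PATH = '/auth/openid/login';

// Case-insensitive header lookup over a plain object of request headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// The detection rule: either Content-Type or Accept carries application/json.
// A browser navigation (no such headers) returns false.
function isAjaxRequest(headers) {
  return ['content-type', 'accept'].some((h) => {
    const v = getHeader(headers, h);
    return typeof v === 'string' && v.toLowerCase().includes('application/json');
  });
}

// Decide how to answer a request whose session or token is no longer valid.
// `path` is the requested path and is carried along as nextUrl on the redirect.
function unauthenticatedResponse(path, headers) {
  if (isAjaxRequest(headers)) {
    // AJAX caller: a JSON 401 the frontend can inspect and turn into a
    // full-page navigation to the login page (a 302 would be followed
    // silently by fetch and surface as "Failed to fetch" instead).
    return {
      status: 401,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ statusCode: 401, message: 'Unauthorized', redirectTo: LOGIN_PATH }),
    };
  }
  // Browser navigation: a plain redirect to the login endpoint is fine.
  return {
    status: 302,
    headers: { Location: `${LOGIN_PATH}?nextUrl=${encodeURIComponent(path)}` },
    body: '',
  };
}

// Client-side counterpart for a fetch wrapper (assumed design, not Kibana's):
// 'login' means the page should navigate to the login URL, 'ok' means use the data.
function classifyFetchOutcome(status, contentType) {
  if (status === 401) return 'login';
  // A search request that ended up on an HTML login page after a followed
  // redirect is the symptom from the thread; treat it as a login as well.
  if (status === 200 && /text\/html/i.test(contentType || '')) return 'login';
  return 'ok';
}

// Constructed sample requests, as a browser would issue them.
const navigation = { 'User-Agent': 'Mozilla/5.0', Accept: 'text/html,application/xhtml+xml' };
const searchCall = { 'Content-Type': 'application/json', 'kbn-version': '7.8.0' };
console.log(unauthenticatedResponse('/app/kibana', navigation).status);        // 302
console.log(unauthenticatedResponse('/internal/search/es', searchCall).status); // 401
```

With the headers from the thread's screenshot (Content-Type: application/json) the request is classified as AJAX and gets the 401; a request carrying neither header falls through to the 302, which is the case Mike says cannot currently be detected.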