Kibana 7.17.7 & openid 'redirect_uri' parameter is not a valid

peter82 · January 25, 2023, 9:10am

Elasticsearch version:
7.17.7 , same as kibana, FLX 1.1.0

according documentation we should use server.publicBaseUrl instead of searchguard.frontend_base_url but it doesnt work.
Kibana OIDC Quick Start | Security for Elasticsearch | Search Guard (search-guard.com)

Error details: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'urn:apps:kibana:env-project'. Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login'.

there is a forward slash missing after basePath env-project !!

THIS WORKS:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project
searchguard.frontend_base_url: "https://kibana.cz/env-project/"

THIS DOESN’T:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project

pablo · January 30, 2023, 11:24am

@peter82 As per Search Guard documentation the searchguard.frontend_base_url was designed for the Kibana version older than 7.11.
Elastic has introduced a new parameter in 7.11 called server.publicBaseUrl and that can be used instead.

I’ve noticed that in your example the error states:

Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login

That would match:

server.publicBaseUrl: "https://kibana.cz/env-project"

Your first example worked as “searchguard.frontend_base_url:” had “/” at the end of the URL.
Try the below solution.

server.publicBaseUrl: "https://kibana.cz/env-project/"
server.basePath: /env-project

peter82 · January 30, 2023, 12:22pm

Hi Pablo, yes I have already tried all that before posting…

You cannot use forward slash in server.publicBaseUrl becase it has to match exactly server.basePath. And server.basePath has to start with forward slash but cannot end with one. So dead end.

system · February 20, 2023, 12:22pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

pablo · February 27, 2023, 10:04am

Hi @peter82,

I’ve reproduced your scenario and will report this as a bug to the Search Guard Dev team.

peter82 · February 27, 2023, 10:46am

@pablo perfect thanks, I will keep an eye on release notes.

Topic		Replies	Views
Custom OpenID Connect Redirect URL Search Guard	1	985	August 24, 2018
OpenID authorization OPTIONS request Search Guard	9	2211	March 5, 2020
Cannot reach Kibana dashboard URL after Keycloak (openid) login Search Guard	18	2860	May 19, 2021
Workaround to OIDC link handling added in v51.0? Search Guard	6	2210	February 23, 2022
New release: Search Guard 53 Announcements	1	1775	March 9, 2022

Kibana 7.17.7 & openid 'redirect_uri' parameter is not a valid

Related Topics