Kibana 7.17.7 & openid 'redirect_uri' parameter is not a valid

peter82 · January 25, 2023, 9:10am

Elasticsearch version:
7.17.7 , same as kibana, FLX 1.1.0

according documentation we should use server.publicBaseUrl instead of searchguard.frontend_base_url but it doesnt work.
Kibana OIDC Quick Start | Security for Elasticsearch | Search Guard (search-guard.com)

Error details: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'urn:apps:kibana:env-project'. Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login'.

there is a forward slash missing after basePath env-project !!

THIS WORKS:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project
searchguard.frontend_base_url: "https://kibana.cz/env-project/"

THIS DOESN’T:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project

pablo · January 30, 2023, 11:24am

@peter82 As per Search Guard documentation the searchguard.frontend_base_url was designed for the Kibana version older than 7.11.
Elastic has introduced a new parameter in 7.11 called server.publicBaseUrl and that can be used instead.

I’ve noticed that in your example the error states:

Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login

That would match:

server.publicBaseUrl: "https://kibana.cz/env-project"

Your first example worked as “searchguard.frontend_base_url:” had “/” at the end of the URL.
Try the below solution.

server.publicBaseUrl: "https://kibana.cz/env-project/"
server.basePath: /env-project

peter82 · January 30, 2023, 12:22pm

Hi Pablo, yes I have already tried all that before posting…

You cannot use forward slash in server.publicBaseUrl becase it has to match exactly server.basePath. And server.basePath has to start with forward slash but cannot end with one. So dead end.

system · February 20, 2023, 12:22pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

pablo · February 27, 2023, 10:02am

pablo · February 27, 2023, 10:04am

Hi @peter82,

I’ve reproduced your scenario and will report this as a bug to the Search Guard Dev team.

peter82 · February 27, 2023, 10:46am

@pablo perfect thanks, I will keep an eye on release notes.