Kibana 7.17.7 & openid 'redirect_uri' parameter is not a valid

Elasticsearch version:
7.17.7, same as Kibana, FLX 1.1.0

According to the documentation, we should use server.publicBaseUrl instead of searchguard.frontend_base_url, but it doesn't work.
Kibana OIDC Quick Start | Security for Elasticsearch | Search Guard (search-guard.com)

Error details: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'urn:apps:kibana:env-project'. Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login'.

There is a forward slash missing after basePath env-project!!

THIS WORKS:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project
searchguard.frontend_base_url: "https://kibana.cz/env-project/"

THIS DOESN’T:

server.publicBaseUrl: "https://kibana.cz/env-project"
server.basePath: /env-project

@peter82 As per the Search Guard documentation, searchguard.frontend_base_url was designed for Kibana versions older than 7.11.
Elastic has introduced a new parameter in 7.11 called server.publicBaseUrl and that can be used instead.

I’ve noticed that in your example the error states:

Received redirect_uri: 'https://kibana.cz/env-projectauth/openid/login

That would match:

server.publicBaseUrl: "https://kibana.cz/env-project"

Your first example worked as “searchguard.frontend_base_url:” had “/” at the end of the URL.
Try the below solution.

server.publicBaseUrl: "https://kibana.cz/env-project/"
server.basePath: /env-project

Hi Pablo, yes I have already tried all that before posting…

You cannot use a forward slash in server.publicBaseUrl because it has to match server.basePath exactly. And server.basePath has to start with a forward slash but cannot end with one. So dead end.

Hi @peter82,

I’ve reproduced your scenario and will report this as a bug to the Search Guard Dev team.

@pablo perfect thanks, I will keep an eye on release notes.
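
Added example, not from the thread or from Search Guard's code: a JavaScript model of why the three configurations discussed above behave differently, and what a separator-safe join would send instead. It assumes the base URL and login path are joined by plain concatenation (as the redirect_uri in the error suggests), that searchguard.frontend_base_url takes precedence when set, and that the IdP has `https://kibana.cz/env-project/auth/openid/login` registered; all function names are hypothetical.

```javascript
// Values come from the thread; the registered URI is an assumption.
const LOGIN_PATH = "auth/openid/login"; // suffix seen in the MSIS9224 error
const REGISTERED = ["https://kibana.cz/env-project/auth/openid/login"];

// Assumption: base URL and login path are joined by plain concatenation.
function naiveRedirectUri(baseUrl) {
  return baseUrl + LOGIN_PATH;
}

// Separator-safe join: exactly one "/" between base and path.
function joinedRedirectUri(baseUrl) {
  return baseUrl.replace(/\/+$/, "") + "/" + LOGIN_PATH;
}

// The IdP in the thread rejects any redirect_uri that is not a registered
// value; modelled here as exact string comparison.
function isRegistered(uri) {
  return REGISTERED.includes(uri);
}

// Constraint described in the thread: the path of server.publicBaseUrl must
// equal server.basePath, so it cannot carry a trailing slash.
function publicBaseUrlIsValid(cfg) {
  return new URL(cfg["server.publicBaseUrl"]).pathname === cfg["server.basePath"];
}

// Assumption: searchguard.frontend_base_url, when set, takes precedence.
function preflight(cfg, build) {
  const base = cfg["searchguard.frontend_base_url"] || cfg["server.publicBaseUrl"];
  const redirectUri = build(base);
  return { redirectUri, accepted: isRegistered(redirectUri), kibanaConfigValid: publicBaseUrlIsValid(cfg) };
}

const common = { "server.publicBaseUrl": "https://kibana.cz/env-project", "server.basePath": "/env-project" };
const configs = {
  working: { ...common, "searchguard.frontend_base_url": "https://kibana.cz/env-project/" },
  failing: { ...common },
  suggested: { ...common, "server.publicBaseUrl": "https://kibana.cz/env-project/" },
};

for (const [name, cfg] of Object.entries(configs)) {
  console.log(name, "naive:", preflight(cfg, naiveRedirectUri));
  console.log(name, "joined:", preflight(cfg, joinedRedirectUri));
}
```
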