Hi,
I’ve set up everything according to this tutorial: Kibana Single Sign-On with OpenID and Keycloak | Search Guard, and the authentication and authorization work. However, in the logs I have this warning each time someone logs in:
No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
My sg_config.yml:
basic_internal_auth_domain:
  description: "Authenticate via HTTP Basic against internal users database"
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern
openid_auth_domain:
  http_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_url: https://keycloak.url/auth/realms/prod/.well-known/openid-configuration
      subject_key: preferred_username
      roles_key: group
  authentication_backend:
    type: noop
I have also set:
logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace
But no additional information in the logs.
Do you have any idea how I can get rid of these warnings?
My current assumption is:
because basic auth is set to order 0, every user who authenticates using Keycloak produces this log line:
No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
because Search Guard tries to use basic auth first.
When I put basic auth at order 1 and OIDC at order 0, I get spamming warnings, probably produced by the logstash internal user, who is trying to connect. Since OIDC is now set to order 0, the logs are spammed with:
WARNING: Compact JWS does not have 3 parts
It looks like basic auth is taken for the OIDC connection even though it should not be.
Yes, you are correct. I think the log levels are not really ideal for this combination and we should lower them. If you have two auth domains and someone logs in, then (depending on the order of the modules), this will always create a log message.
There are two workarounds: You can either change the log level in log4j.properties. However, if you are using the basic auth domain only for system users like logstash or the Kibana server user, the better approach is probably to set the openid domain first, and then use the “skip_users” feature to exclude those system users from the openid auth domain:
If you have a fixed list of users that should only be authenticated by Basic Auth, but not openid, this should work.
Thank you. I defined skip_users and got rid of the spamming warning messages.
I thought it was working, but it looks like I have missed something.
I still have spamming
WARNING: Compact JWS does not have 3 parts
even though in sg_config.yml I have defined to skip the users as follows:
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_url: https://keycloak.url/auth/realms/prod/.well-known/openid-configuration
      subject_key: preferred_username
      roles_key: group
    skip_users:
      - kibanaro
      - kibanaserver
      - logstash
      - adminp
      - admin
      - filebeat_internal
      - kibanauser
I assume that I did it wrong. How can I prevent internal users, which use basic auth from trying to use openid login?
Almost there
The “skip_users” entry is part of the config, so it has to be placed inside the “config” section, i.e. on the same level as openid_connect_url, for example.
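To make the two points from the replies above concrete (openid domain first, with skip_users nested under http_authenticator.config), here is a small added illustration. It is not Search Guard's own code: the config dicts are constructed in the shape PyYAML would produce for sg_config.yml, and the matching rules in pick_domain are a simplified assumption about the behaviour the thread describes (ordered domains, a skipped domain logging nothing, a non-matching domain logging the warning quoted in the thread), not the real implementation. lint_skip_users flags the misplacement the reply points out.

```python
"""Simplified model of ordered auth domains plus skip_users (added illustration).

Assumption, not Search Guard's code: the username is already known when skip_users
is consulted, and a domain that cannot handle the request logs the warning quoted
in the thread and passes the request on to the next domain.
"""
import copy

# Constructed sg_config: openid domain first, skip_users correctly under
# http_authenticator.config, basic auth second for the internal users.
SG_CONFIG = {
    "openid_auth_domain": {
        "http_enabled": True,
        "order": 0,
        "http_authenticator": {
            "type": "openid",
            "challenge": False,
            "config": {
                "openid_connect_url": "https://keycloak.example/auth/realms/prod/.well-known/openid-configuration",
                "subject_key": "preferred_username",
                "roles_key": "group",
                "skip_users": ["kibanaserver", "logstash"],
            },
        },
        "authentication_backend": {"type": "noop"},
    },
    "basic_internal_auth_domain": {
        "http_enabled": True,
        "order": 1,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"},
    },
}

# Same config with skip_users one level too high (beside "config"), the mistake in the thread.
MISPLACED_CONFIG = copy.deepcopy(SG_CONFIG)
_auth = MISPLACED_CONFIG["openid_auth_domain"]["http_authenticator"]
_auth["skip_users"] = _auth["config"].pop("skip_users")


def lint_skip_users(config):
    """Return one message per domain whose skip_users is not under http_authenticator.config."""
    problems = []
    for name, domain in config.items():
        authenticator = domain.get("http_authenticator", {})
        misplaced = "skip_users" in domain or "skip_users" in authenticator
        if misplaced and "skip_users" not in authenticator.get("config", {}):
            problems.append(f"{name}: skip_users must sit inside http_authenticator.config")
    return problems


def pick_domain(config, user, credential):
    """Walk enabled domains in ascending order; return (accepting domain, warnings logged).

    credential is the Authorization scheme the request carried: "basic" or "bearer".
    """
    warnings = []
    domains = sorted(
        (item for item in config.items() if item[1].get("http_enabled")),
        key=lambda item: item[1]["order"],
    )
    for name, domain in domains:
        authenticator = domain["http_authenticator"]
        if user in authenticator.get("config", {}).get("skip_users", []):
            continue  # domain explicitly skipped for this user: no log line at all
        kind = authenticator["type"]
        if kind == "openid" and credential != "bearer":
            warnings.append("Compact JWS does not have 3 parts")
        elif kind == "basic" and credential != "basic":
            warnings.append("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'")
        else:
            return name, warnings
    return None, warnings


if __name__ == "__main__":
    print(lint_skip_users(MISPLACED_CONFIG))
    print(pick_domain(SG_CONFIG, "logstash", "basic"))        # basic domain, no warning
    print(pick_domain(MISPLACED_CONFIG, "logstash", "basic"))  # basic domain, JWS warning first
    print(pick_domain(SG_CONFIG, "alice", "bearer"))           # openid domain, no warning
```

Running it shows the difference the reply describes: with skip_users in the right place, logstash's basic-auth request passes the openid domain silently and lands on the basic domain; with skip_users one level too high it is ignored, so the openid domain still logs the JWS warning before the basic domain accepts the request.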
Hm, still no success with the following configuration.
I am also not sure how it should work, since how should the openid_auth_domain configuration know that the user who is trying to use openid_auth_domain is, for example, “logstash”?
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_url: https://lkeycloak.url/auth/realms/prod/.well-known/openid-configuration
      subject_key: preferred_username
      roles_key: group
      skip_users:
        - kibanaro
        - kibanaserver
        - logstash
        - adminp
        - admin
        - kibanauser
        - kibana
        - readall
        - snapshotrestore
  authentication_backend:
    type: noop