No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic' while using openid and basic auth domain

Hi,

I’ve set up everything according to this tutorial: https://search-guard.com/kibana-openid-keycloak/ and authentication and authorization work; however, in the logs I have this warning each time someone logs in:

No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

My sg_config.yml:

    basic_internal_auth_domain:
      description: "Authenticate via HTTP Basic against internal users database"
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        type: intern
    openid_auth_domain:
      http_enabled: true
      order: 1
      http_authenticator:
        type: openid
        challenge: false
        config:
          openid_connect_url: https://keycloak.url/auth/realms/prod/.well-known/openid-configuration
          subject_key: preferred_username
          roles_key: group
      authentication_backend:
        type: noop

I have also set:

    logger.sg.name = com.floragunn.dlic.auth.http.jwt
    logger.sg.level = trace

But there is no additional information in the logs.

Do you have any idea how I can get rid of these warnings?

My current assumption is:

Because basic auth is set to order 0, every user who authenticates using Keycloak produces this log line:

No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

because Search Guard tries to use basic auth first.

When I put basic auth at order 1 and OIDC at order 0, I get spamming warnings, probably produced by the logstash internal user, which is trying to connect. Since OIDC is now set to order 0, I have these warnings spamming:

WARNING: Compact JWS does not have 3 parts

It looks like the basic auth is taken for an OIDC connection even though it should not be.

Yes, you are correct. I think the log levels are not really ideal for this combination and we should lower them. If you have two auth domains and someone logs in, then (depending on the order of the modules), this will always create a log message.

There are two workarounds: You can either change the log level in log4j.properties. However, if you are using the basic auth domain only for system users like logstash or the Kibana server user, the better approach is probably to set the openid domain first, and then use the “skip_users” feature to exclude those system users from the openid auth domain.

If you have a fixed list of users that should only be authenticated by Basic Auth, but not openid, this should work.

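As an added illustration of the point about module order (this is not code from Search Guard or from the thread), the following simplified Python model runs one request through two auth domains in configured order and records the warnings. It assumes the behaviour the thread reports: the basic domain warns when the header is not `Basic`, and the openid domain treats the header value (minus an optional `Bearer ` prefix) as a compact JWS; signature verification and `skip_users` are left out of the model.

```python
import base64
import json

# Warning strings as quoted in the thread.
BASIC_WARNING = "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"
JWS_WARNING = "WARNING: Compact JWS does not have 3 parts"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def basic_domain(authorization):
    """Basic auth domain: expects 'Basic <base64(user:password)>'; otherwise warns."""
    if not authorization or not authorization.startswith("Basic "):
        return None, BASIC_WARNING
    creds = base64.b64decode(authorization[len("Basic "):]).decode()
    return creds.split(":", 1)[0], None


def openid_domain(authorization, subject_key="preferred_username"):
    """OpenID domain (model): strip an optional 'Bearer ' prefix and require a
    compact JWS, i.e. three dot-separated parts. A Basic header has one part,
    which is the JWS warning from the thread. No signature check in this model."""
    if not authorization:
        return None, None
    token = authorization[len("Bearer "):] if authorization.startswith("Bearer ") else authorization
    parts = token.split(".")
    if len(parts) != 3:
        return None, JWS_WARNING
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get(subject_key), None


def authenticate(domains, authorization):
    """Try the domains in configured order; stop at the first one that yields a user."""
    warnings = []
    for domain in domains:
        user, warning = domain(authorization)
        if warning:
            warnings.append(warning)
        if user:
            return user, warnings
    return None, warnings


# Constructed sample requests: a system user with basic auth, and a browser user with a
# made-up, unverified JWT whose payload carries preferred_username (the thread's subject_key).
BASIC_REQ = "Basic " + base64.b64encode(b"logstash:constructed-password").decode()
JWT_REQ = "Bearer " + ".".join([b64url(b'{"alg":"RS256"}'),
                                 b64url(b'{"preferred_username":"alice"}'),
                                 b64url(b"constructed-signature")])
BASIC_FIRST = [basic_domain, openid_domain]   # basic at order 0, as in the first config
OPENID_FIRST = [openid_domain, basic_domain]  # openid at order 0, as in the second config
```

Whichever domain comes first, the other class of user produces exactly one warning per request, which is the log message the reply above says is unavoidable without a skip list.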

Thank you. I defined skip_users and got rid of the spamming warning messages.

I thought it was working, but it looks like I have missed something.

I still have this warning spamming the logs:

WARNING: Compact JWS does not have 3 parts

even though in sg_config.yml I have defined the users to skip as follows:

    openid_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: openid
        challenge: false
        config:
          openid_connect_url: https://keycloak.url/auth/realms/prod/.well-known/openid-configuration
          subject_key: preferred_username
          roles_key: group
      skip_users:
        - kibanaro
        - kibanaserver
        - logstash
        - adminp
        - admin
        - filebeat_internal
        - kibanauser

I assume that I did it wrong. How can I prevent internal users, which use basic auth, from trying to use the OpenID login?

Almost there :wink: The “skip_users” entry is part of the config, so it has to be placed inside the “config” section, i.e. on the same level as openid_connect_url, for example.

Hm, still no success with the following configuration :frowning: I am also not sure how it should work, since how should the openid_auth_domain configuration know that the user who is trying to use openid_auth_domain is, for example, “logstash”?

    openid_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: openid
        challenge: false
        config:
          openid_connect_url: https://keycloak.url/auth/realms/prod/.well-known/openid-configuration
          subject_key: preferred_username
          roles_key: group
          skip_users:
            - kibanaro
            - kibanaserver
            - logstash
            - adminp
            - admin
            - kibanauser
            - kibana
            - readall
            - snapshotrestore
      authentication_backend:
        type: noop
