OpenID authorization OPTIONS request

MAXxATTAXx · January 16, 2020, 8:06pm

Versions:
Kibana - 6.7.1-18.3
Elasticsearch - 6.7.1-25.0

I’m facing issues in trying to integrate searchguard with an OIDC idP.
Login is successful but we are seeing the following:

Refresh token doesn’t seem to be used. Session length currently is only based on ID token expiration time.
When token expiration is reached Kibana redirect the users to the oauth login site but with a HTTP OPTIONS to the authorization_endpoint instead of a HTTP GET. On our idP that request is not supported.

Configuration files:

kibana.yml
elasticsearch.hosts: https://127.0.0.1:9200
elasticsearch.password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
elasticsearch.preserveHost: true
elasticsearch.requestHeadersWhitelist:
- sgtenant
- authorization
elasticsearch.requestTimeout: 90000
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
logging.dest: “/var/log/kibana/kibana.log”
searchguard.accountinfo.enabled: false
searchguard.auth.type: openid
searchguard.basicauth.enabled: false
searchguard.cookie.password: ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’
searchguard.cookie.secure: true
searchguard.cookie.ttl: 0
searchguard.multitenancy.enabled: false
searchguard.openid.base_redirect_url: https://kibana.local
searchguard.openid.client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.openid.client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.openid.connect_url: https://oauth.local/.well-known/openid-configuration
searchguard.openid.header: Authorization
searchguard.openid.scope: openid profile email address phone
searchguard.openid.verify_hostnames: false
server.host: 10.10.10.10
server.port: 5601
server.ssl.certificate: “/etc/kibana/kibanaserver.pem”
server.ssl.enabled: true
server.ssl.key: “/etc/kibana/kibanaserver.key”
server.ssl.keyPassphrase: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xpack.apm.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.monitoring.enabled: true
xpack.reporting.csv.maxSizeBytes: 10485760
xpack.reporting.enabled: true
xpack.reporting.encryptionKey: ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’
xpack.reporting.queue.timeout: 300000
xpack.security.enabled: false
xpack.spaces.enabled: true
xpack.xpack_main.telemetry.enabled: false

elasticsearch.yml
action.destructive_requires_name: false
cluster.name: elasticsearchcluster
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping.unicast.hosts:
- 10.10.10.10
- 10.10.10.10
- 10.10.10.10
http.compression: true
http.cors.allow-origin: “/.*/”
http.cors.enabled: true
http.port: 9200
indices.fielddata.cache.size: 15%
indices.memory.index_buffer_size: 30%
indices.memory.min_index_buffer_size: 96mb
network.host:
- 127.0.0.1
- 10.10.10.10
node.data: true
node.master: false
node.name: kibanaserver
searchguard.authcz.admin_dn:
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.cache.ttl_minutes: 2880
searchguard.enable_snapshot_restore_privilege: true
searchguard.enterprise_modules_enabled: true
searchguard.nodes_dn:
- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.roles_mapping_resolution: MAPPING_ONLY
searchguard.ssl.http.enabled: true
searchguard.ssl.http.enabled_ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
searchguard.ssl.http.enabled_protocols:
- TLSv1.2
searchguard.ssl.http.pemcert_filepath: kibanaserver.pem
searchguard.ssl.http.pemkey_filepath: kibanaserver.key
searchguard.ssl.http.pemkey_password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enabled_ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
searchguard.ssl.transport.enabled_protocols:
- TLSv1.2
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.pemcert_filepath: kibanaserver.pem
searchguard.ssl.transport.pemkey_filepath: kibanaserver.key
searchguard.ssl.transport.pemkey_password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.resolve_hostname: false
thread_pool.write.queue_size: 5000
transport.tcp.port: 9300
xpack.ml.enabled: false
xpack.monitoring.collection.enabled: true
xpack.monitoring.enabled: true
xpack.monitoring.exporters.my_local.type: local
xpack.security.enabled: false
xpack.watcher.enabled: false

brian · January 22, 2020, 5:34pm

+1
We are experiencing this same problem.

hsaly · January 27, 2020, 1:02pm

Sergey_Bondarenko · February 4, 2020, 9:37pm

We need more information to help you.
Put the following lines into “elasticsearch/config/log4j2.properties” and paste the elasticsearch log here

logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace

Also, paste content of “sg_config.yml”.

PS
Please format all log and config in your post with backquotes to make it readable.

MAXxATTAXx · February 6, 2020, 11:32pm

We went through an upgrade process and this are our current versions:
Kibana - 6.8.6-19.0
Elasticsearch - 6.8.6-25.5
OpenID authentication backend - 6.8.6-34.5

I enabled level trace as you mentioned, but I don’t see anything on that level being logged.
The ID Token lifetime has been set to 1 minute to make ti easier to replicate.
At this timestamp: “2020-02-06T22:56:36Z” the webpage gets redirected to do authentication on the ODIP-URL but with an OPTIONS request.

“sg_config.yml” :

---
searchguard:
  dynamic:
    kibana:
      do_not_fail_on_forbidden: true
    license: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_f5:
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "https://xxxxxxxxxxxxxxxxxxxxxxxx/v1/.well-known/openid-configuration"
            subject_key: "email"
            roles_key: "kibana_roles"
            jwt_header: "authorization"
        authentication_backend:
          type: "noop"
    authz: null

logs:

==> /var/log/elasticsearch/es-01/elasticserver_sg.log <==
[2020-02-06T16:51:05,596][DEBUG][com.floragunn.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet] [elasticnode] performRefresh(oauth-jwt-rsa)
[2020-02-06T16:51:05,596][INFO ][com.floragunn.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet] [elasticnode] Performing refresh 1
[2020-02-06T16:51:06,096][INFO ][com.floragunn.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet] [elasticnode] KeySetProvider finished

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:49:09,698][INFO ][c.f.s.c.ComplianceConfig ] [elasticnode] Compliance features are enabled
[2020-02-06T16:49:09,699][INFO ][c.f.s.c.IndexBaseConfigurationRepository] [elasticnode] Search Guard License Info: SearchGuardLicense [uid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, type=FULL, features=[COMPLIANCE], issueDate=2019-06-16, expiryDate=2020-06-16, issuedTo=XXXXXXXXXXXXXXXXXXXX, issuer=floragunn GmbH, startDate=2019-06-17, majorVersion=6, clusterName=*, allowedNodeCount=32768, msgs=[], expiresInDays=131, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@72cd01f2, getMsgs()=[], getExpiresInDays()=131, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2020-02-06T16:49:09,699][INFO ][c.f.s.c.IndexBaseConfigurationRepository] [elasticnode] Search Guard License Type: FULL, valid
[2020-02-06T16:49:09,699][INFO ][c.f.s.c.IndexBaseConfigurationRepository] [elasticnode] Node 'elasticnode' initialized
[2020-02-06T16:51:05,510][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:51:06,188][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:51:06,199][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:51:09,549][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:51:09,791][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:51:09,895][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:54:38Z","tags":[],"pid":1040,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT Proxy-IP0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","connection":"keep-alive","upgrade-insecure-requests":"1","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP"},"res":{"statusCode":302,"responseTime":1,"contentLength":9},"message":"GET / 302 1ms - 9.0B"}
{"type":"response","@timestamp":"2020-02-06T22:54:38Z","tags":[],"pid":1040,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?nextUrl=%2F","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT Proxy-IP0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","connection":"keep-alive","upgrade-insecure-requests":"1","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP"},"res":{"statusCode":302,"responseTime":1,"contentLength":9},"message":"GET /auth/openid/login?nextUrl=%2F 302 1ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:54:59,979][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:54:59Z","tags":[],"pid":1040,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?code=94d83b7fe3e0afbfaf4305a1abe3c11d4b2100e438ea243f118b83c3b1b225b4&state=98zD3HRUi8AgPnYtFIJcjY","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT Proxy-IP0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://OIDP-URL/my.policy","connection":"keep-alive","upgrade-insecure-requests":"1","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://OIDP-URL/my.policy"},"res":{"statusCode":302,"responseTime":28,"contentLength":9},"message":"GET /auth/openid/login?code=94d83b7fe3e0afbfaf4305a1abe3c11d4b2100e438ea243f118b83c3b1b225b4&state=98zD3HRUi8AgPnYtFIJcjY 302 28ms - 9.0B"}
{"type":"response","@timestamp":"2020-02-06T22:55:00Z","tags":[],"pid":1040,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT Proxy-IP0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://OIDP-URL/my.policy","connection":"keep-alive","upgrade-insecure-requests":"1","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://OIDP-URL/my.policy"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET / 302 2ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:00,052][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2020-02-06T16:55:00,060][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:00Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/app/kibana","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT Proxy-IP0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://OIDP-URL/my.policy","connection":"keep-alive","upgrade-insecure-requests":"1","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://OIDP-URL/my.policy"},"res":{"statusCode":200,"responseTime":32,"contentLength":9},"message":"GET /app/kibana 200 32ms - 9.0B"}
{"type":"response","@timestamp":"2020-02-06T22:55:04Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/javascript, */*; q=0.01","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"6.8.6","x-requested-with":"XMLHttpRequest","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":15,"contentLength":9},"message":"GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 200 15ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:04,809][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:04Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/v1/auth/authinfo","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"6.8.6","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":14,"contentLength":9},"message":"GET /api/v1/auth/authinfo 200 14ms - 9.0B"}
{"type":"response","@timestamp":"2020-02-06T22:55:04Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/xpack/v1/info","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"6.8.6","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /api/xpack/v1/info 200 3ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:04,955][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:04Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&search=*&search_fields=title&per_page=1&page=1","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://Kibana-URL/app/kibana","content-type":"application/json","kbn-version":"6.8.6","connection":"keep-alive","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":15,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&search=*&search_fields=title&per_page=1&page=1 200 15ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:05,145][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:05Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/v1/restapiinfo","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","kbn-version":"6.8.6","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":14,"contentLength":9},"message":"GET /api/v1/restapiinfo 200 14ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:06,587][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:06Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&per_page=10000&page=1","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://Kibana-URL/app/kibana","content-type":"application/json","kbn-version":"6.8.6","connection":"keep-alive","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":26,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&per_page=10000&page=1 200 26ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:06,682][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:06Z","tags":[],"pid":1040,"method":"get","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern&fields=title&per_page=10000&page=1","method":"get","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://Kibana-URL/app/kibana","content-type":"application/json","kbn-version":"6.8.6","connection":"keep-alive","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":18,"contentLength":9},"message":"GET /api/saved_objects/_find?type=index-pattern&fields=title&per_page=10000&page=1 200 18ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:06,831][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:06Z","tags":[],"pid":1040,"method":"post","statusCode":200,"req":{"url":"/api/saved_objects/_bulk_get","method":"post","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","referer":"https://Kibana-URL/app/kibana","content-type":"application/json","kbn-version":"6.8.6","origin":"https://Kibana-URL","content-length":"70","connection":"keep-alive","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":18,"contentLength":9},"message":"POST /api/saved_objects/_bulk_get 200 18ms - 9.0B"}

==> /var/log/elasticsearch/es-01/elasticserver.log <==
[2020-02-06T16:55:07,738][WARN ][c.f.s.h.HTTPBasicAuthenticator] [elasticnode] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

==> /var/log/kibana/kibana.log <==
{"type":"response","@timestamp":"2020-02-06T22:55:07Z","tags":[],"pid":1040,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true","method":"post","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","content-type":"application/x-ndjson","kbn-version":"6.8.6","content-length":"756","origin":"https://Kibana-URL","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":200,"responseTime":168,"contentLength":9},"message":"POST /elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true 200 168ms - 9.0B"}
{"type":"response","@timestamp":"2020-02-06T22:56:36Z","tags":[],"pid":1040,"method":"post","statusCode":302,"req":{"url":"/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true","method":"post","headers":{"host":"Kibana-URL","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","content-type":"application/x-ndjson","kbn-version":"6.8.6","content-length":"756","origin":"https://Kibana-URL","connection":"keep-alive","referer":"https://Kibana-URL/app/kibana","x-forwarded-for":"Client-IP"},"remoteAddress":"Proxy-IP","userAgent":"Proxy-IP","referer":"https://Kibana-URL/app/kibana"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"POST /elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true 302 3ms - 9.0B"}

thanks

Mike · February 10, 2020, 8:38pm

Hi there,

I think what happens here is that the auth call to the IdP is stopped because of missing CORS headers from the IdP. (https://developer.okta.com/docs/guides/enable-cors/overview/)

However, we should not have an AJAX-Request at that point, so I think something goes wrong in the previous request: “/_msearch?rest…”. This should really return a 401 instead of a 302, which would lead to this little “redirect dance”:

Would it be possible for you to check the request headers in the first request that returns a 302 ("/_msearch…")? It would be interesting to see what the accept and content-type headers contain.
At least one of them should have application/json as value.

Thanks
Mike

MAXxATTAXx · February 11, 2020, 9:51pm

@Mike Thanks for pointing out CORS.
So the OPTIONS preflight request is being triggered quite probably because there is a none default header on the redirect. Take a look at the headers on the OPTIONS request being sent:

CLIENT-IP|+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CLIENT-IP|OPTIONS /f5-oauth2/v1/authorize
CLIENT-IP|Host: OIDP-URL
CLIENT-IP|Connection: keep-alive
CLIENT-IP|Accept: */*
CLIENT-IP|Access-Control-Request-Method: GET
CLIENT-IP|Access-Control-Request-Headers: content-type,kbn-version
CLIENT-IP|Origin: https://Kibana-URL
CLIENT-IP|Sec-Fetch-Mode: cors
CLIENT-IP|Sec-Fetch-Site: same-site
CLIENT-IP|Referer: https://Kibana-URL/app/kibana
CLIENT-IP|User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
CLIENT-IP|Accept-Encoding: gzip, deflate, br
CLIENT-IP|Accept-Language: en-US,en;q=0.9,es;q=0.8
CLIENT-IP|X-Forwarded-For: CLIENT-IP
CLIENT-IP|+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CLIENT-IP|+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CLIENT-IP|GET /f5-oauth2/v1/authorize
CLIENT-IP|Host: OIDP-URL
CLIENT-IP|Connection: keep-alive
CLIENT-IP|Accept: application/json, text/plain, */*
CLIENT-IP|DNT: 1
CLIENT-IP|kbn-version: 6.8.6
CLIENT-IP|User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
CLIENT-IP|content-type: application/x-ndjson
CLIENT-IP|Origin: https://Kibana-URL
CLIENT-IP|Sec-Fetch-Site: same-site
CLIENT-IP|Sec-Fetch-Mode: cors
CLIENT-IP|Referer: https://Kibana-URL/app/kibana
CLIENT-IP|Accept-Encoding: gzip, deflate, br
CLIENT-IP|Accept-Language: en-US,en;q=0.9,es;q=0.8
CLIENT-IP|X-Forwarded-For: CLIENT-IP
CLIENT-IP|+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The header kbn-version make it so the request is not considered as a Simple Request.

I have created a ticket with our idP support to allow CORS preflight request, but I’m not sure if this check should be done at all.

I’m still not seeing Kibana using the UserInfo endpoint once the initial ID token is expired, or extending access by using the Refresh token. Right now Kibana session is restrictred by ID Token expiration.

Thanks

Mike · February 12, 2020, 6:57pm

@MAXxATTAXx I really think the problem is with the request before that OPTIONS request.
Out of curiosity, what happens if you do a full page reload after seeing that error?
Are you redirected to the IdP?

MAXxATTAXx · February 13, 2020, 8:40pm

@Mike So the first request that gets a 302 has the following headers:

The accept header has the application/json value.
If I do a full page reload I do get redirected to the idP.