I believe SG has a bug in its OpenID Connect implementation. Tested on ES 7.10.2, SG 7.10.2-48.0.0.
I noticed that after switching to OIDC for authentication and authorization I’d constantly see forced page refreshes and session expirations in Kibana. After some investigation I increased the access token lifespan to 10 minutes in our OIDC provider (Keycloak) and the issue disappeared, confirming my suspicion.
Access tokens are usually short lived (1 minute is the default in Keycloak), and Kibana + SG is the only application where I have ever seen this behavior.
I’d also like to report another potential bug related to OIDC. I’ve been frequently using environment variables in SG and ES/Kibana configuration files. In the file you can see below I added ${OIDC_SECRET} and ${OIDC_CLIENT}. The environment variables are definitely in the container; I manually inspected the container environment and could find both of these variables set, alongside the other two. However, Kibana would not resolve these variables but used them as literal strings, with “${OIDC_CLIENT}” being the client name. The mechanism by which I set these variables is exactly the same as for the others.
Is it possible that SG doesn’t use env variables for these specific keys? Any suggestion would be appreciated.
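An added diagnostic, not from the poster or from Search Guard, that checks both symptoms described above from the defender's side: it reads exp - iat from an access token to confirm the lifespan the provider actually issues, and it expands ${VAR} placeholders in a config fragment against the environment so any placeholder left literal (the “${OIDC_CLIENT}” case) is reported. The token and the config fragment are constructed samples; the searchguard.openid.* key names are assumed to match the Kibana plugin's OIDC settings.

```python
import base64
import json
import os
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a JWT-shaped token whose payload has iat/exp 60 s apart,
# i.e. Keycloak's default access token lifespan mentioned in the post.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iat": 1700000000, "exp": 1700000060, "azp": "kibana"}).encode()),
    "",
])


def token_lifetime_seconds(token: str) -> int:
    """Return exp - iat from the JWT payload, read WITHOUT signature verification.

    This is purely a diagnostic of what lifespan the provider issues; never use
    the claims read this way for an authentication decision.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return int(claims["exp"]) - int(claims["iat"])


PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_config(text: str, env: dict):
    """Expand ${VAR} placeholders from env; return (rendered, unresolved names)."""
    unresolved = []

    def repl(match):
        name = match.group(1)
        if name in env:
            return env[name]
        unresolved.append(name)
        return match.group(0)  # keep the literal so the failure is visible

    return PLACEHOLDER.sub(repl, text), unresolved


# Constructed Kibana config fragment using the placeholders named in the post.
SAMPLE_CONFIG = (
    "searchguard.openid.client_id: ${OIDC_CLIENT}\n"
    "searchguard.openid.client_secret: ${OIDC_SECRET}\n"
)

if __name__ == "__main__":
    print("access token lifetime:", token_lifetime_seconds(SAMPLE_TOKEN), "s")
    rendered, missing = expand_config(SAMPLE_CONFIG, dict(os.environ))
    print(rendered, "unresolved placeholders:", missing)
```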
At the moment, we are working on a completely new implementation for logging into Kibana. Among other problems, this should also fix the refresh problems you are observing. You can track the issue here:
Regarding the env vars: This was indeed a bug in the Kibana plugin. The 49.1 or 50 Search Guard Kibana plugin fixes this: