OpenID Connect access token lifespan bug


I believe SG has a bug in its OpenID Connect implementation. Tested on ES 7.10.2, SG 7.10.2-48.0.0.

I noticed that after switching to OIDC for authentication and authorization I’d constantly see forced page refreshes and session expirations in Kibana. After some investigation I increased the access token lifespan to 10 minutes in our OIDC provider (Keycloak) and the issue disappeared, confirming my suspicious.

Access tokens are usually short lived (1 minute is the default in Keycloak), and Kibana + SG is the only application where I have ever seen this behavior.

Kind regards,

I’d also like to report another potential bug related to OIDC. I’ve been frequently using environment variables in SG and ES/Kibana configuration files. In the file you can see below I added ${OIDC_SECRET} and ${OIDC_CLIENT}. The environment variables are definitively in the container, I manually inspected the container environment and could find both of these variables set, alongside the other two. However, Kibana would not resolve these variables but use them as string “${OIDC_CLIENT}” being the client name. The mechanism by which I set these variables is exactly the same as for the others.

Is it possible that SG doesn’t use env variables for these specific keys? Any suggestion would be appreciated.

  port: 5601
    enabled: false

  hosts: https://es01:9200
  ssl.verificationMode: none # not needed because we only access localhost
  username: kibanaserver
  password: ${KIBANASERVER_PASS}
  requestHeadersWhitelist: ['Authorization', 'sgtenant']
  requestTimeout: 120000 false
xpack.encryptedSavedObjects.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
  auth.type: openid
    client_id: ${OIDC_CLIENT}
    client_secret: ${OIDC_SECRET}

Hello Sascha,

At the moment, we are working on a completely new implementation for logging into Kibana. Among other problems, this should also fix the refresh problems you are observing. You can track the issue here:

Regarding the env vars: This was indeed a bug in the Kibana plugin. The 49.1 or 50 Search Guard Kibana plugin fixes this:

1 Like

Awesome, thank you for the quick response!

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.