OpenID Connect access token lifespan bug

sascha.herzinger · May 27, 2021, 7:00am

Hi,

I believe SG has a bug in its OpenID Connect implementation. Tested on ES 7.10.2, SG 7.10.2-48.0.0.

I noticed that after switching to OIDC for authentication and authorization I’d constantly see forced page refreshes and session expirations in Kibana. After some investigation I increased the access token lifespan to 10 minutes in our OIDC provider (Keycloak) and the issue disappeared, confirming my suspicious.

Access tokens are usually short lived (1 minute is the default in Keycloak), and Kibana + SG is the only application where I have ever seen this behavior.

Kind regards,
Sascha

sascha.herzinger · May 27, 2021, 7:10am

I’d also like to report another potential bug related to OIDC. I’ve been frequently using environment variables in SG and ES/Kibana configuration files. In the file you can see below I added ${OIDC_SECRET} and ${OIDC_CLIENT}. The environment variables are definitively in the container, I manually inspected the container environment and could find both of these variables set, alongside the other two. However, Kibana would not resolve these variables but use them as string “${OIDC_CLIENT}” being the client name. The mechanism by which I set these variables is exactly the same as for the others.

Is it possible that SG doesn’t use env variables for these specific keys? Any suggestion would be appreciated.

server:
  port: 5601
  host: 0.0.0.0
  name: jarvis.lcsb.uni.lu
  ssl:
    enabled: false

elasticsearch:
  hosts: https://es01:9200
  ssl.verificationMode: none # not needed because we only access localhost
  username: kibanaserver
  password: ${KIBANASERVER_PASS}
  requestHeadersWhitelist: ['Authorization', 'sgtenant']
  requestTimeout: 120000

xpack.security.enabled: false
xpack.encryptedSavedObjects.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
searchguard:
  auth.type: openid
  openid:
    connect_url: https://keycloak.lcsb.uni.lu/auth/realms/master/.well-known/openid-configuration
    base_redirect_url: https://jarvis.lcsb.uni.lu
    client_id: ${OIDC_CLIENT}
    client_secret: ${OIDC_SECRET}

nils · May 27, 2021, 7:29am

Hello Sascha,

At the moment, we are working on a completely new implementation for logging into Kibana. Among other problems, this should also fix the refresh problems you are observing. You can track the issue here:

Regarding the env vars: This was indeed a bug in the Kibana plugin. The 49.1 or 50 Search Guard Kibana plugin fixes this:

sascha.herzinger · May 27, 2021, 7:32am

Awesome, thank you for the quick response!

system · June 17, 2021, 7:32am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configure session timeout and lifespan (openid with kibana) Search Guard	2	713	September 2, 2021
Openid connect and kibana problems Search Guard	3	663	April 1, 2020
OpenID authorization OPTIONS request Search Guard	9	2212	March 5, 2020
Help needed with access token to role mapping Search Guard	3	654	April 21, 2020
Authentication finally failed for null from $ip_address Search Guard	8	2632	August 12, 2021

OpenID Connect access token lifespan bug

Related Topics