OpenID Connect and Kibana problems

We’re in the process of integrating our Keycloak instance with Search Guard.
We followed the documentation for the latest version, but Kibana challenges with a login/password and responds with:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Authorization Required"
kbn-name: kibana
content-type: application/json; charset=utf-8
cache-control: no-cache
content-length: 78
Date: Thu, 05 Mar 2020 12:01:13 GMT
Connection: keep-alive

We didn’t create a Kibana user in Keycloak: is that the problem?

If Kibana challenges with a 401 and Basic Auth, this usually means that no authentication domain was able to authenticate the user properly. However, if OIDC is configured correctly and the user could not be authenticated, you should see a Kibana / Search Guard error page rather than the Basic Auth dialogue.

What do your sg_config.yml and kibana.yml look like?

In sg_config, you need two authentication domains:

  1. Basic Auth for the Kibana server user
  2. OIDC for “regular” Kibana users

You need 1) because for the Kibana server user Kibana only allows Basic authentication. This is a Kibana limitation that we can’t work around.

Can you post both sg_config.yml and kibana.yml? Also, if you see the Basic Auth popup, are there any corresponding messages in the ES logs?
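The two-domain layout described in the reply above, as an added sketch that is not part of the original thread and is not the poster's configuration. It assumes the Search Guard 7.x `sg_config.yml` format; the Keycloak hostname, the realm name and the claim names in `subject_key` / `roles_key` are placeholders.

```yaml
_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
    authc:
      # 1) HTTP Basic against the internal user database.
      #    Needed because the Kibana server user can only use Basic auth.
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          # false: do not answer unauthenticated requests with a
          # WWW-Authenticate: Basic challenge, so the request can fall
          # through to the OIDC domain instead of triggering a browser popup.
          challenge: false
        authentication_backend:
          type: internal

      # 2) OpenID Connect for regular Kibana users.
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            # Placeholder claim names; use the claims your IdP actually issues.
            subject_key: preferred_username
            roles_key: roles
            # Placeholder URL: the IdP's OIDC discovery document.
            openid_connect_url: https://keycloak.example.com/auth/realms/<realm>/.well-known/openid-configuration
        authentication_backend:
          # The IdP has already authenticated the user, so no backend lookup.
          type: noop
```

On the Kibana side, `searchguard.auth.type: "openid"` in kibana.yml selects the OIDC login flow, while `elasticsearch.username` / `elasticsearch.password` remain the Basic credentials of the Kibana server user from the internal user database, which is why that user does not need to exist in Keycloak.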

I realised there was something wrong with my Apache proxy, which I got rid of now that I don’t need it anymore.
OpenID works as expected now, thanks for trying to help a PBCAK!
