Openid connect and reverse proxy

Hi, we are trying to configure SSO for Kibana; we use Microsoft ADFS and OpenID. We also use an Apache reverse proxy for our Kibana and we have the Kibana server.basePath parameter set.
When we configure OpenID for Kibana SSO, the login process stops at URL https://ourdomain/ourbasepath/auth/openid/encode?nextUrl=%2Fourbasepath%2F

The source code of the encode page is

          <html>
            <head>
            <script src="/auth/openid/encode-js"></script>
            </head>
            <body></body>
          </html>

As you can see, the basePath is missing from the src of the encode-js script, so the script isn't loaded and the login process stops here.

We found the source JavaScript of this URL in routes.js and it seems like the base path is not used in

httpResources.register({
  path: `${_constants.APP_ROOT}${routesPath}encode-js`,

When we use LDAP or SAML everything works well, but we need to configure OpenID.
Can you please check the whole login process for OpenID when a reverse proxy is used,
and make a fixed version or let us know how to fix this behavior?

Elasticsearch version:
7.15.

Server OS version:
RHEL 7

Kibana version (if relevant):
7.15.1 and 7.10.2 (we tried both)

Describe the issue:
Login process stops at URL: https://ourdomain/ourbasepath/auth/openid/encode?nextUrl=%2Fourbasepath%2F

Steps to reproduce:

  1. configure apache reverse proxy server for kibana
  2. configure kibana with server.basePath parameter
  3. configure openid sso in kibana
  4. try to login

Expected behavior:
The login process will work.
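As an added example (not code from the post or from Search Guard), a small Node.js check for the failure described above: it scans a served page for root-relative script references that omit server.basePath and renders the same page with the base path prepended. The HTML sample and the basePath value are constructed from the post.

```javascript
// Added example, not code from the post or from Search Guard: given the HTML of
// a page served behind a reverse proxy with Kibana's server.basePath set, find
// <script src="..."> references that omit the base path, and rewrite them.

// Constructed sample: the encode page quoted in the post above.
const ENCODE_PAGE_HTML = `<html>
  <head>
  <script src="/auth/openid/encode-js"></script>
  </head>
  <body></body>
</html>`;

// Kibana requires server.basePath to start with a slash and not end with one.
function normalizeBasePath(basePath) {
  let p = basePath.trim();
  if (!p.startsWith("/")) p = "/" + p;
  return p.replace(/\/+$/, "");
}

// Only root-relative paths ("/x") are affected; "//host/x" and "https://..." are not.
function needsBasePath(src, base) {
  const isRootRelative = src.startsWith("/") && !src.startsWith("//");
  const underBase = src === base || src.startsWith(base + "/");
  return isRootRelative && !underBase;
}

const SCRIPT_SRC_RE = /(<script\b[^>]*\bsrc\s*=\s*["'])([^"']+)(["'])/gi;

// Return every script src the browser would request at the proxy root, i.e. the
// references that bypass basePath and 404, which is the failure in the post.
function findScriptsMissingBasePath(html, basePath) {
  const base = normalizeBasePath(basePath);
  const missing = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    if (needsBasePath(m[2], base)) missing.push(m[2]);
  }
  return missing;
}

// Render the page as it should have been served: basePath prepended to each
// affected src, everything else untouched.
function prefixScriptsWithBasePath(html, basePath) {
  const base = normalizeBasePath(basePath);
  return html.replace(SCRIPT_SRC_RE, (whole, before, src, after) =>
    needsBasePath(src, base) ? before + base + src + after : whole
  );
}
```

Running `findScriptsMissingBasePath` against the page fetched through the proxy gives a quick way to confirm whether a login stall is this basePath problem rather than an IdP misconfiguration.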

Hello @zdenek

Would you mind sharing your kibana.yml and sg_config.yml files?


@zdenek Thanks for providing the files.

I've found that in my case I had to set the below in kibana.yml to get it working with Keycloak OpenID.

server.basePath: "/basePath"
searchguard.openid.base_redirect_url: "https://<haproxy_FQDN>"

In Keycloak my redirect is set to "https://<haproxy_FQDN>/basePath"

In haproxy.cfg I have the below.

backend kibana1 
    option httpchk GET /api/status HTTP/1.1\r\nHost:localhost
    reqrep ^([^\ :]*)\ /kibana1(\/*)(.*) \1\ /\3
    rsprep ^[Cc]ache-[Cc]ontrol:\ no-cache Cache-Control:\ max-age=84600 if { capture.req.uri -m beg /kibana1/ui/ /kibana1/plugins/ /kibana1/bundles/ }
    server kibana1 <FQDN_of_destination_kibana>:5601 check ssl verify none

In your case basePath is present in both server.basePath and searchguard.openid.base_redirect_url:

@pablo
Hi,
we tried to configure searchguard.openid.base_redirect_url: "https://kibana.csint.cz/notix" and also searchguard.openid.base_redirect_url: "https://kibana.csint.cz", but the behavior is still the same.
The authentication process stops at URL https://kibana.csint.cz/notix/auth/openid/encode?nextUrl=%2Fnotix%2F because it tries to load the script at URL "https://kibana.csint.cz/auth/openid/encode-js" and the script doesn't exist.
I made a screenshot from my browser.
Can you tell us what we can try?

We have just released a new version of Search Guard which fixes the issue: