Searchguard Open ID autherror using Keycloak

Hi,

I always get the auth error please provide a new token while embedding kibana link in iframe.
I am using kibana and elasticsearch version 7.2.

My Elasticsearch log:
{"type": "server", "timestamp": "2020-01-31T10:04:31,997+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }
elasticsearch_1 | {"type": "server", "timestamp": "2020-01-31T10:04:32,001+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }

My sg_config.yml configuration file

_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "http://XXXXXXXXXX:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: "noop"
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"

My kibana.yml is:

server.port: 53711
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:53710/"]
kibana.index: ".aiq"
xpack.security.enabled: false
elasticsearch.username: admin
elasticsearch.password: AiqWc123#
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/pemfiles/root-ca.pem"
csp.rules:
  - "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
console.proxyConfig:
  - ssl.verify: false
csp.warnLegacyBrowsers: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://XXXXX:8090/auth/realms/YYYYYY_realm/.well-known/openid-configuration"
searchguard.openid.client_id: "yyyyyy_client"
searchguard.openid.client_secret: "3fc5417a-3457-46d5-b2a4-eeff34168b4e"
searchguard.openid.base_redirect_url: "http://XXXXXXXXXXXX:53711"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "jwtheader", "Basic Authorization", "WWW-Authenticate Basic", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles"]

I am stuck here. It is always redirecting to the /customerror?type=authError endpoint instead of app/kibana in Kibana.
It would be very helpful if anyone could help me with this.

Thanks,
Ranjith

This error can be caused either by improper configuration or wrong cookies in your browser. Please check this troubleshooting guide and let me know: OpenID Troubleshooting | Security for Elasticsearch | Search Guard

If the guide doesn't help, put the following lines into "elasticsearch/config/log4j2.properties" and paste the Elasticsearch log here:

logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace

PS
Please format all logs and configs in your post with backquotes to make them readable.

Hi Sergey,

After adding the following lines to the log4j properties file, I could not find more information in the Elasticsearch logs.

logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace

It is redirecting from Kibana to Keycloak correctly. But the first time, the token is not set and I get the "Please provide a new token" screen from the /customerror?type=authError URL.
At that time my log is

elasticsearch_1 | {"type": "server", "timestamp": "2020-02-24T10:43:01,113+0000", "level": "ERROR", "component": "c.f.d.a.h.j.HTTPJwtAuthenticator", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "2t9vtZ5HRG-NDiIQUE9zSA", "node.id": "OpUxr35iTI2QzOB1FgZ-KA", "message": "Missing Signing Key. JWT authentication will not work" }
elasticsearch_1 | {"type": "server", "timestamp": "2020-02-24T10:43:01,113+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "2t9vtZ5HRG-NDiIQUE9zSA", "node.id": "OpUxr35iTI2QzOB1FgZ-KA", "message": "Authentication finally failed for null from 127.0.0.1:49414" }

So where is my configuration improper, in Kibana or in Elasticsearch?

It would be very helpful for me if I could get more details from you for troubleshooting this.
I am using Keycloak version 4.4.0. Could that be the cause of this issue?

Note: I have implemented this same setup and configuration in version 6.3.2, and it works fine there.

I don’t see the JWT configuration in your sg_config.yml. Find a configuration example below.

elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml

...
jwt_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "base64 encoded key"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      subject_key: null
      roles_key: null
  authentication_backend:
    type: noop

Make sure you have only one authc provider with order: 0. Read the documentation to find more JSON web tokens Quick Start | Security for Elasticsearch | Search Guard

Also, double-check your signing_key value. First, you should have it. Second, make sure the value is one line. Breaking it into several lines adds whitespace to the key, making it incorrect.

elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml

jwt_auth_domain:
 ...
    config:
      signing_key: "base64 encoded key"

Hi Sergey,

But I have to connect to Keycloak through the OpenID protocol. I only see documentation for that.

Can we connect to Keycloak through JWT? If yes, can I get that documentation link?

My log when I use only openID in sg_config.yml is

[WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts

Also, inside the iframe no token is being set. I always receive "Please provide a new token". Is there any way to fix this?

Thanks,
Ranjith

My bad, I saw the "Missing Signing Key. JWT authentication will not work" error in your log and assumed you were struggling to configure JWT authentication.

It seems your config is wrong somewhere. Did you check all the recommendations for troubleshooting “Please provide new token” error?

I noticed you have SSL disabled but verify_hostnames: true. Make it verify_hostnames: false. Give me your elasticsearch.yml. And format the kibana.yml and sg_config.yml you posted; it is very hard to read the config without any indentation.

Also, check this OpenID setup article: Kibana Single Sign-On with OpenID and Keycloak | Search Guard

Hi Sergey,

I need both openid and JWT authentication to be implemented.

elastic.yml

node.name: Atomiq
network.host: 0.0.0.0
http.port: 53710
discovery.seed_hosts: ["0.0.0.0"]
cluster.initial_master_nodes: ["Atomiq"]
script.painless.regex.enabled: true

transport.port: 53720-53820
xpack.security.enabled: false

http.cors.enabled: true
http.cors.allow-origin: '*'
#http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With,X-Auth-Token,Content-Type,Content-Length, Authorization, sg_tenant"
http.cors.allow-credentials: true

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS","SGS_OWN_INDEX"]

kibana.yml

server.port: 53711

server.host: "0.0.0.0"

elasticsearch.hosts: ["http://localhost:53710/"]

kibana.index: ".aiq"

xpack.security.enabled: false

elasticsearch.username: admin
elasticsearch.password: AiqWc123#
#searchguard.auth.type: "basicauth"
#searchguard.auth.anonymous_auth_enabled: true
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/pemfiles/root-ca.pem"
console.proxyConfig:
    - ssl.verify: false
#csp.strict: true
csp.rules:
  - "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
csp.warnLegacyBrowsers: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://aiq-VirtualBox:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
searchguard.openid.client_id: "wilburcurtis_client"
searchguard.openid.client_secret: "069ff13c-0d39-4789-8494-636c0a202c55"
searchguard.openid.base_redirect_url: "http://aiq-VirtualBox:53711"
searchguard.openid.header: "Authorization"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]

sg_config.yml

---
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "http://aiq-virtualbox:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
            subject_key: "preferred_username"
            roles_key: "roles"
        authentication_backend:
          type: "noop"
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvzs2vxBl8otEv0K2DHPrX5fO1qM3TEJXh0lCsJ883McVlIli5glCdLyz0gNcPTV3ycHlAgGSMgFNeIiDl+ioGkOyXsOPJKKn3jPZq8KypfWzX/ybFC8+lsWFHKyF9721Va3TlyRZg6Xs44rqRzJfmjYAZrK4pLmlBuVN+JaHnfDfA7LoMuAY4gbbI3uyCcQUvZCwTEF8ec32jp7LpnjWHZTtO6mSe2qPhdlO2IlDTkFXJCtq0YPpsQl4uvF0kHCxcQJqbb4gH0o79NwmgeYy/2J9cytGOg9oJOYueAuadjC+IFmKBNK0GJ4I0v3dGWcjgEHHlv7nS5565TNNVh6/zQIDAQAB"
            jwt_url_parameter: null
            roles_key: "roles"
            subject_key: "preferred_username"
        authentication_backend:
          type: "noop"

For the above configuration, I am getting the following log:

][WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts
elasticsearch_1  | [2020-02-25T20:07:50,395][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] [Atomiq] No JWT token found in 'Authorization' header header
elasticsearch_1  | [2020-02-25T20:07:50,396][WARN ][c.f.s.a.BackendRegistry  ] [Atomiq] Authentication finally failed for null from 127.0.0.1:38100
elasticsearch_1  | [2020-02-25T20:07:50,401][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] [Atomiq] No JWT token found in 'Authorization' header header
elasticsearch_1  | [2020-02-25T20:07:50,401][WARN ][c.f.s.a.BackendRegistry  ] [Atomiq] Authentication finally failed for null from 127.0.0.1:38100
elasticsearch_1  | [2020-02-25T20:07:50,597][WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts

Thanks,
Ranjith
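The two failure modes in this thread, a signing_key that is absent or split over several lines and an Authorization header that does not carry a three-part compact JWS, can be checked locally before touching the cluster. This is an added diagnostic written for this thread, not Search Guard code; it assumes the claim names from the posted sg_config.yml (preferred_username, roles) and uses a constructed token with a placeholder signature, so it inspects structure only and does not verify signatures.

```python
import base64
import json

# Claim names taken from the sg_config.yml posted above (subject_key / roles_key)
SUBJECT_KEY, ROLES_KEY = "preferred_username", "roles"


def check_signing_key(key):
    """Report the signing_key defects discussed above: absent, multi-line, or not base64."""
    if not key:
        return ["Missing Signing Key"]
    problems = []
    if any(ch.isspace() for ch in key):
        problems.append("signing_key contains whitespace/newlines; it must be one line")
    try:
        base64.b64decode("".join(key.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        problems.append("signing_key is not valid base64")
    return problems


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_authorization(header):
    """Classify an Authorization header the way the log lines above do (structure only)."""
    if not header:
        return {"status": "No JWT token found in 'Authorization' header"}
    token = header[7:] if header.lower().startswith("bearer ") else header
    parts = token.split(".")
    if len(parts) != 3:  # e.g. a Basic credential or a cookie blob, not a compact JWS
        return {"status": "Compact JWS does not have 3 parts"}
    try:
        jose_header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return {"status": "JWT header or payload is not base64url-encoded JSON"}
    return {
        "status": "ok",
        "kid": jose_header.get("kid"),  # the id SelfRefreshingKeySet refreshes by
        "subject": claims.get(SUBJECT_KEY),
        "roles": claims.get(ROLES_KEY, []),
    }


def make_sample_token():
    """Constructed sample token (placeholder signature) for trying the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-kid"}
    claims = {SUBJECT_KEY: "ranjith", ROLES_KEY: ["kibanauser"]}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"
```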

Hi Sergey,

My configuration for OpenID with Search Guard and Keycloak is working at the browser level, but when I try to share my Kibana link in an iframe application I am getting "Authentication failed. Please provide a new token."

The token is not being set inside the iframe application, so I am getting an authentication failure, whereas the token (searchguard_authentication and searchguard_cookie) is set in the browser.

Please suggest on how to proceed.

Thanks,
Ranjith

The anonymous authentication can be a solution. Configuration:

sg_config.yml

_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
    ...
    http:
      anonymous_auth_enabled: true

sg_roles_mapping.yml

sg_anonymous:
  backend_roles:
    - sg_anonymous_backendrole

sg_roles.yml

sg_anonymous:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    - index_patterns:
      - "public-*"
      allowed_actions:
        - READ

ATTENTION! Make sure the sg_anonymous user doesn't have access to sensitive data.

You can enable it and map the anonymous user to a Search Guard role with access ONLY to the Dashboard data you want to show via iframe. The unauthenticated requests are assigned to the anonymous user and the corresponding role automatically.

The documentation:

I see you access Kibana via HTTP, try to set the following in your kibana.yml

searchguard.cookie.secure: false

Hi Sergey,

I have configured the anonymous user, so the "Authentication finally failed for null" in my logs is fixed.

But I am still getting an authentication failure inside the iframe. When I ran my logs in debug mode and opened Kibana in the browser, I was redirected to the Keycloak realm; after entering the credentials in the realm, I got the following logs in Elasticsearch:

[DEBUG][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] performRefresh(GNqdUa7K8bIAdxarlsJdJoHKfw8KbrPv0fhj4xr0DSU)
elasticsearch_1  | [2020-02-28T10:32:57,237][INFO ][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] Performing refresh 1
elasticsearch_1  | [2020-02-28T10:32:57,474][INFO ][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] KeySetProvider finished.

These logs are not printed when I use the Kibana link from the iframe. I think the kid is not being set inside the iframe.

Please suggest on this how to proceed.

Thanks,
Ranjith

Hi Sergey,

Can you please help me with your mail id? or you can mail to ‘ranjirajeshwari94@gmail.com’

Thanks,
Ranjith

What version of the browser do you have? Maybe you have the new SameSite restrictions enabled and that’s why you can’t authenticate? Update your web browser to be sure. They all rolled back the new SameSite settings due to COVID, for example, Chrome official statement.
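The SameSite point above can be made concrete: whether the Search Guard session cookie reaches a cross-site iframe depends on its SameSite and Secure attributes and on whether Kibana is served over HTTPS. This is an added illustration, not code from the thread or from Search Guard; it assumes the Chrome 80 default behaviour (no SameSite attribute is treated as Lax, SameSite=None requires Secure) and uses constructed Set-Cookie lines modelled on the searchguard_authentication cookie name mentioned earlier.

```python
from http.cookies import SimpleCookie


def cookie_behaviour_in_cross_site_iframe(set_cookie_line, page_is_https):
    """Evaluate one Set-Cookie line under the Chrome 80 defaults referred to above:
    a missing SameSite attribute is treated as Lax, Lax/Strict cookies are not sent
    on cross-site iframe requests, SameSite=None requires Secure, and a Secure cookie
    is only accepted from an HTTPS page. Returns (stored, sent_to_iframe, reason)."""
    jar = SimpleCookie()
    jar.load(set_cookie_line)
    name, morsel = next(iter(jar.items()))
    samesite = (morsel["samesite"] or "Lax").lower()  # missing attribute -> Lax
    secure = bool(morsel["secure"])
    if secure and not page_is_https:
        return (False, False, f"{name}: Secure cookie is rejected when Kibana is served over http")
    if samesite == "none" and not secure:
        return (False, False, f"{name}: SameSite=None without Secure is rejected")
    if samesite in ("lax", "strict"):
        return (True, False, f"{name}: SameSite={samesite} cookie is stored but not sent to a cross-site iframe")
    return (True, True, f"{name}: SameSite=None; Secure cookie is sent to the cross-site iframe")


# Constructed sample lines modelled on the cookie name mentioned in the thread
SAMPLES = [
    "searchguard_authentication=token; Path=/; HttpOnly",
    "searchguard_authentication=token; Path=/; HttpOnly; SameSite=None; Secure",
]

if __name__ == "__main__":
    for https in (False, True):
        for line in SAMPLES:
            print("https" if https else "http ", cookie_behaviour_in_cross_site_iframe(line, https)[2])
```

Run against the two samples, it shows that under these defaults a cookie can only reach a cross-site iframe as SameSite=None; Secure, which in turn requires Kibana to be served over HTTPS rather than the plain http URLs used in this thread.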