Hi,
I always get the auth error "please provide a new token" while embedding a Kibana link in an iframe.
I am using Kibana and Elasticsearch version 7.2.
My Elasticsearch log:
{"type": "server", "timestamp": "2020-01-31T10:04:31,997+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }
elasticsearch_1 | {"type": "server", "timestamp": "2020-01-31T10:04:32,001+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }
My sg_config.yml configuration file
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "http://XXXXXXXXXX:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: "noop"
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
My kibana.yml is:
server.port: 53711
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:53710/"]
kibana.index: ".aiq"
xpack.security.enabled: false
elasticsearch.username: admin
elasticsearch.password: AiqWc123#
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/pemfiles/root-ca.pem"
csp.rules:
  - "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
console.proxyConfig:
  - ssl.verify: false
csp.warnLegacyBrowsers: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://XXXXX:8090/auth/realms/YYYYYY_realm/.well-known/openid-configuration"
searchguard.openid.client_id: "yyyyyy_client"
searchguard.openid.client_secret: "3fc5417a-3457-46d5-b2a4-eeff34168b4e"
searchguard.openid.base_redirect_url: "http://XXXXXXXXXXXX:53711"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "jwtheader", "Basic Authorization", "WWW-Authenticate Basic", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles"]
I am stuck here. It always redirects to the /customerror?type=authError endpoint instead of app/kibana in Kibana.
It would be very helpful if anyone could help me with this.
Thanks,
Ranjith
srgbnd
February 4, 2020, 9:31pm
2
This error can be caused either by improper configuration or by wrong cookies in your browser. Please check this troubleshooting guide and let me know: OpenID Troubleshooting | Security for Elasticsearch | Search Guard
If the guide doesn't help, put the following lines into "elasticsearch/config/log4j2.properties" and paste the Elasticsearch log here:
logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace
PS
Please format all logs and configs in your post with backquotes to make them readable.
ranjith
February 24, 2020, 10:48am
4
Hi Sergey,
After adding the following lines to the log4j properties file, I could not find more information in the Elasticsearch logs.
logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace
It redirects from Kibana to Keycloak correctly. But the first time, the token is not set and I get the "Please provide a new token" screen at the /customerror?type=authError URL.
At that time my log is
elasticsearch_1 | {"type": "server", "timestamp": "2020-02-24T10:43:01,113+0000", "level": "ERROR", "component": "c.f.d.a.h.j.HTTPJwtAuthenticator", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "2t9vtZ5HRG-NDiIQUE9zSA", "node.id": "OpUxr35iTI2QzOB1FgZ-KA", "message": "Missing Signing Key. JWT authentication will not work" }
elasticsearch_1 | {"type": "server", "timestamp": "2020-02-24T10:43:01,113+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "2t9vtZ5HRG-NDiIQUE9zSA", "node.id": "OpUxr35iTI2QzOB1FgZ-KA", "message": "Authentication finally failed for null from 127.0.0.1:49414" }
So where is my configuration improper, in Kibana or in Elasticsearch?
It would be very helpful for me if I could get more details from you for troubleshooting this.
I am using Keycloak version 4.4.0. Could that be the cause of this issue?
Note: with this same setup and configuration implemented in version 6.3.2, it works fine.
srgbnd
February 24, 2020, 3:36pm
5
I don’t see the JWT configuration in your sg_config.yml. Find a configuration example below.
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
...
      jwt_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            subject_key: null
            roles_key: null
        authentication_backend:
          type: noop
Make sure you have only one authc provider with order: 0. Read the documentation to find out more: JSON web tokens Quick Start | Security for Elasticsearch | Search Guard
Also, double-check your signing_key value. First, you should have it. Second, make sure the value is one line. Breaking it into newlines adds whitespace to the key, making it incorrect.
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
      jwt_auth_domain:
        ...
          config:
            signing_key: "base64 encoded key"
ranjith
February 25, 2020, 4:34pm
6
Hi Sergey,
But I have to connect to Keycloak through the OpenID protocol. I only see documentation for that.
Can we connect to Keycloak through JWT? If yes, can I get the documentation link?
My log when I use only OpenID in sg_config.yml is:
[WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts
Also, inside the iframe no token is being set. I always receive "Please provide a new token". Is there any way to fix this?
Thanks,
Ranjith
srgbnd
February 25, 2020, 7:19pm
7
My bad, I saw the "Missing Signing Key. JWT authentication will not work" error in your log and assumed you were struggling to configure JWT authentication.
It seems your config is wrong somewhere. Did you check all the recommendations for troubleshooting the "Please provide new token" error?
I noticed you have SSL disabled but verify_hostnames: true. Make it verify_hostnames: false.
Give me your elasticsearch.yml. And format the kibana.yml and sg_config.yml you posted; it is very hard to read the config without any indentation.
Also, check this OpenID setup article: Kibana Single Sign-On with OpenID and Keycloak | Search Guard
ranjith
February 25, 2020, 7:57pm
8
Hi Sergey,
I need both OpenID and JWT authentication to be implemented.
elasticsearch.yml
node.name: Atomiq
network.host: 0.0.0.0
http.port: 53710
discovery.seed_hosts: ["0.0.0.0"]
cluster.initial_master_nodes: ["Atomiq"]
script.painless.regex.enabled: true
transport.port: 53720-53820
xpack.security.enabled: false
http.cors.enabled: true
http.cors.allow-origin: '*'
#http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With,X-Auth-Token,Content-Type,Content-Length, Authorization, sg_tenant"
http.cors.allow-credentials: true
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS","SGS_OWN_INDEX"]
kibana.yml
server.port: 53711
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:53710/"]
kibana.index: ".aiq"
xpack.security.enabled: false
elasticsearch.username: admin
elasticsearch.password: AiqWc123#
#searchguard.auth.type: "basicauth"
#searchguard.auth.anonymous_auth_enabled: true
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/pemfiles/root-ca.pem"
console.proxyConfig:
  - ssl.verify: false
#csp.strict: true
csp.rules:
  - "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
csp.warnLegacyBrowsers: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://aiq-VirtualBox:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
searchguard.openid.client_id: "wilburcurtis_client"
searchguard.openid.client_secret: "069ff13c-0d39-4789-8494-636c0a202c55"
searchguard.openid.base_redirect_url: "http://aiq-VirtualBox:53711"
searchguard.openid.header: "Authorization"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
sg_config.yml
---
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "http://aiq-virtualbox:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
            subject_key: "preferred_username"
            roles_key: "roles"
        authentication_backend:
          type: "noop"
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvzs2vxBl8otEv0K2DHPrX5fO1qM3TEJXh0lCsJ883McVlIli5glCdLyz0gNcPTV3ycHlAgGSMgFNeIiDl+ioGkOyXsOPJKKn3jPZq8KypfWzX/ybFC8+lsWFHKyF9721Va3TlyRZg6Xs44rqRzJfmjYAZrK4pLmlBuVN+JaHnfDfA7LoMuAY4gbbI3uyCcQUvZCwTEF8ec32jp7LpnjWHZTtO6mSe2qPhdlO2IlDTkFXJCtq0YPpsQl4uvF0kHCxcQJqbb4gH0o79NwmgeYy/2J9cytGOg9oJOYueAuadjC+IFmKBNK0GJ4I0v3dGWcjgEHHlv7nS5565TNNVh6/zQIDAQAB"
            jwt_url_parameter: null
            roles_key: "roles"
            subject_key: "preferred_username"
        authentication_backend:
          type: "noop"
For the above configuration, I am getting the following log:
[WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts
elasticsearch_1 | [2020-02-25T20:07:50,395][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] [Atomiq] No JWT token found in 'Authorization' header header
elasticsearch_1 | [2020-02-25T20:07:50,396][WARN ][c.f.s.a.BackendRegistry ] [Atomiq] Authentication finally failed for null from 127.0.0.1:38100
elasticsearch_1 | [2020-02-25T20:07:50,401][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] [Atomiq] No JWT token found in 'Authorization' header header
elasticsearch_1 | [2020-02-25T20:07:50,401][WARN ][c.f.s.a.BackendRegistry ] [Atomiq] Authentication finally failed for null from 127.0.0.1:38100
elasticsearch_1 | [2020-02-25T20:07:50,597][WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [Atomiq] Compact JWS does not have 3 parts
Thanks,
Ranjith
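A small diagnostic, added here as an example (it is not part of this thread and not Search Guard's code), that reproduces the structural checks behind the log lines above ("No JWT token found in 'Authorization' header", "Compact JWS does not have 3 parts") and Sergey's point that signing_key must be a single line. The JWKS document, the kid and the token are constructed; the code inspects token structure only and never verifies a signature.

```python
import base64
import json
import re

# Constructed sample JWKS, shaped like the jwks_uri document a Keycloak realm publishes
# (key material omitted; only "kid" matters for this check).
SAMPLE_JWKS = {"keys": [{"kid": "constructed-kid-1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}

def b64url_decode(segment):
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(kid):
    # Constructed, unsigned token with Keycloak-style claims. The third segment is a dummy:
    # only the compact-JWS structure is inspected here, the signature is never checked.
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"preferred_username": "ranjith", "roles": ["kibana_user"]}
    segs = [json.dumps(header).encode(), json.dumps(claims).encode(), b"dummy-signature"]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)

def inspect_bearer(header_value):
    """Diagnose an Authorization header value the way the thread's log lines do:
    'No JWT token found' (no bearer token) and 'Compact JWS does not have 3 parts'."""
    if not header_value or not header_value.lower().startswith("bearer "):
        return {"ok": False, "reason": "no bearer token in Authorization header"}
    parts = header_value[7:].strip().split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "compact JWS has %d parts, expected 3" % len(parts)}
    try:
        hdr, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError:
        return {"ok": False, "reason": "header or payload is not base64url-encoded JSON"}
    return {"ok": True, "kid": hdr.get("kid"), "alg": hdr.get("alg"),
            "subject": claims.get("preferred_username"), "roles": claims.get("roles", [])}

def kid_in_jwks(kid, jwks):
    # The OpenID authenticator can only verify a token whose "kid" is in the realm's key set.
    return any(k.get("kid") == kid for k in jwks.get("keys", []))

def signing_key_problems(value):
    # A static JWT signing_key must be one line of base64; a wrapped key picks up whitespace.
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace or newlines")
    try:
        base64.b64decode(value, validate=True)
    except ValueError:
        problems.append("not valid base64")
    return problems
```

Run inspect_bearer on the Authorization header Kibana forwards (the one listed in elasticsearch.requestHeadersWhitelist) to see which of the two warnings a request would trigger before Search Guard ever looks at the key.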
ranjith
February 26, 2020, 4:07pm
9
Hi Sergey,
My configuration for OpenID with Search Guard and Keycloak is working at the browser level, but when I try to share my Kibana link in an iframe application I get "Authentication failed. Please provide a new token".
The token is not being set inside the iframe application, so I get an authentication failure, whereas the tokens (searchguard_authentication and searchguard_cookie) are set in the browser.
Please suggest how to proceed.
Thanks,
Ranjith
srgbnd
February 28, 2020, 8:10am
10
Anonymous authentication can be a solution. Configuration:
sg_config.yml
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    ...
    http:
      anonymous_auth_enabled: true
sg_roles_mapping.yml
sg_anonymous:
  backend_roles:
    - sg_anonymous_backendrole
sg_roles.yml
sg_anonymous:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    - index_patterns:
        - "public-*"
      allowed_actions:
        - READ
ATTENTION! Make sure the sg_anonymous user doesn't have access to sensitive data.
You can enable it and map the anonymous user to a Search Guard role with access ONLY to the dashboard data you want to show via iframe. Unauthenticated requests are assigned to the anonymous user and the corresponding role automatically.
The documentation:
srgbnd
February 28, 2020, 8:33am
11
I see you access Kibana via HTTP. Try setting the following in your kibana.yml:
searchguard.cookie.secure: false
ranjith
February 28, 2020, 12:48pm
12
Hi Sergey,
I have configured the anonymous user, so the "Authentication finally failed for null" in the logs is fixed.
But I still get an authentication failure inside the iframe. When I run with logs in debug mode and open Kibana in the browser, I am redirected to the Keycloak realm; after entering the credentials in the realm, I get the following logs in Elasticsearch:
[DEBUG][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] performRefresh(GNqdUa7K8bIAdxarlsJdJoHKfw8KbrPv0fhj4xr0DSU)
elasticsearch_1 | [2020-02-28T10:32:57,237][INFO ][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] Performing refresh 1
elasticsearch_1 | [2020-02-28T10:32:57,474][INFO ][c.f.d.a.h.j.k.SelfRefreshingKeySet] [Atomiq] KeySetProvider finished.
These logs are not printed when I use the Kibana link from the iframe. I think the kid is not being set inside the iframe.
Please suggest how to proceed.
Thanks,
Ranjith
Hi Sergey,
Can you please help me with your mail id? or you can mail to ‘ranjirajeshwari94@gmail.com’
Thanks,
Ranjith
srgbnd
May 4, 2020, 10:14am
16
What version of the browser do you have? Maybe you have the new SameSite restrictions enabled and that's why you can't authenticate? Update your web browser to be sure. They all rolled back the new SameSite settings due to COVID, for example, Chrome's official statement.