Search Guard OpenID auth error using Keycloak

Hi,

I always get the auth error "please provide a new token" while embedding a Kibana link in an iframe.
I am using Kibana and Elasticsearch version 7.2.

My Elasticsearch log:

```
{"type": "server", "timestamp": "2020-01-31T10:04:31,997+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }
elasticsearch_1 | {"type": "server", "timestamp": "2020-01-31T10:04:32,001+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "cluster.name": "elasticsearch", "node.name": "Atomiq", "cluster.uuid": "uuXopN_vTJuQrzLc-iCuYA", "node.id": "vBn-sqx3S1qAm1IJksPPJQ", "message": "Authentication finally failed for null from 127.0.0.1:55474" }
```

My sg_config.yml configuration file:

```yaml
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_url: "http://XXXXXXXXXX:8090/auth/realms/Wilburcurtis_realm/.well-known/openid-configuration"
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: "noop"
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
```

My kibana.yml is:

```yaml
server.port: 53711
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:53710/"]
kibana.index: ".aiq"
xpack.security.enabled: false
elasticsearch.username: admin
elasticsearch.password: AiqWc123#
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/pemfiles/root-ca.pem"
csp.rules:
  - "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
console.proxyConfig:
  - ssl.verify: false
csp.warnLegacyBrowsers: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://XXXXX:8090/auth/realms/YYYYYY_realm/.well-known/openid-configuration"
searchguard.openid.client_id: "yyyyyy_client"
searchguard.openid.client_secret: "3fc5417a-3457-46d5-b2a4-eeff34168b4e"
searchguard.openid.base_redirect_url: "http://XXXXXXXXXXXX:53711"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "jwtheader", "Basic Authorization", "WWW-Authenticate Basic", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles"]
```

I am stuck here. It is always redirecting to the /customerror?type=authError endpoint instead of app/kibana in Kibana.
It would be very helpful if anyone could help me with this.

Thanks,
Ranjith

This error can be caused either by improper configuration or wrong cookies in your browser. Please check this troubleshooting guide and let me know https://docs.search-guard.com/latest/troubleshooting-openid#openid-troubleshooting

If the guide doesn't help, put the following lines into `elasticsearch/config/log4j2.properties` and paste the Elasticsearch log here:

```
logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace
```

PS
Please format all logs and config in your post with backquotes to make them readable.
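To tally what those log lines report once trace logging is on, here is an added example (not from the post, and not Search Guard's own code) that parses the Elasticsearch JSON log format shown in the question, strips the docker-compose `elasticsearch_1 |` prefix and any curly quotes a forum paste introduces, and counts `c.f.s.a.BackendRegistry` authentication failures per subject and source address; the sample lines are constructed to match the ones quoted above.

```python
"""Tally Search Guard authentication failures from Elasticsearch JSON log lines."""
import json
import re
from collections import Counter

# docker-compose prefixes each line with "service | "; a forum paste may also
# have turned the JSON's straight quotes into curly ones. Both are undone here.
_COMPOSE_PREFIX = re.compile(r"^\S+\s+\|\s+")
_CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
# Message format emitted by c.f.s.a.BackendRegistry when every auth domain failed.
_AUTH_FAILED = re.compile(
    r"^Authentication finally failed for (?P<subject>.+?) from (?P<source>\S+)$"
)

def parse_line(line):
    """Return the log record as a dict, or None if the line is not JSON."""
    cleaned = _COMPOSE_PREFIX.sub("", line.strip()).translate(_CURLY)
    try:
        return json.loads(cleaned)
    except json.JSONDecodeError:
        return None

def auth_failures(lines):
    """Yield (timestamp, subject, source) for each BackendRegistry failure."""
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("component") != "c.f.s.a.BackendRegistry":
            continue
        m = _AUTH_FAILED.match(rec.get("message", ""))
        if m:
            yield rec.get("timestamp"), m.group("subject"), m.group("source")

def failure_counts(lines):
    """Count failures per (subject, source); subject 'null' means no credentials arrived."""
    return Counter((subj, src) for _, subj, src in auth_failures(lines))

# Constructed sample modelled on the post: one plain line, one with the compose
# prefix and curly quotes, one unrelated INFO line and one non-JSON line.
SAMPLE_LOG = [
    '{"type": "server", "timestamp": "2020-01-31T10:04:31,997+0000", "level": "WARN", "component": "c.f.s.a.BackendRegistry", "node.name": "Atomiq", "message": "Authentication finally failed for null from 127.0.0.1:55474" }',
    'elasticsearch_1 | {“type”: “server”, “timestamp”: “2020-01-31T10:04:32,001+0000”, “level”: “WARN”, “component”: “c.f.s.a.BackendRegistry”, “node.name”: “Atomiq”, “message”: “Authentication finally failed for null from 127.0.0.1:55474” }',
    '{"type": "server", "timestamp": "2020-01-31T10:04:33,000+0000", "level": "INFO", "component": "o.e.c.m.MetaDataCreateIndexService", "message": "[.kibana_1] creating index"}',
    "[2020-01-31T10:04:34,000][WARN ][c.f.s.a.BackendRegistry] plain text line, not JSON",
]

if __name__ == "__main__":
    for (subject, source), n in failure_counts(SAMPLE_LOG).items():
        print(f"{subject} from {source}: {n} failure(s)")
```

A subject of `null` in the tally means the request reached Elasticsearch with no credentials any configured auth domain could use, which is what the lines in the question show.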