Issue with openid/keycloak causing infinite redirects with Helm

I have been trying to set up a Helm deployment with kibana set up to work with keycloak with AzureAD as an Identity Provider.

It works in the sense that when I go to kibana, it forwards me to keycloak, authenticates me and sends me back to kibana. But then kibana doesn’t know I’m authenticated and sends me back again and so on until I get an error for redirect loop.

This is ODFE 1.13.1

I configured the keycloak client with “Authorization Code Flow”. It has “https://kibana.my.domain.azure.com/” as base/root URI and “https://kibana.my.domain.azure.com/auth/openid/login” as redirect URIs

I’m using a config.yml like so:

_meta:
  type: "config"
  config_version: 2
config:
  enable_ssl: true
  verify_hostnames: false
  pemtrustedcas_filepath: "/usr/share/elasticsearch/certs/elk-rest-root-ca.pem"
  dynamic:
    filtered_alias_mode: "warn"
    disable_rest_auth: false
    disable_intertransport_auth: false
    respect_request_indices_options: false
    license: null
    #kibana:
    #  multitenancy_enabled: true
    #  server_username: kibanaserver
    #  index: '.kibana'
    http:
      anonymous_auth_enabled: false

    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak.my.domain.azure.com/auth/realms/artika/.well-known/openid-configuration
        authentication_backend:
          type: noop

With the relevant values in the Helm config being

    opendistro_security.cookie.secure: true
    opendistro_security.cookie.password: "zzzzzzz"
    elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant","jwtToken", "securitytenant"] 
    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: "https://keycloak.my.domain.azure.com/auth/realms/artika/.well-known/openid-configuration"
    opendistro_security.openid.client_id: "elastic"
    opendistro_security.openid.client_secret: "yyyyyyyyy"
    opendistro_security.openid.base_redirect_url: "https://kibana.my.domain.azure.com/" 
    opendistro_security.openid.root_ca: "/usr/share/kibana/certs/kibana-root-ca.pem" 

And here is what it looks like in the network tab:

I have exactly the same problem. The initial forward to keycloak works as expected, authentication and code to token exchange seems to work. But Kibana still keeps redirecting to keycloak in a loop.

@gdd314596 Can you try “https://kibana.my.domain.azure.com/*” as redirect URIs?

What proxy do you use?

So we did get this working and I’ll provide a snippet from the working config.yaml. The key is to have OAuth go first and add exceptions for some roles - I believe OAuth will authenticate the user but then do actions as the kibanaserver user so we don’t want to try to OAuth that.

    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

      openid_auth_domain:
        description: "Authenticate via OAuth"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://mykeycloak.azure.com/auth/realms/MYREALM/.well-known/openid-configuration
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: true
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/elk-transport-root-ca.pem"
            jwks_uri:  https://mykeycloak.azure.com/auth/realms/MYREALM/protocol/openid-connect/certs
            skip_users:
              - kibanaro
              - kibanaserver
              - logstash
              - adminp
              - admin
              - filebeat_internal
              - kibanauser
        authentication_backend:
          type: noop
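The following is an added example, not code from this thread or from the OpenDistro project. It turns the invariants the working config above relies on into a small offline linter: the openid domain is ordered before the basic domain, only the basic domain challenges, the Kibana server user is listed in `skip_users`, and the Kibana-side `connect_url` and redirect URI agree with the backend config and with the Keycloak client. The two authc blocks and the Kibana settings are transcribed from the posts as Python dicts (constructed data, so nothing is fetched). Assumptions: Kibana's OpenID callback path is `/auth/openid/login` (taken from the redirect URI in the first post), `challenge` defaults to true when omitted, and a Keycloak redirect URI ending in `*` is a prefix match (the `/*` suggestion above).

```python
from __future__ import annotations

# Added example, not part of the thread. Assumed callback path, taken from the
# redirect URI the first post registered in Keycloak.
KIBANA_OPENID_LOGIN_PATH = "/auth/openid/login"


def expected_redirect_uri(base_redirect_url: str) -> str:
    """Redirect URI Kibana will send to the IdP, derived from base_redirect_url."""
    return base_redirect_url.rstrip("/") + KIBANA_OPENID_LOGIN_PATH


def redirect_uri_allowed(uri: str, registered: list[str]) -> bool:
    """Assumed Keycloak semantics: exact match, or prefix match if the pattern ends in '*'."""
    for pattern in registered:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def lint_authc(authc: dict, kibana_server_user: str = "kibanaserver") -> list[str]:
    """Return findings for an authc block; an empty list means it matches the working shape."""
    findings: list[str] = []
    enabled = {n: d for n, d in authc.items() if d.get("http_enabled", True)}

    def domains_of(auth_type: str):
        return [(n, d) for n, d in enabled.items() if d["http_authenticator"]["type"] == auth_type]

    openid, basic = domains_of("openid"), domains_of("basic")
    if not openid:
        return ["no enabled openid authc domain"]
    for name, dom in openid:
        auth = dom["http_authenticator"]
        if auth.get("challenge", True):  # openid must not answer with a 401 challenge
            findings.append(f"{name}: openid authenticator should use challenge: false")
        skip = set(auth.get("config", {}).get("skip_users", []))
        if kibana_server_user not in skip:  # the working post skips the Kibana server user
            findings.append(f"{name}: skip_users does not include {kibana_server_user}")
        for bname, bdom in basic:  # the working post puts openid at the lower order
            if bdom["order"] < dom["order"]:
                findings.append(f"{bname} (order {bdom['order']}) runs before {name} (order {dom['order']})")
    challengers = [n for n, d in enabled.items() if d["http_authenticator"].get("challenge", True)]
    if len(challengers) > 1:
        findings.append("more than one domain challenges: " + ", ".join(challengers))
    return findings


def lint_kibana(kibana: dict, openid_cfg: dict, keycloak_redirect_uris: list[str]) -> list[str]:
    """Cross-check the Kibana openid settings against the backend domain and the Keycloak client."""
    findings: list[str] = []
    if kibana["opendistro_security.openid.connect_url"] != openid_cfg["openid_connect_url"]:
        findings.append("Kibana connect_url differs from the backend openid_connect_url")
    uri = expected_redirect_uri(kibana["opendistro_security.openid.base_redirect_url"])
    if not redirect_uri_allowed(uri, keycloak_redirect_uris):
        findings.append(f"redirect URI {uri} is not registered on the Keycloak client")
    return findings


# Constructed data: transcribed from the first post (the looping setup).
ORIGINAL_CONNECT_URL = "https://keycloak.my.domain.azure.com/auth/realms/artika/.well-known/openid-configuration"
ORIGINAL_AUTHC = {
    "basic_internal_auth_domain": {"http_enabled": True, "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False}},
    "openid_auth_domain": {"http_enabled": True, "order": 1,
        "http_authenticator": {"type": "openid", "challenge": False,
            "config": {"subject_key": "preferred_username", "roles_key": "roles",
                       "openid_connect_url": ORIGINAL_CONNECT_URL}}},
}
# Constructed data: transcribed from the final (working) post.
WORKING_AUTHC = {
    "basic_internal_auth_domain": {"http_enabled": True, "order": 1,
        "http_authenticator": {"type": "basic", "challenge": True}},
    "openid_auth_domain": {"http_enabled": True, "order": 0,
        "http_authenticator": {"type": "openid", "challenge": False,
            "config": {"subject_key": "preferred_username", "roles_key": "roles",
                       "openid_connect_url": "https://mykeycloak.azure.com/auth/realms/MYREALM/.well-known/openid-configuration",
                       "skip_users": ["kibanaro", "kibanaserver", "logstash", "adminp",
                                      "admin", "filebeat_internal", "kibanauser"]}}},
}
# Constructed data: Kibana values and Keycloak redirect URI from the first post.
KIBANA_SETTINGS = {
    "opendistro_security.openid.connect_url": ORIGINAL_CONNECT_URL,
    "opendistro_security.openid.base_redirect_url": "https://kibana.my.domain.azure.com/",
}
KEYCLOAK_REDIRECT_URIS = ["https://kibana.my.domain.azure.com/auth/openid/login"]

if __name__ == "__main__":
    for label, authc in (("original", ORIGINAL_AUTHC), ("working", WORKING_AUTHC)):
        print(label, lint_authc(authc) or "ok")
    openid_cfg = ORIGINAL_AUTHC["openid_auth_domain"]["http_authenticator"]["config"]
    print("kibana", lint_kibana(KIBANA_SETTINGS, openid_cfg, KEYCLOAK_REDIRECT_URIS) or "ok")
```

Run against the first post's config the linter reports the basic domain ordered ahead of openid and the missing `skip_users`; the working config passes. The Kibana cross-check passes for the first post too, which is consistent with the thread: the redirect URI and connect URL were already right, and the fix was on the backend authc ordering.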