Issue with openid/keycloak causing infinite redirects with Helm

So we did get this working and I’ll provide a snippet from the working config.yaml. The key is to have OAuth go first and add exceptions for some roles - I believe OAuth will authenticate the user but then do actions as the kibanaserver user, so we don’t want to try to OAuth that.

    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

      openid_auth_domain:
        description: "Authenticate via OAuth"
        http_enabled: true
        transport_enabled: true
        order: 0  # lower than the basic domain (order: 1), so OpenID is tried first
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://mykeycloak.azure.com/auth/realms/MYREALM/.well-known/openid-configuration
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: true
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/elk-transport-root-ca.pem"
            jwks_uri: https://mykeycloak.azure.com/auth/realms/MYREALM/protocol/openid-connect/certs
            # internal/service accounts that are excepted from this OpenID domain
            skip_users:
              - kibanaro
              - kibanaserver
              - logstash
              - adminp
              - admin
              - filebeat_internal
              - kibanauser
        authentication_backend:
          type: noop
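
A pre-deployment check for the settings described above, as an added example that is not part of the original post or of the security plugin: it lints an already-parsed `authc` mapping for OpenID ordering, the `kibanaserver` exception, and IdP TLS verification. The function names, the `SERVICE_USERS` default and the sample mappings are assumptions constructed for illustration.

```python
# Added example, not from the post: lint a parsed `authc` mapping (the dict that
# yaml.safe_load returns for that key) for the settings the post relies on.
SERVICE_USERS = ("kibanaserver",)  # assumption: accounts that must bypass OpenID
TLS_KEYS = ("openid_connect_idp.enable_ssl", "openid_connect_idp.verify_hostnames")


def lint_authc(authc, service_users=SERVICE_USERS):
    """Return a list of human-readable findings; an empty list means no issue."""
    by_type = {}
    for name, dom in authc.items():
        if dom.get("http_enabled", True):
            by_type.setdefault(dom["http_authenticator"]["type"], []).append((name, dom))
    findings = []
    for name, dom in by_type.get("openid", []):
        cfg = dom["http_authenticator"].get("config", {})
        # 1. The OpenID domain must be tried first: its order must be the lower one.
        for bname, bdom in by_type.get("basic", []):
            if dom.get("order", 0) >= bdom.get("order", 0):
                findings.append(f"{name}: order must be lower than {bname}")
        # 2. Service accounts must be listed in skip_users (nesting as in the post).
        missing = [u for u in service_users if u not in cfg.get("skip_users", [])]
        if missing:
            findings.append(f"{name}: skip_users lacks {', '.join(missing)}")
        # 3. TLS verification toward the IdP should not be switched off.
        findings += [f"{name}: {k} is false" for k in TLS_KEYS if cfg.get(k) is False]
    return findings


def sample(oidc_order, basic_order, skip_users, verify=True):
    """Build a constructed authc mapping shaped like the post's config."""
    oidc_cfg = {"skip_users": skip_users, "openid_connect_idp.enable_ssl": True,
                "openid_connect_idp.verify_hostnames": verify}
    return {
        "basic_internal_auth_domain": {
            "http_enabled": True, "order": basic_order,
            "http_authenticator": {"type": "basic", "challenge": True}},
        "openid_auth_domain": {
            "http_enabled": True, "order": oidc_order,
            "http_authenticator": {"type": "openid", "challenge": False,
                                   "config": oidc_cfg}},
    }


if __name__ == "__main__":
    # Constructed misconfiguration: basic first, kibanaserver not skipped.
    for finding in lint_authc(sample(1, 0, ["admin"], verify=False)):
        print(finding)
```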