JWT authentication for Kibana

Hi, I am new to Opendistro and I am trying to set up the jwt authentication mode for Kibana.
In my config.yml I have:

    jwt_auth_domain:
      enabled: true
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: jwt
        challenge: false
        config:
          signing_key: "oeRaYY7Wo24sDqKSX3IM9ASGmdGPmkTd9jo1QTy4b7P9Ze5_9hKolVX8xNrQDcNRfVEdTZNOuOyqEGhXEbdJI-ZQ19k_o9MI0y3eZN2lp9jow55FfXMiINEdt1XR85VipRLSOkT6kSpzs2x-jbLDiz9iFVzkd81YKxMgPA7VfZeQUm4n-mOmnWMaVX30zGFU4L3oPBctYKkl4dYfqY>
          jwt_header: "Authorization"
          jwt_url_parameter: null
          roles_key: "roles"
          subject_key: "sub"
      authentication_backend:
        type: noop

The kibana.yml is:

    server.name: kibana
    server.host: "0"
    elasticsearch.hosts: https://localhost:9200
    elasticsearch.ssl.verificationMode: none
    elasticsearch.username: kibanaserver
    elasticsearch.password: kibanaserver
    elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]
    opendistro_security.multitenancy.enabled: true
    opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opendistro_security.readonly_mode.roles: ["kibana_read_only"]
    opendistro_security.auth.type: "jwt"
    opendistro_security.cookie.secure: false
    newsfeed.enabled: false
    telemetry.optIn: false
    telemetry.enabled: false
    security.showInsecureClusterWarning: false

Finally, I executed a GET request with Postman to my client after generating a valid access token and I got the following error:

    {
      "statusCode": 401,
      "error": "Unauthorized",
      "message": "Authentication error"
    }

Can anyone please help me? Thank you

Hi @Potapyc, can you please confirm that the value in signing_key (in config.yml) is base64 encoded? Can you please also check whether you are missing closing quotation marks in signing_key?

If this is all in order, can you confirm that the JWT includes a role under "roles" which is mapped in odfe via roles mapping? For testing purposes I'd recommend putting the role as admin in the JWT, as this will be automatically mapped to admin with full access (assuming this part of odfe was not changed). Also make sure the expiration timestamps are valid in the JWT.
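As an added example (not the thread's own code and not the security plugin's), a stdlib-only Python pre-flight that mints an HS256 token from a base64 signing_key and runs the checks listed in the reply above before the token is ever sent to Kibana: signature against the key, exp still in the future, and roles and sub claims present. It also reports whether the key text uses the standard or the URL-safe base64 alphabet, since a decoder for one rejects the other; which alphabet the plugin's decoder expects is not stated in this thread, so confirm it against the plugin documentation for your version. Assumptions: a shared HS256 key (the public-key case is not covered) and a constructed sample key rather than the one in the post.

```python
import base64, hashlib, hmac, json, re, time

# Constructed sample key for the test below (not the key from the thread): 32 bytes, base64 encoded.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_alphabet(signing_key_b64: str) -> str:
    """'standard' (RFC 4648 '+/'), 'urlsafe' ('-_') or 'invalid'; a decoder for one alphabet rejects the other."""
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", signing_key_b64):
        return "standard"
    if re.fullmatch(r"[A-Za-z0-9_-]+={0,2}", signing_key_b64):
        return "urlsafe"
    return "invalid"

def decode_key(signing_key_b64: str) -> bytes:
    """Raw HMAC key bytes behind the base64 signing_key from config.yml."""
    alphabet = key_alphabet(signing_key_b64)
    if alphabet == "invalid":
        raise ValueError("signing_key is not base64 text")
    padded = signing_key_b64 + "=" * (-len(signing_key_b64) % 4)
    return base64.urlsafe_b64decode(padded) if alphabet == "urlsafe" else base64.b64decode(padded)

def mint_jwt(signing_key_b64: str, payload: dict) -> str:
    """Build an HS256 JWT (header.payload.signature) signed with the decoded signing_key."""
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(decode_key(signing_key_b64), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def check_jwt(token: str, signing_key_b64: str, roles_key="roles", subject_key="sub", now=None) -> list:
    """Pre-flight the checks from the thread (signature, exp, roles/subject claims); returns a list of problems."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated parts"]
    problems = []
    expected = hmac.new(decode_key(signing_key_b64), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        problems.append("signature does not verify with signing_key")
    payload = json.loads(_b64url_decode(parts[1]))
    if "exp" not in payload or payload["exp"] <= (time.time() if now is None else now):
        problems.append("exp claim missing or already in the past")
    for claim in (roles_key, subject_key):
        if claim not in payload:
            problems.append(f"payload has no '{claim}' claim")
    return problems
```

Run check_jwt on the token you paste into Postman, with the exact signing_key string from config.yml; an empty list means the token passes every check the reply asks about, and the roles mapping is the next thing to look at.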

Hi @Anthony, thank you for taking the time to answer and sorry for the delay :-).
Yes, I have verified that the signing_key is base64 encoded and I’m not missing quotation marks.
As for the JWT, here is the unencoded JSON of the payload:

    {
      "roles": "admin",
      "iss": "http://localhost",
      "sub": "admin",
      "exp": 1618493640
    }

So, following your suggestion, I have the admin role under "roles". However, I keep getting the same error:

    { "statusCode": 401, "error": "Unauthorized", "message": "Authentication Exception" }

I should also mention that my OpenDistro version is 1.13.1 and that I am following this guide to set up the configuration:

Use JSON Web Tokens (JWTs) to Authenticate in Open Distro for Elasticsearch and Kibana | AWS Open Source Blog (amazon.com)

It is not clear to me from your answer whether I need to make changes to the roles_mapping.yml, which until now I have not modified. Perhaps the roles mapping is not done correctly?
Thanks again for your help