I’ve set up OIDC authentication on Kibana and Elasticsearch. I’m able to connect with OIDC to Elasticsearch, but I’m having trouble getting Kibana authentication working.
When I connect to Kibana it sends me to Keycloak and the authentication is working well. Keycloak sends me back to
In the Elasticsearch logs I’m also seeing Kibana authenticate me with the provided token:
[2020-05-26T17:24:21,964][DEBUG][c.a.o.s.a.BackendRegistry] [rdfoelk01] Rest user ‘User [name=xxxxxxt@google.com, backend_roles=, requestedTenant=null]’ is authenticated
No, I haven’t found a solution. I’ve stopped searching for the moment, but I will be happy to hear about one. Sooner or later I will have to be able to implement it.
We are using ADFS instead of Keycloak.
After some testing I have found out that:
Elasticsearch has no problem accepting the token. Manual requests work fine.
When adding a reverse proxy between Kibana and Elasticsearch, Kibana does not make any request to Elasticsearch during login.
Kibana home
Kibana auth/login
ADFS login
Kibana OIDC callback
Kibana home
Kibana auth/login
etc.
I found out that on loading the Kibana home page the security_authentication cookie is set to null.
We use short-lived tokens, and when I increase the token lifetime to 480 minutes I can log in with OIDC without a problem.
But not with our default token lifetime of 15 minutes.
Short access tokens were one of the security requirements of our current project, so for production I cannot change this. Any idea why Kibana does not like the short-lived token?
Note:
I did check the time between my client and server machine, but they are in sync.
I tried setting opendistro_security.cookie.secure: true with opendistro_security.cookie.password. But that does not change anything.