Kibana oidc with keycloak perpetual redirect

I’ve setup oidc authentication on kibana and elasticsearch. I’m able to connect with oidc to elasticsearch but I’ve got trouble making kibana authentication working.

When I connect to kibana it sends me to keycloak and the authentication is working well. keycloak sends me back to

http://< kibana url >/auth/openid/login?state=9IuHAymLGrl4DFLuMOtOnV&session_state=617a78d3-2f03-4c02-a5f6-9574dcc97d74&code=8c9df718-43cb-4778-bdb7-d9a22c057c95.617a78d3-2f03-4c02-a5f6-9574dcc97d74.8a3dcaca-4143-4863-b41c-a6904e939064

This url sends me back to kibana base url

http://< kibana url >/

But this send me back again to

http://< kibana url >/auth/openid/login?nextUrl=%2F

It does that several times before send me to

http://< kibana url >/customerror?type=authError

When I look at keycloak logs, I’m seeing kibana requesting the token correctlt:

type=CODE_TO_TOKEN, realmId=36fa5b28-300a-482c-aff9-f2be4448b24d, clientId=kibana-sso, userId=f4ea43e6-62f3-4eab-862b-a6faf38c3722, ipAddress=10.25.22.164, token_id=220015d3-efc5-4f86-b7f9-36832fdf8c0e, grant_type=authorization_code, refresh_token_type=Refresh, scope=‘openid phone email profile address’, refresh_token_id=056d8ddb-3256-4d84-9685-58b92e3e6bbe, code_id=617a78d3-2f03-4c02-a5f6-9574dcc97d74, client_auth_method=client-secret

In elasticsearch logs I’m also seeing kibana to authenticate me with the provided token:

[2020-05-26T17:24:21,964][DEBUG][c.a.o.s.a.BackendRegistry] [rdfoelk01] Rest user ‘User [name=xxxxxxt@google.com, backend_roles=, requestedTenant=null]’ is authenticated

Any insight on what’s wrong?

An answer will be appreciated

I still haven’t found a solution. If someone can help. Thank you

Did you found a solution, I’m having exacly the same problem

Thanks a lot

No I haven’t found a solution. I’ve stopped searching for the moment but I will be happy to hear about one. I will have soon or later to be able to implement it

Could you please share your configuration files? (elasticsearch.yml, kibana.yml, securityconfig/config.yml)

Same problem,
Did anyone find a solution?

@CodeGlitcher

Can you share your configs? (kibana.yml, config.yml and keycloak config)

We are using adfs instead of keycloak.
After some testing I have found out that:
ElastichSearch has no problemen accepting token. Manual requets work fine.
When adding a reserve proxy between kibana en Elastich. Kibana does not make any request to ElasticSearch during login.

kibana home
Kibana auth/login
Adfs login
Kibana oidc callback
Kibana home
kibana auth/login
etc

I found out that on loading the kibana home page the security_authentication cookie is set to null.

We use short lived tokens and when ik crease the token lifetime to 480 minutens I can login with OIDC without a problem.
But not with our default token lifetime of 15 minuten.
The short access tokens was 1 of the security requirements of our current project, so for production I cannot change this. Any idea why kibana does not like the short lived token?

This is my kibana.yml.

# https://www.elastic.co/guide/en/kibana/current/settings.html
server.name: kibana
server.host: "0"
logging.verbose: true
server.rewriteBasePath: false
elasticsearch.hosts: ${ELASTICSEARCH_HOSTS}
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "x-forwarded-for", "x-forwarded-by"]
elasticsearch.ssl.certificateAuthorities: /etc/pki/ca.crt
elasticsearch.ssl.verificationMode: none

elasticsearch.username: "kibanaserver"
elasticsearch.password: ${ES_KIBANA_SERVER_PASSWORD}

# disable multitenancy
opendistro_security.multitenancy.enabled: false

server.ssl.enabled: true
server.ssl.certificateAuthorities: /etc/pki/ca.crt
server.ssl.certificate: /etc/pki/kibana.crt
server.ssl.key: /etc/pki/kibana.key.pk8
server.ssl.keyPassphrase: ${SSL_KEY_PASSPHRASE}

opendistro_security.auth.type: "${AUTH_TYPE}"
#opendistro_security.auth.type: "basicauth"
opendistro_security.openid.connect_url: "${OPENID_CONNECT_URL}"
opendistro_security.openid.client_id: "${OPENID_CLIENT_ID}"
opendistro_security.openid.client_secret: "${OPENID_CLIENT_SECRET}"
opendistro_security.openid.base_redirect_url: "${OPENID_BASE_REDIRECT_URL}"
opendistro_security.openid.root_ca: /etc/pki/ca.crt
opendistro_security.openid.scope: "openid profile"
opendistro_security.cookie.secure: false
telemetry.enabled: false

Note:
I did check the time between my client and server machine, but they are in sync.
I tried setting opendistro_security.cookie.secure: true with opendistro_security.cookie.password. But that does not change anything.

I found that Kibana gets redirected when the token is too large.

Elasticsearch have issues with accepting a token larger then 4KB. When keycloak provides larger token Kibana falls into redirection loop.

Quick fix for that is to limit “Scope” and “Client Scopes” in the Keycloak client. Or just get both lists clean.