Kibana OpenID Connect does not redirect to IDP (IdentityServer4)

I’ve been trying to get this working for a few days now, but no luck. The expectation here is that if the user is not authenticated, Kibana should redirect to the IDP login endpoint. This does not happen. Instead, I keep getting the following response when I try to access Kibana for the first time:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

The logs indicate that Kibana does route from the root to the oidc route. But from there, it does not redirect to the idp auth endpoint for some reason. I should add that if I manually inject a valid token to the request, Kibana does allow access using the user in the token.

The redirect to the identity provider does not happen.

Any help would be greatly appreciated!

Kibana logs:

{"type":"log","timestamp":"2020-12-18T00:07:30Z","tags":["debug","http","server","Kibana","cookie-session-storage"],"pid":11360,"message":"Error: Unauthorized"}

{"type":"response","timestamp":"2020-12-18T00:07:30Z","tags":[],"pid":11360,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"cache-control":"no-cache","connection":"Keep-Alive","pragma":"no-cache","accept":"image/avif,image/webp,image/apng,image/*,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","host":"","max-forwards":"10","referer":"/auth/openid/login?nextUrl=%2F","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"87\", \" Not;A Brand\";v=\"99\", \"Chromium\";v=\"87\"","sec-ch-ua-mobile":"?0","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","x-original-url":"/favicon.ico","x-forwarded-for":"<>","x-arr-ssl":"","x-arr-log-id":"7f42fe43-8902-4bcd-8c32-8ea1c533d80a"},"remoteAddress":"<**>","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36","referer":"/auth/openid/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":0,"contentLength":9},"message":"GET /favicon.ico 401 0ms - 9.0B"}

config.yml
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: "internal"
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: <subject_key>
        roles_key: <role_key>
        openid_connect_url: /.well-known/openid-configuration
        enable_ssl: true
        verify_hostnames: false
        pemtrustedcas_filepath: ""
    authentication_backend:
      type: noop
authz:

kibana.yml
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "/.well-known/openid-configuration"
opendistro_security.openid.client_id: <client_id>
opendistro_security.openid.client_secret:
opendistro_security.openid.scope: "openid profile web.api"
opendistro_security.openid.base_redirect_url: "<kibana_host>"
opendistro_security.openid.root_ca: "<path_to_cert>"
opendistro_security.openid.verify_hostnames: false
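As an added diagnostic (not from the post and not Open Distro's own code): a small script that compares the kibana.yml OpenID settings with what the IdP publishes in its discovery document and derives the callback URL (`base_redirect_url` + `/auth/openid/login`, the route visible as the referer in the log above) that has to be registered on the IdP client. The hostnames, the sample discovery document and the `KIBANA_OPENID` values are constructed placeholders; `fetch_discovery` is only there to run the same check against a live IdP.

```python
import json
import urllib.request

# Constructed sample shaped like an OpenID Connect discovery document
# (placeholder values for offline use, not a real IdentityServer4 response).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/connect/authorize",
    "token_endpoint": "https://idp.example.test/connect/token",
    "jwks_uri": "https://idp.example.test/.well-known/openid-configuration/jwks",
    "end_session_endpoint": "https://idp.example.test/connect/endsession",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}

# Hypothetical values mirroring the opendistro_security.openid.* keys in kibana.yml.
KIBANA_OPENID = {
    "connect_url": "https://idp.example.test/.well-known/openid-configuration",
    "scope": "openid profile web.api",
    "base_redirect_url": "https://kibana.example.test/",
}

# Endpoints the plugin needs before it can build the authorization redirect.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(connect_url):
    """Download the discovery document the plugin reads from connect_url."""
    with urllib.request.urlopen(connect_url, timeout=10) as resp:
        return json.load(resp)


def expected_redirect_uri(base_redirect_url):
    """Callback the plugin sends as redirect_uri; register it on the IdP client."""
    return base_redirect_url.rstrip("/") + "/auth/openid/login"


def check_oidc_config(discovery, kibana_openid):
    """Return a list of findings where Kibana's settings and the IdP disagree."""
    findings = []
    if not kibana_openid["connect_url"].startswith("https://"):
        findings.append("connect_url should be an absolute https URL, not a relative path")
    for key in REQUIRED_ENDPOINTS:
        if key not in discovery:
            findings.append(f"discovery document lacks {key}; plugin cannot redirect")
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("IdP does not advertise the 'code' response type")
    supported = set(discovery.get("scopes_supported", []))
    for scope in kibana_openid["scope"].split():
        if scope not in supported:
            findings.append(f"scope '{scope}' not in scopes_supported; IdP may reject the request")
    return findings
```

Run `check_oidc_config(fetch_discovery(connect_url), KIBANA_OPENID)` against the real connect_url to see the live findings; an empty list means the two sides agree on the points the script checks.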

I’m using the latest version of opendistro ES and Kibana and also running into this issue.

Very similar setup as described above, basically everything taken from the documentation verbatim.


These open issues on GitHub seem related to this.

It looks like the OIDC auth handler route isn’t being parsed correctly in the Kibana plugin.

In case anyone finds this thread via search: this ticket is related too.