OIDC authentication failing - unknown kid

#1

I tried to set up OpenID following the instructions, and I am running into an issue where the security plugin is not able to extract the attributes from the JWT token because of an unknown key ID.

Here are the stack trace and the config files for Kibana and Elastic.

odfe-node1    | [2019-04-26T02:47:59,672][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [mqs9XQT] Extracting JWT token from eyg.......RESTOFTOKEN....ryry failed
odfe-node1    | com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid ACTUALKEYIDVALUE
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet.getKeyWithKeyId(SelfRefreshingKeySet.java:118) ~[opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet.getKey(SelfRefreshingKeySet.java:58) ~[opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:41) ~[opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials0(AbstractHTTPJwtAuthenticator.java:103) [opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.access$000(AbstractHTTPJwtAuthenticator.java:45) [opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:85) [opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:82) [opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at java.security.AccessController.doPrivileged(Native Method) [?:?]
odfe-node1    | 	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials(AbstractHTTPJwtAuthenticator.java:82) [opendistro_security_advanced_modules-0.8.0.0.jar:0.8.0.0]
odfe-node1    | 	at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.authenticate(BackendRegistry.java:448) [opendistro_security-0.8.0.0.jar:0.8.0.0]

--kibana.yml
opendistro_security.multitenancy.enabled: true
opendistro_security.auth.type: openid
opendistro_security.openid.connect_url: https://.../.well-known/openid-configuration
opendistro_security.openid.client_id: {myID}
opendistro_security.openid.client_secret: {mySecret}

--config.yml (Elastic)

basic_internal_auth_domain: 
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
openid_auth_domain:
        enabled: true
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: sub
            roles_key: roles
            openid_connect_url: https://.../.well-known/openid-configuration
        authentication_backend:
          type: noop
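
A way to check the condition the exception above reports, as an added example that is not part of the original post and not the plugin's code: it reads the `kid` from a token's header (without verifying the signature) and looks it up among the key IDs in a JWKS document. The function names, the token and the key set are all constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def check_kid(token: str, jwks: dict) -> dict:
    """Report whether the token's kid appears among the kids in a JWKS."""
    header = jwt_header(token)
    kid = header.get("kid")
    published = [key.get("kid") for key in jwks.get("keys", [])]
    return {"token_kid": kid, "alg": header.get("alg"),
            "published_kids": published,
            "known": kid is not None and kid in published}


def make_sample_token(kid: str) -> str:
    """Constructed, unsigned sample token; only the header matters here."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "alice", "roles": ["admin"]}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed JWKS; a real one is served at the jwks_uri listed in the
# provider's .well-known/openid-configuration document.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2019-03"},
    {"kty": "RSA", "use": "sig", "kid": "key-2019-04"},
]}

if __name__ == "__main__":
    for kid in ("key-2019-04", "key-2018-12"):
        print(check_kid(make_sample_token(kid), SAMPLE_JWKS))
```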