OpenId Keycloak Docker

Hi everyone,

I have been trying for days to set up an OpenId opendistro stack together with a keycloak server in a docker-compose. After the login with keycloak is completed, I get a kibana opendistro screen with the message:

Authentication failed - please provide a new token.

This occurs with version 1.9 and earlier of opendistro. With versions 1.10 and 1.11 the observed behavior is an endless loop between keycloak and kibana in the browser, not ending in any kibana screen. I do not get much useful information from the logs. I do manage to run an OpenId opendistro stack directly installed on my physical debian system.

I would be more than interested in exchanging with others on this topic. I especially have two questions. First, is someone able to provide an example of a docker-compose configuration for OpenId with opendistro, or some parts of such a configuration. Second, is it required to create users with some specific roles in Elasticsearch (for instance using the opendistro security REST API) and the same users in Keycloak ? It would be very useful for me to get details on this part too.

Best regards,


Hi, did you found a solution for the infinite loop ?

I’m experiencing the same issue.

Thanks a lot

For second question: You do not need to create the same user in Elasticsearch. With user in keycloak and subject_key: email in elasticsearch config.yaml file you may add email address to role mapping yaml file and user will have role assigned to it. Also you may have roles_key: roles in config.yaml file and create role in keycloak with same name as in Kibana, assign to user ( in clients config add User Client Roles with name roles and Token Claim Name: roles) and this role will be assigned to user in Kibana too. I will check my docker-compose config files and post them here later

This configuration is working for me: Docker-compose file for Elasticsearch+Kibana+Keycloak with configuration files · GitHub . Before it will start working you need to add admin user to oauth2 realm in keycloak. I used “admin” password and email address. Rest of configuration files are default from odfe docker-compose. Admin user for keycloak: admin/admin. The same is for kibana/elasticsearch: admin/admin. Also remember that kibana has to start after keycloak is ready, otherwise security plugin will fail to initialize. I usually restart kibana after login to keycloak console

Thank you so much for your answer and time.
I’m using Helm to install the opendistro version on GCP (Kubernetes)

I’ll try to convert what you proposed from your docker-compose and configuration file in the values.yaml file.

I’ll keep you posted.

Thanks again

1 Like