I have been trying for days to set up an OpenId opendistro stack together with a keycloak server in a docker-compose. After the login with keycloak is completed, I get a kibana opendistro screen with the message:
Authentication failed - please provide a new token.
This occurs with version 1.9 and earlier of opendistro. With versions 1.10 and 1.11 the observed behavior is an endless loop between keycloak and kibana in the browser, not ending in any kibana screen. I do not get much useful information from the logs. I do manage to run an OpenId opendistro stack directly installed on my physical debian system.
I would be more than interested in exchanging with others on this topic. I especially have two questions. First, is someone able to provide an example of a docker-compose configuration for OpenId with opendistro, or some parts of such a configuration. Second, is it required to create users with some specific roles in Elasticsearch (for instance using the opendistro security REST API) and the same users in Keycloak ? It would be very useful for me to get details on this part too.
For second question: You do not need to create the same user in Elasticsearch. With user in keycloak and subject_key: email in elasticsearch config.yaml file you may add email address to role mapping yaml file and user will have role assigned to it. Also you may have roles_key: roles in config.yaml file and create role in keycloak with same name as in Kibana, assign to user ( in clients config add User Client Roles with name roles and Token Claim Name: roles) and this role will be assigned to user in Kibana too. I will check my docker-compose config files and post them here later
This configuration is working for me: Docker-compose file for Elasticsearch+Kibana+Keycloak with configuration files · GitHub . Before it will start working you need to add admin user to oauth2 realm in keycloak. I used “admin” password and firstname.lastname@example.org email address. Rest of configuration files are default from odfe docker-compose. Admin user for keycloak: admin/admin. The same is for kibana/elasticsearch: admin/admin. Also remember that kibana has to start after keycloak is ready, otherwise security plugin will fail to initialize. I usually restart kibana after login to keycloak console
I found more information in log. I found error when elastic node talk to keycloak about certificate error. I regenerate all certificates and use your docker-compose file again then the system working as expected.
I’m experiencing the same issue with infinity loop
I want to reproduce your docker-compose file
I have a question
Where can i get volumes data1 sysctl?
Can you give me more detailed instructions to start it, please