OpenID Setup Issue

Hi,

Got that issue currently with the 0.9.0 release when setting up the OpenID security plugin.

This issue occurs without any calls being executed to Keycloak.

Configuration

opendistro_security:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak:8000/auth/realms/xxx/.well-known/openid-configuration
        authentication_backend:
          type: noop

Error Trace

elasticsearch_1 | [2019-06-06T15:48:40,956][WARN ][o.a.c.r.s.j.j.JwsCompactConsumer] [elasticsearch] Compact JWS does not have 3 parts
elasticsearch_1 | [2019-06-06T15:48:40,956][DEBUG][c.a.o.s.a.BackendRegistry] [elasticsearch] 'org.apache.cxf.rs.security.jose.jws.JwsException: INVALID_COMPACT_JWS' extracting credentials from jwt-key-by-oidc http authenticator
elasticsearch_1 | org.apache.cxf.rs.security.jose.jws.JwsException: INVALID_COMPACT_JWS
elasticsearch_1 | at org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer.<init>(JwsCompactConsumer.java:52) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
elasticsearch_1 | at org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer.<init>(JwsJwtCompactConsumer.java:27) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]

I have the same exact issue using coreos Dex. Any ideas?

I will make another try with 1.0.0

Does not work in 1.0.2 still …

It is now working as expected.

The documentation was right, it was just missing the usual caveats of using self-signed CA / certificates along the connectivity between Elasticsearch / Kibana and Keycloak.

Hi @lpourrat, what changes did you make to get it to work? I'm also facing the same issues.
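Added example, not part of the original thread or of the plugin's code: a small diagnostic for the "Compact JWS does not have 3 parts" warning. It checks whether an Authorization header value is a three-part compact JWS and whether its payload carries the claims named by `subject_key` and `roles_key` in the configuration above. The function names and sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json

SUBJECT_KEY = "preferred_username"  # subject_key from the posted config
ROLES_KEY = "roles"                 # roles_key from the posted config


def _decode_segment(part):
    """Decode one base64url JWS segment (padding restored) to a Python object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def inspect_authorization(header_value):
    """List structural problems in an Authorization header value.

    Diagnostic only: the signature is not verified here.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return [f"no Bearer token in header (scheme {scheme!r})"]
    parts = token.strip().split(".")
    if len(parts) != 3:
        return [f"compact JWS has {len(parts)} part(s), expected 3"]
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"header or payload is not base64url-encoded JSON: {exc}"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must both be JSON objects"]
    problems = [] if "alg" in header else ["header has no 'alg'"]
    for key in (SUBJECT_KEY, ROLES_KEY):
        if key not in claims:
            problems.append(f"payload has no {key!r} claim")
    return problems


def _segment(obj):
    """Encode a dict as an unpadded base64url segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed samples; "c2ln" is a dummy signature segment.
GOOD = "Bearer " + ".".join(
    [_segment({"alg": "RS256"}), _segment({SUBJECT_KEY: "alice", ROLES_KEY: ["admin"]}), "c2ln"])
NO_ROLES = "Bearer " + ".".join(
    [_segment({"alg": "RS256"}), _segment({SUBJECT_KEY: "alice"}), "c2ln"])

if __name__ == "__main__":
    for sample in (GOOD, NO_ROLES, "Bearer abc.def", "Basic dXNlcjpwYXNz"):
        print(inspect_authorization(sample) or "structure OK")
```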