Redirect Mismatch Error (OIDC - AWS Cognito)

firabby · December 3, 2019, 8:39am

I am trying to add OpenID Connect with opendistro elasticsearch and kibana using AWS Cognito.

Here is my config.yml for security plugin:

   basic_internal_auth_domain:
             description: "Authenticate via HTTP Basic against internal users database"
             http_enabled: true
             transport_enabled: true
             order: 0
             http_authenticator:
               type: basic
               challenge: false
             authentication_backend:
               type: internal
 
     openid_auth_domain:
             http_enabled: true
             transport_enabled: true
             order: 1
             http_authenticator:
               type: openid
               challenge: false
               config:
                 subject_key: sub
                 roles_key: roles
                 openid_connect_url: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-XXXXXXXX/.well-known/openid-configuration
             authentication_backend:
               type: noop

and kibana.yml looks like:

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-XXXXXXXXXX/.well-known/openid-configuration"
opendistro_security.openid.client_id: "XXXXXXXXXXXX"
opendistro_security.openid.client_secret: "XXXXXXXXXXXXXXXXXXXXXXXXXXX"
opendistro_security.openid.base_redirect_url: "https://subdomain.domain.tld:5601"

the callback url in AWS Cognito User Poll App Client is set to:

https://subdomain.domain.tld:5601

When I go to https://subdomain.domain.tld:5601 it redirects to cognito hosted ui for auth but gives error?error=redirect_mismatch&client_id=XXXXXXXXXXXXXXXXXX error

How do I solve this problem?

Recursive · December 20, 2019, 10:08pm

I’m having the same issue. Does anyone know what is happening?

Ech0 · May 6, 2020, 6:55pm

Has this been resolved? I am also having this issue.

abhinav · July 16, 2020, 10:09pm

Has any one resolved this? I am also facing this issue

saqi · August 28, 2020, 4:16am

same here any solutions?

nick_cloud · July 15, 2021, 4:00pm

Digging up a bit of a dead thread, but I’ve scoured the forums and don’t see anyone getting any further with this,
Did anyone resolve this?

Just as OP described, I have an identical value in the Cognito “Callback URLs” entry as the opendistro_security.openid.base_redirect_url property in kibana.yml.

I also tried:

Setting it as expected
Setting opendistro_security.openid.base_redirect_url with a trailing suffix of /app/home etc (but the property name is base_ so I presume it really doesn’t want it
Commenting out the opendistro_security.openid.base_redirect_url property, as the docs describe it’s optional

No matter what I do I always get the error=redirect_mismatch issue in the URL.
Tracing this with browser debug tools, I see the following occurs:

HTTP 302 from Cognito with https://<chosenid>.auth.<region>.amazoncognito.com with params client_id, type, scope and redirect_uri - and the URI looks identical to that in my kibana.yml
HTTP 302 from my Kibana with https://<kibanabaseurl>/?code=<code from cognito>
HTTP 302 from my Kibana with https://<kibanabaseurl>/auth/openid/login?nextUrl=?code=<code from cognito>
HTTP 302 against Cognito again with https://<chosenid>.auth.<region>.amazoncognito.com/oauth2/authorize? with all the same params as before, except this time redirect_uri has a different path after an identical base url, of https://<kibanabaseurl>/auth/openid/login&state=<code>&scope=<scopes>
HHTTP 400, error=redirect_mismatch back from Cognito

Note: I saw online some people trying to use http:// (plaintext). I presume you must use https:// - not only because I think OAuth says you must, but because the Cognito dashboard will only accept an https:// URL for the Callback URL field.

Did anyone get this to work?

Edit: After re-reading my post the issue became a bit clearer, although I have not resolved it yet.

As described, a request is made against Cognito. It then returns to Kibana, which then redirects to run another request against Cognito. I’m not 100% sure on why, I guess it’s an OpenIDConnect or OAuth thing - the first one gets the code, and the second one appears to authorize it?

However, there-in lies the issue. When the first request is run against Cognito the redirect_uri matches as configured in Cognito with just the base URL (and optionally also specified in kibana.yml) identically. When the second request is run the URI includes the /auth/openid/login path suffix - which I believe then makes it fail as it does not match.

Re-reading the docs, the Callback URL(s) and Sign out URL(s) fields in the Cognito config actually accept multiple URLs - they have to be comma separated. The next obvious option appeared to be to specify both https://<kibanaserver> and https://<kibanaserver>/auth/openid/login.

Specifying both though does not resolve this. Now I end up with the first request succeeding as usual followed by the second request causing error=invalid_request&error_description=invalid_scope. Having had scope issues previously I am not sure if this is evaluated before or after the redirect issue - it is definitely possible to get this issue before the redirect value is considered. Following this is ends up in a loop between the second request attempt and the server rejecting it, until the browser stops it and displays an error related to too many redirects.

At any rate, it’s very peculiar. Reading the OpenIDConnect spec it sounds like the app (i.e. Kibana) should define the redirect URL. I understand that some identity providers also offer features (or is required?) where the identity provider then also allows you to set permissable values - presumably to prevent some sort of security issue - but this AWS setting appears to control where it goes and is not just a suggestion.
To show this, you can easily try yourself - simply set your callback URL to a fake URL in the Cognito GUI, and hit Launch Hosted UI or trigger the flow via your app and after the initial authentication AWS will re-direct you to your location specified in the AWS console, totally ignoring what the client said
(no guarantees I haven’t misunderstood the spec though!)

Nagaraja · December 22, 2023, 6:57pm

Facing same issue, any solutions ?

Mantas · January 5, 2024, 2:01pm

Hi @Nagaraja,

Could you elaborate a bit more on your issue?
First of all, are you using Open Distro or OpenSearch and which version?

Thanks,
mj

Nagaraja · January 10, 2024, 9:21am

Hi @Mantas , I’m using Opensearch, and version is 2.11x, i followed the docs , below is configuration details of config.yaml and opensearch-dashboards.yml

config.yml:
_meta:
type: “config”
config_version: 2
config:
dynamic:
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: “sub”
roles_key: “cognito:groups”
openid_connect_url: “https://cognito-idp.us-east-2.amazonaws.com/cognito user pool id/.well-known/openid-configuration”
client_id: “xxxxxx”
client_secret: “xxxxxxxx”
skip_users:
- kibanaro
- kibanaserver
- logstash
- adminp
- admin
- filebeat_internal
- kibanauser
authentication_backend:
type: noop

opensearch-dashboards.yml:
opensearch.hosts: [https://localhost:9200]

opensearch.ssl.verificationMode: none

opensearch.username: admin

opensearch.password: <admin_pw>

opensearch_security.multitenancy.enabled: false

opensearch_security.multitenancy.tenants.preferred: [“Global”]

opensearch_security.multitenancy.tenants.enable_private: false

opensearch_security.multitenancy.tenants.enable_global: true

opensearch_security.readonly_mode.roles: [“kibana_read_only”]

opensearch_security.cookie.secure: false

opensearch_security.auth.type: [“basicauth”, “openid”]

#opensearch_security.auth.type: “openid”

opensearch_security.openid.client_id: “Xxxxxxx”

opensearch_security.openid.client_secret: “xxxxxxx”

opensearch_security.openid.connect_url: “https://cognito-idp.us-east-2.amazonaws.com/cogntouserpoolid/.well-known/openid-configuration”

opensearch_security.auth.multiple_auth_enabled: true

opensearch.requestHeadersAllowlist: [“Authorization”, “security_tenant”]

opensearch_security.openid.logout_url: “”

opensearch_security.openid.base_redirect_url: “”

Mantas · January 10, 2024, 12:03pm

Hi @Nagaraja,

As this topic is about “opendistro” would you mind opening a new topic for your issue as it will be more beneficial for the community?

Please be clear about what are you using how you deploy and what idp you are setting up.

(tip: when copy/past any code please use the Ctrl+e or :
)

Thanks,
mj

Topic		Replies	Views
OpenID Connect Authentication Issue Security	11	5425	September 14, 2020
OpenID Configuration Problems Security	2	724	December 18, 2020
No redirect to oidc with security plugin Security	1	623	May 10, 2021
OpenId with opendisto 1.12 Security	7	2437	March 18, 2021
"authType is openid" error message Security	1	1909	April 15, 2021

Redirect Mismatch Error (OIDC - AWS Cognito)

Related Topics