opendistro-for-elasticsearch / security-kibana-plugin

Apache License 2.0

OpenId login with https #12

Open Artain opened 3 years ago

Artain commented 3 years ago

I try to log in to my Kibana instance with OpenID. I configured everything as it is described in the docs, but I always get a 401 error when I try to open the Kibana URL. I found a lot of people with similar problems, but all the issues on your GitHub pages are deleted. The URL which Kibana redirects to is: https://kibana.domain:5601/auth/openid/login?nextUrl=%2F

I tried to make the logs more verbose, but the suggestion on the OpenID troubleshooting site in the docs doesn't change anything. If I make the Kibana logs more verbose I just get the info that the call was redirected to the URL mentioned above.

After a lot of testing I found out my ES config seems to be fine, because if I use an http URL to Keycloak in the kibana.yml everything works. I can log in and everything. But as soon as I use the https URL in the kibana.yml I get this strange redirect.

(I set all the Elasticsearch configuration in the docker-compose file, as well as the Kibana https certificate, etc.)

kibana.yml

```yaml
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

# Use this setting if you are running kibana without https
opendistro_security.cookie.secure: false

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false

# Enable OpenID authentication
opendistro_security.auth.type: "openid"

# The IdP metadata endpoint
opendistro_security.openid.root_ca: "/usr/share/kibana/config/root-ca.pem"
opendistro_security.openid.connect_url: "https://keycloak.domain:8443/auth/realms/client/.well-known/openid-configuration"
opendistro_security.allow_client_certificates: true
opendistro_security.openid.base_redirect_url: "https://kibana.domain:5601/"
logging.verbose: true

# The ID of the OpenID Connect client in your IdP
opendistro_security.openid.client_id: "kibana-sso"

# The client secret of the OpenID Connect client
opendistro_security.openid.client_secret: "secret"
```

The certificate is self-signed, but the root certificate is present for Kibana. I use all the official docker containers. Currently running version 1.13.1.
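An added diagnostic, not part of the original issue or of the plugin: it checks whether the file configured as `opendistro_security.openid.root_ca` actually validates the TLS chain served on the `connect_url` host, hostname included, which is the first thing to rule out when only the https `connect_url` fails. The file names and the constructed demo PKI are assumptions; it needs the `openssl` CLI.

```sh
#!/bin/sh
# Does the CA bundle Kibana trusts (opendistro_security.openid.root_ca) validate the
# chain the IdP presents on the connect_url host? Run as:
#   sh check_root_ca.sh root-ca.pem keycloak-chain.pem keycloak.domain
set -eu

# fetch_chain HOST PORT OUTFILE: save the certificate chain a live IdP presents
# (for use against a real endpoint; the offline demo below does not call it).
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# check_chain CAFILE CHAINFILE HOST: exit 0 only if CAFILE validates CHAINFILE for HOST.
# A failure here means root_ca points at the wrong CA or the cert lacks the hostname
# in its SAN, and the plugin's metadata fetch over https will fail the same way.
check_chain() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo "ok: chain for $3 validates against $1"
  else
    echo "FAIL: $1 does not validate the chain for $3 (wrong root_ca or hostname mismatch)"
    return 1
  fi
}

# make_demo_pki DIR: constructed offline test data, not real certificates: a root CA,
# a leaf for keycloak.domain signed by it, and an unrelated CA that must fail the check.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root-ca.key" -out "$d/root-ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
    -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=keycloak.domain" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:keycloak.domain\n' > "$d/leaf.ext"
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Live usage: check the CA file against a saved chain for the IdP hostname.
if [ $# -eq 3 ]; then
  check_chain "$1" "$2" "$3"
fi
```

For a live IdP, first run `fetch_chain keycloak.domain 8443 keycloak-chain.pem`, then check that file against the configured root CA.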

Artain commented 3 years ago

@srlucken I'm not 100% sure what you mean, but in my IdP client I simply allow all URIs from Kibana (https://kibana.domain*). As far as I know you can't set a redirect URL in OIDC, you can only allow which URIs are valid. The redirect URL itself is set by the caller. That's why I set opendistro_security.openid.base_redirect_url. If you don't set the redirect URL in the caller, your OIDC should redirect you back to where you came from if a referer is set. If you don't have anything set, your IdP shouldn't redirect at all.