opendistro-for-elasticsearch / security-kibana-plugin

Apache License 2.0

Kibana logout not working when logout is initiated from keycloak #17

Open aggarwalShivani opened 3 years ago

aggarwalShivani commented 3 years ago

Versions used: Kibana (OSS) 7.10.2, Opendistro-security 1.13.1.0

Issue: Kibana logout not working with single sign-out and with OP (Keycloak) initiated logout.

Scenario - Kibana is installed with openid_auth enabled. If we log in to Kibana and log out from it, it works fine. However, if we log in to the Kibana UI (say as testuser) and then log out/terminate the active sessions of this user from the Keycloak admin console, Keycloak does not show any active sessions for the user; however, the Kibana UI does not log out, stays logged in as testuser and remains accessible. Only a) if we explicitly log out from the Kibana UI's logout button or b) if we delete the security_authentication cookies created by Kibana in the browser does Kibana log out and redirect to the authentication page.

Tried two approaches:

  1. Configuring opendistro_security.openid.logout_url. The documentation says: "opendistro_security.openid.logout_url | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata." The metadata endpoint URL of my Keycloak server does publish the end_session_endpoint as https://{{ip}}/auth/realms//protocol/openid-connect/logout. As per the document, tried explicitly configuring opendistro_security.openid.logout_url: https://{{ip}}/auth/realms/{{realm}}/protocol/openid-connect/logout, but this did not help.

  2. Configuring the Backchannel Logout URL for the client in Keycloak. As per Keycloak, the backchannel logout URL is the URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client in this case. Configured the backchannel logout URL as the Kibana logout URL, i.e. backchannel logout URL: https://{{kibana:5601}}/api/v1/auth/logout. With this too, the behaviour remains the same and Kibana does not log out.

Kibana logs on triggering logout from Keycloak:

{"type":"response","@timestamp":"2021-10-27T08:38:36Z","tags":[],"pid":10,"method":"post","statusCode":400,"req":{"url":"/api/v1/auth/logout","method":"post","headers":{"content-length":"859","content-type":"application/x-www-form-urlencoded; charset=UTF-8","host":"w.x.y.z:30603","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.13 (Java/11.0.12)","accept-encoding":"gzip,deflate"},"remoteAddress":"w.x.y.z","userAgent":"w.x.y.z"},"res":{"statusCode":400,"responseTime":17,"contentLength":9},"message":"POST /api/v1/auth/logout 400 17ms - 9.0B"}

This is a major bug in Kibana openid_auth authentication. Any ideas on the root cause and how this can be mitigated?
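Added example, not code from this repository or from the reporter: what the Keycloak backchannel logout request described above carries and what a relying party has to do with it. Keycloak POSTs a form-encoded body logout_token=<JWT> (the 859-byte application/x-www-form-urlencoded POST from Apache-HttpClient in the log is consistent with that), and an endpoint that expects an ordinary browser logout rather than a logout token will reject it. The issuer, client id, session ids and the HS256 shared secret are assumptions; Keycloak signs logout tokens with RS256, so a real handler verifies against the realm JWKS.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs
# OpenID Connect Back-Channel Logout 1.0: the OP (Keycloak) POSTs "logout_token=<JWT>"
# to the RP's backchannel logout URL; the RP validates it, ends every local session
# matching the token's sid/sub and answers 200, or 400 on any failure. Constructed
# example: HS256 with a shared secret stands in for Keycloak's RS256/JWKS signature.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SHARED_SECRET = b"constructed-example-secret"  # assumption, not a Keycloak value
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(iss, aud, sid, sub=None, now=None):
    """Build a logout token the way the OP would (constructed sample input)."""
    claims = {"iss": iss, "aud": aud, "iat": now or int(time.time()), "jti": "constructed-jti",
              "sid": sid, "events": {BACKCHANNEL_EVENT: {}}, **({"sub": sub} if sub else {})}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_logout_token(form_body, expected_iss, expected_aud, max_age=300, now=None):
    """Return (http_status, claims_or_reason) for one backchannel logout POST body."""
    token = parse_qs(form_body).get("logout_token", [""])[0]
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # refuses alg=none
            return 400, "unexpected alg"
        expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 400, "bad signature"
        c = json.loads(_b64url_decode(payload))
        aud = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
    except (ValueError, TypeError, AttributeError):  # wrong part count, bad base64/JSON
        return 400, "missing or malformed logout_token"
    if c.get("iss") != expected_iss or expected_aud not in aud:
        return 400, "iss/aud mismatch"
    if BACKCHANNEL_EVENT not in c.get("events", {}) or "nonce" in c:
        return 400, "not a logout token"
    if not (c.get("sid") or c.get("sub")) or abs((now or int(time.time())) - c.get("iat", 0)) > max_age:
        return 400, "no sid/sub or stale iat"
    return 200, c

def end_matching_sessions(sessions, claims):
    """Drop every local session whose sid or sub matches; return the ended session ids."""
    sid, sub = claims.get("sid"), claims.get("sub")
    ended = [s for s, info in sessions.items() if (sid and s == sid) or (sub and info.get("sub") == sub)]
    for s in ended:
        del sessions[s]
    return ended
```

A handler wired to the backchannel URL only has to call validate_logout_token on the raw POST body and, on 200, end_matching_sessions on its server-side session store; the browser is never involved, which is why the cookie stays valid until the RP itself revokes the session.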

aggarwalShivani commented 3 years ago

Any updates?

aggarwalShivani commented 2 years ago

Any updates on this issue?