Configuring OIDC with Elasticsearch #91649

Closed
vikasmishra17 opened this issue Nov 17, 2022 · 2 comments
Labels
>bug, :Security/IdentityProvider (Identity Provider (SSO) project in X-Pack), Team:Security (Meta label for security team)

Comments

vikasmishra17 commented Nov 17, 2022

Elasticsearch Version

8.3.0

Installed Plugins

No response

Java Version

bundled

OS Version

Linux hostname 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

We are trying to configure Elasticsearch with OIDC for single sign-on (SSO), but we are facing an error: "Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect". Please refer to the logs pasted below for better understanding.

It's strange behaviour I am noticing: Elastic is able to log in via OIDC sometimes, and sometimes it is failing. Even on the same node we are experiencing this behaviour; once it logs in and once it does not. We have checked the configurations and certificates everywhere and they are correct everywhere.

In the Kibana UI we are getting "We hit an authentication error. Please check your credentials and try again. If you still cannot log in, contact your system administrator."

Steps to Reproduce

We have checked the configurations and certificates everywhere and they are correct everywhere.

NOTE: It is succeeding and failing from the same node.

Logs (if relevant)

Success logs

[2022-11-17T17:09:29,288][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=25ce04af-e88b-36b0-a612-fd0cf4e8999d&state=5faibeqMuD3fXQVzIv6hmIhy6yhpBspH3t1ZYNwHrdc&session_state=09f92c2b00fdb86f5488dda004a14dc013fe6d3b043a3214b4028856213c3a4d.W0uSQuu2zNkqKhsmsMZkSg]. Expected Nonce is [SfVsoNwdX-cxMv9vvQaTSdfGEo8Bu6DKOpoX0iySZi4] and expected State is [5faibeqMuD3fXQVzIv6hmIhy6yhpBspH3t1ZYNwHrdc]
[2022-11-17T17:09:29,929][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Successfully exchanged code for ID Token [com.nimbusds.jwt.SignedJWT@13a42d24] and Access Token [9c***1b]
[2022-11-17T17:09:29,930][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Received and validated the Id Token for the user: [{"at_hash":"DL4sG9VSYpEvKRiSR5RLyA","aud":"fnI37XbbXg8QIZGb1TfUjH47JzYa","c_hash":"FFRygB1ZQi-pYexbs5s4lw","sub":"usermail","nbf":1668685169,"azp":"fnI37XbbXg8QIZGb1TfUjH47JzYa","amr":["BasicAuthenticator"],"iss":"https:\/\/sso.uidai.net.in\/oauth2\/token","groups":["IAM Audit Logs"],"exp":1668688769,"iat":1668685169,"nonce":"SfVsoNwdX-cxMv9vvQaTSdfGEo8Bu6DKOpoX0iySZi4"}]
[2022-11-17T17:09:29,999][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Received UserInfo Response from OP with status [200] and content [{"sub":"usermail"}]
[2022-11-17T17:09:29,999][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Successfully retrieved user information: [{"sub":"usermail"}]

Failure logs

[2022-11-17T17:11:10,738][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-3] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=3c1e2056-4c23-39be-ab74-d5ee7d14389c&state=0N2koQX1AtnRRh8sRTPG4bX_5z-s52IvN6Ez6iHOqLQ&session_state=6220e1035991984b3ad92601db1f016bf2c73e0dbee31e09349bdaa5443dd6bf.XP8Kbdz-luo8v939PVmHEw]. Expected Nonce is [8HLJACf2Yep-AaOjtxLXKYtVbn5Grpx0gsh8MgtBe6k] and expected State is [0N2koQX1AtnRRh8sRTPG4bX_5z-s52IvN6Ez6iHOqLQ]
[2022-11-17T17:11:15,768][DEBUG][o.e.x.s.a.o.OpenIdConnectRealm] [warm-data-3] Failed to consume the OpenIdConnectToken
org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint.
at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.failed(OpenIdConnectAuthenticator.java:583) [x-pack-security-8.3.0.jar:?]
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137) [httpcore-4.4.12.jar:?]
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101) [httpasyncclient-4.1.4.jar:?]
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426) [httpasyncclient-4.1.4.jar:?]
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.timeout(HttpAsyncRequestExecutor.java:387) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.client.InternalIODispatch.onTimeout(InternalIODispatch.java:92) [httpasyncclient-4.1.4.jar:?]
at org.apache.http.impl.nio.client.InternalIODispatch.onTimeout(InternalIODispatch.java:39) [httpasyncclient-4.1.4.jar:?]
at org.apache.http.impl.nio.reactor.AbstractIODispatch.timeout(AbstractIODispatch.java:175) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.BaseIOReactor.sessionTimedOut(BaseIOReactor.java:261) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.AbstractIOReactor.timeoutCheck(AbstractIOReactor.java:502) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:211) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.12.jar:?]
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) [httpcore-nio-4.4.12.jar:?]
at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: java.net.SocketTimeoutException: 5,000 milliseconds timeout on connection http-outgoing-6 [ACTIVE]
… 11 more
[2022-11-17T17:11:15,770][WARN ][o.e.x.s.a.RealmsAuthenticator] [warm-data-3] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint.)
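As an added triage example (not code from this issue or from Elasticsearch), the following Python script reads OIDC realm TRACE/DEBUG lines like the ones above, pairs each provider callback with its outcome, checks that the `state` in the callback URL and the `nonce` in the validated ID token match the values the realm said it expected, and classifies the cause of each failure. The sample lines are constructed from the excerpts in this report (issuer replaced with a placeholder); the function and field names are my own.

```python
"""Triage Elasticsearch OIDC realm logs: pair callbacks with outcomes and classify failures."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# One Elasticsearch log record: [timestamp][LEVEL][logger] [node] message
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z ]+)\]\[(?P<logger>[^\]]+)\] \[(?P<node>[^\]]+)\] (?P<msg>.*)$")
REDIRECT_RE = re.compile(
    r"redirected user to \[(?P<url>[^\]]+)\]\. Expected Nonce is \[(?P<nonce>[^\]]+)\]"
    r" and expected State is \[(?P<state>[^\]]+)\]")
ID_TOKEN_RE = re.compile(r"Received and validated the Id Token for the user: \[(?P<claims>\{.*\})\]$")
TIMEOUT_RE = re.compile(r"SocketTimeoutException: (?P<ms>[\d,]+) milliseconds timeout")

# Constructed sample: trimmed copies of the success and failure excerpts from the report.
SAMPLE_LOG = [
    r"[2022-11-17T17:09:29,288][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=25ce04af-e88b-36b0-a612-fd0cf4e8999d&state=5faibeqMuD3fXQVzIv6hmIhy6yhpBspH3t1ZYNwHrdc&session_state=09f92c2b.W0uSQuu2zNkqKhsmsMZkSg]. Expected Nonce is [SfVsoNwdX-cxMv9vvQaTSdfGEo8Bu6DKOpoX0iySZi4] and expected State is [5faibeqMuD3fXQVzIv6hmIhy6yhpBspH3t1ZYNwHrdc]",
    r'[2022-11-17T17:09:29,930][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Received and validated the Id Token for the user: [{"aud":"fnI37XbbXg8QIZGb1TfUjH47JzYa","sub":"usermail","iss":"https:\/\/op.example\/oauth2\/token","groups":["IAM Audit Logs"],"exp":1668688769,"nonce":"SfVsoNwdX-cxMv9vvQaTSdfGEo8Bu6DKOpoX0iySZi4"}]',
    r'[2022-11-17T17:09:29,999][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-5] Successfully retrieved user information: [{"sub":"usermail"}]',
    r"[2022-11-17T17:11:10,738][TRACE][o.e.x.s.a.o.OpenIdConnectAuthenticator] [warm-data-3] OpenID Connect Provider redirected user to [/api/security/oidc/callback?code=3c1e2056-4c23-39be-ab74-d5ee7d14389c&state=0N2koQX1AtnRRh8sRTPG4bX_5z-s52IvN6Ez6iHOqLQ&session_state=6220e103.XP8Kbdz-luo8v939PVmHEw]. Expected Nonce is [8HLJACf2Yep-AaOjtxLXKYtVbn5Grpx0gsh8MgtBe6k] and expected State is [0N2koQX1AtnRRh8sRTPG4bX_5z-s52IvN6Ez6iHOqLQ]",
    r"[2022-11-17T17:11:15,768][DEBUG][o.e.x.s.a.o.OpenIdConnectRealm] [warm-data-3] Failed to consume the OpenIdConnectToken",
    r"org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint.",
    r"at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator$2.failed(OpenIdConnectAuthenticator.java:583) [x-pack-security-8.3.0.jar:?]",
    r"Caused by: java.net.SocketTimeoutException: 5,000 milliseconds timeout on connection http-outgoing-6 [ACTIVE]",
    r"[2022-11-17T17:11:15,770][WARN ][o.e.x.s.a.RealmsAuthenticator] [warm-data-3] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint.)",
]


def _query_param(url, name):
    """First value of a query parameter in a (relative) callback URL, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def _note_cause(attempt, text):
    """Record the most specific failure cause seen so far for an open attempt."""
    t = TIMEOUT_RE.search(text)
    if t:  # a socket timeout is more specific than a generic token-endpoint failure
        attempt["cause"] = "token_endpoint_timeout"
        attempt["timeout_ms"] = int(t.group("ms").replace(",", ""))
    elif attempt["cause"] is None and "Failed to exchange code for Id Token" in text:
        attempt["cause"] = "token_endpoint_error"


def triage(lines):
    """Return one dict per login attempt, in log order, with outcome and cause filled in."""
    attempts = []
    open_by_node = {}   # node -> attempt still waiting for its outcome
    last_node = None    # node of the last parsed record, for stack-trace continuation lines
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:  # continuation line ("at ...", "Caused by: ...") belongs to the previous record
            if last_node in open_by_node:
                _note_cause(open_by_node[last_node], line)
            continue
        node, msg = m.group("node"), m.group("msg")
        last_node = node
        r = REDIRECT_RE.search(msg)
        if r:  # the callback starts a new attempt; check the state the OP sent back
            attempt = {
                "node": node, "ts": m.group("ts"),
                "expected_state": r.group("state"), "expected_nonce": r.group("nonce"),
                "state_matches": _query_param(r.group("url"), "state") == r.group("state"),
                "nonce_matches": None, "outcome": "pending", "cause": None, "timeout_ms": None,
            }
            attempts.append(attempt)
            open_by_node[node] = attempt
            continue
        attempt = open_by_node.get(node)
        if attempt is None:
            continue
        _note_cause(attempt, msg)
        it = ID_TOKEN_RE.search(msg)
        if it:  # nonce in the validated ID token must equal the nonce issued for this attempt
            attempt["nonce_matches"] = json.loads(it.group("claims")).get("nonce") == attempt["expected_nonce"]
        elif "Successfully retrieved user information" in msg:
            attempt["outcome"] = "success"
            open_by_node.pop(node)
        elif "Authentication to realm" in msg and "failed" in msg:
            attempt["outcome"] = "failure"
            attempt["cause"] = attempt["cause"] or "unknown"
            open_by_node.pop(node)
    return attempts


def summarize(attempts):
    """Count attempts per (node, outcome, cause) so an intermittent pattern is visible at a glance."""
    counts = {}
    for a in attempts:
        key = (a["node"], a["outcome"], a["cause"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["node"], a["outcome"], a["cause"], a["timeout_ms"], a["state_matches"], a["nonce_matches"])
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the excerpts above, both attempts show a matching `state`, the successful one shows a matching `nonce`, and the failed one is classified as a 5,000 ms socket timeout while exchanging the authorization code at the OP's token endpoint. That points away from the certificates or the realm configuration and toward network latency or OP responsiveness from the Elasticsearch node, which is where I would look next (and, if the OP is legitimately slow, at the realm's `http.*` timeout settings; confirm the exact setting names in the documentation for your version, as I am quoting them from memory).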
@vikasmishra17 vikasmishra17 added >bug needs:triage Requires assignment of a team area label labels Nov 17, 2022
@michaelbaamonde michaelbaamonde added Team:Security Meta label for security team and removed needs:triage Requires assignment of a team area label labels Nov 17, 2022
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team labels Nov 17, 2022
@michaelbaamonde michaelbaamonde added Team:Security Meta label for security team and removed needs:triage Requires assignment of a team area label labels Nov 17, 2022
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team labels Nov 17, 2022
@DJRickyB DJRickyB added :Security/IdentityProvider Identity Provider (SSO) project in X-Pack and removed needs:triage Requires assignment of a team area label labels Nov 21, 2022
elasticsearchmachine (Collaborator) commented

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Nov 21, 2022
ywangd (Member) commented Nov 21, 2022

@vikasmishra17
Thanks very much for your interest in Elasticsearch.

This appears to be a user question, and we'd like to direct these kinds of things to the Elasticsearch forum. If you can stop by there, we'd appreciate it. This allows us to use GitHub for verified bug reports, feature requests, and pull requests.

There's an active community in the forum that should be able to help get an answer to your question.

In addition, it seems that you have posted the same question in a different GitHub issue and an answer has already been provided: #75515 (comment)

As such, I hope you don't mind that I close this.

@ywangd ywangd closed this as completed Nov 21, 2022