Hello,
I’m running into an issue with OIDC authentication after upgrading my stack and would appreciate any guidance.
Current setup (working previously):
- ELK & Kibana: 8.6
- ReadonlyREST (ROR): 1.67
- OIDC authentication working as expected
Upgraded setup (problematic):
- ELK & Kibana: 8.19.12
- ROR: 1.69.1
After the upgrade, I’m no longer able to authenticate via OIDC in Kibana.
Relevant Kibana logs:
```
[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcRouterFactory] Obtained raw profile: {"sub":"abcd1234"}
[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcController] Obtained user name from profile: abcd1234
[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcController] Obtained groups from profile:
[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcController] Created JWT for ROR with claims: {"user":"abcd1234","groups":[],"assertion":{"sub":"abcd1234"},"x-ror-origin":"oidc_kc"}
```
Observations:
- The `sub` claim is correctly retrieved (abcd1234, which is my identifier).
- Username is correctly extracted.
- However, groups are empty, which seems to be causing authorization/authentication failure.
- JWT is created but contains `"groups":[]`.
- I am not using authorization groups with my IdP
- I am using ECK
- I am able to authenticate using basic auth
Questions:
- Has there been any change in how ROR 1.69.1 handles OIDC group extraction compared to 1.67?
- Do I need to explicitly configure a groups claim mapping in the newer version?
- Could this be related to a change in default claim names or required settings in Kibana/Elasticsearch 8.19?
- Are there any additional debug steps I should take to verify what is being returned by the IdP?
Here is my ROR config:
```yaml
readonlyrest:
  prompt_for_basic_auth: false
  access_control_rules:
    - name: "Kibana Service Account"
      token_authentication:
        token: "Bearer ${KIBANA_SERVICE_ACCOUNT_TOKEN}"
        username: "service_account"
    - name: "ELASTIC-INTERNAL"
      auth_key: "elastic-internal:${INTERNAL_USR_PASS}"
    - name: "ELASTIC INTERNAL PROBE"
      type: "allow"
      auth_key: "elastic-internal-probe:${INTERNAL_PROBE_PASS}"
    - name: "Full Admin Kibana"
      groups: ["full-admin"]
      indices: ["*"]
      kibana_access: "admin"
    - name: "Full Admin Users"
      groups: ["full-admin"]
      indices: ["*"]
      actions: ["*"]
    - name: "Client Admin Group Kibana"
      groups: ["client_admin"]
      indices: ["kibana_client_admin", "*"]
      kibana_access: "rw"
      kibana_index: "kibana_client_admin"
    - name: "Client Admin Group 0"
      groups: ["client_admin"]
      indices: ["*"]
      actions: ["*"]
  users:
    - username: "fulladmin"
      groups: ["full-admin"]
      auth_key_sha256: "<auth_key_string"
    - username: "abcd1234"
      groups: ["client_admin"]
      ror_kbn_auth:
        name: "kbn1"
  ror_kbn:
    - name: "kbn1"
      signature_key: "<string_containing_my_signature_key"
```
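
For the last question above, one way to read the Kibana debug log is to pull the raw IdP profile and the JWT claims out of the two JSON-bearing lines and compare them with the group names the ACL refers to. This is an added example, not part of the original post and not ReadonlyREST code; `SAMPLE_LOG` is constructed from the lines quoted above, `ACL_GROUPS` is copied from the posted config, and the function names are hypothetical. It reports what the log shows and does not model how ROR evaluates the rules.

```python
import json
import re

# Constructed sample: the two JSON-bearing debug lines quoted in the post.
SAMPLE_LOG = (
    '[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcRouterFactory] '
    'Obtained raw profile: {"sub":"abcd1234"}\n'
    '[2026-04-21T15:33:13.970+00:00][debug][plugins][ReadonlyREST][oidcController] '
    'Created JWT for ROR with claims: {"user":"abcd1234","groups":[],'
    '"assertion":{"sub":"abcd1234"},"x-ror-origin":"oidc_kc"}\n'
)
# Group names used by the `groups:` rules in the posted ACL.
ACL_GROUPS = {"full-admin", "client_admin"}

LINE_RE = re.compile(
    r"\[ReadonlyREST\]\[\w+\] "
    r"(Obtained raw profile|Created JWT for ROR with claims): (\{.*\})\s*$"
)

def extract_payloads(log_text):
    """Return (raw_profile, jwt_claims) from the last matching debug lines."""
    profile = claims = None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            payload = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # truncated or wrapped line: skip rather than guess
        if m.group(1) == "Obtained raw profile":
            profile = payload
        else:
            claims = payload
    return profile, claims

def diagnose(log_text, acl_groups):
    """Summarise what the IdP returned versus what reached the JWT."""
    profile, claims = extract_payloads(log_text)
    if profile is None or claims is None:
        return None  # no matching debug lines in this log
    jwt_groups = claims.get("groups") or []
    return {
        "user": claims.get("user"),
        "idp_claims": sorted(profile),
        # claims holding a list, i.e. ones that could carry group names
        "list_valued_claims": sorted(k for k, v in profile.items() if isinstance(v, list)),
        "jwt_groups": sorted(jwt_groups),
        "acl_groups_in_jwt": sorted(set(jwt_groups) & set(acl_groups)),
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_LOG, ACL_GROUPS), indent=2))
```

For the log in this post, the summary shows `sub` as the only claim returned by the IdP and no group names in the JWT.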