Hello!
ReadOnlyRest enterprise user here, I’m stuck with a problem I’m unable to solve.
What I try to achieve:
Perform authentication for Kibana against an OIDC identity provider (in my case Keycloak) AND use a custom claim in the access token to fetch the allowed indices.
What I’ve tried so far:
Use the OIDC support from RoR Enterprise to perform authentication: authentication works, but I’ve found no solution to grab custom claims from the access token, so I was unable to filter index access.
Add an authentication reverse proxy and forward the access token in the Authorization header, then use JWT authentication from RoR: authentication and index access filtering work… as long as the first access token is valid. As soon as the access token expires, even though the reverse proxy refreshes it, it seems not to be picked up by RoR unless the user manually goes back to /login, which effectively renders this solution useless (especially with an access token expiry set to 5 min).
After this long situation overview, here come the questions:
Is my hypothesis correct that RoR processes the Authorization header only on the /login page?
Is there any solution to use the Oidc support from Ror while fetching data from a claim of the access token?
Hello @pchesneau, the scenario is very clearly described, thank you.
Directly to your questions:
The credentials presented in the login phase (including the JWT header coming from the auth proxy) are saved in the session object for the whole Kibana session, while on the Elasticsearch side the credentials are validated on a per-request basis. This is a JWT-specific issue (as a form of credentials which is able to expire) that ROR Enterprise needs to handle specifically.
Will look into the OIDC issue where the claims are not forwarded and report back.
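To make the expiry problem above concrete, here is a small constructed model (added here, not ROR’s or Kibana’s code) of the behaviour described: the credential captured at /login is replayed from the session object on every later request, while the receiving side checks the token’s `exp` claim on each request, so a token refreshed by the proxy is not seen until the user logs in again. Token shape, class and function names are assumptions for the simulation only.

```python
import base64
import json

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (model only, no signature check)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def make_token(exp: int, indices) -> str:
    """Build an unsigned, JWT-shaped token for the simulation (constructed, not signed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp, 'indices': list(indices)})}.sig"

def elasticsearch_check(token: str, now: int) -> str:
    """Per-request validation on the Elasticsearch side: reject once exp has passed."""
    claims = jwt_payload(token)
    if claims["exp"] <= now:
        return "rejected: expired"
    return "allowed: " + ",".join(claims["indices"])

class KibanaSessionModel:
    """Session stores the credential seen at login and replays it on every request."""
    def __init__(self):
        self.session_token = None

    def login(self, authorization_header: str) -> None:
        self.session_token = authorization_header[len("Bearer "):]

    def request(self, authorization_header: str, now: int) -> str:
        # The Authorization header on later requests is ignored by this model;
        # only the token captured at /login reaches Elasticsearch.
        if self.session_token is None:
            return "login required"
        return elasticsearch_check(self.session_token, now)

def simulate(expiry_seconds: int = 300) -> list:
    """Proxy refreshes the token, but requests fail after expiry until a new login."""
    t0 = 1_000_000                       # constructed epoch time for the scenario
    kib = KibanaSessionModel()
    first = make_token(t0 + expiry_seconds, ["logs-*"])
    kib.login("Bearer " + first)
    results = [kib.request("Bearer " + first, t0 + 60)]
    refreshed = make_token(t0 + 2 * expiry_seconds, ["logs-*"])
    results.append(kib.request("Bearer " + refreshed, t0 + expiry_seconds + 1))
    kib.login("Bearer " + refreshed)     # going back to /login picks up the fresh token
    results.append(kib.request("Bearer " + refreshed, t0 + expiry_seconds + 2))
    return results
```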
Thanks a lot @sscarduzio for this lightning-fast answer!
As a quick workaround I’ll increase the validity of the access token used by Kibana.
I’m looking forward to hearing from you about OIDC and custom claims.
If you have any ideas to test about this, please let me know!
The other solution I have in mind is to configure the reverse proxy to extract claims from the access token and set them in custom headers, then use header authentication from RoR. However, this solution is not really elegant.
Hello @sscarduzio
I’m trying to fetch this for you; however, since my last try I’ve migrated to OpenShift, and it seems that enabling OIDC is not possible when Kibana+RoR is in OpenShift. I’m unable to correctly set the OIDC callbackURL (it seems to be inferred from the Kibana server.host config which, in a Docker container, must be set to “0.0.0.0”).
Hello @sscarduzio, I’m unable to respond through direct message (I got an error message). So here is the required information: kibana/kibana-oss:7.8.1 + pluginVersion=1.25.0
(On a side note: I’m not the registered user of the plugin; it’s a colleague of mine. If you need some proof of our licensing, just let me know :))
I would like to thank you very much for all the help you’ve offered me through private message.
I have created 2 PRs on the documentation with information that I was missing during configuration.