Hello @sscarduzio!
I would like to thank you very much for all the help you've offered me through private message.
I have created 2 PRs on the documentation with information that I was missing during configuration.
- add kibanaExternalHost documentation by pchesneau · Pull Request #80 · beshu-tech/readonlyrest-docs · GitHub
- Feat/oidc additional claims and groups by pchesneau · Pull Request #81 · beshu-tech/readonlyrest-docs · GitHub
Also, if anyone needs to use an OIDC provider only accessible through a proxy, here is my solution.
Configure the oidc connector as follows:
```yaml
readonlyrest_kbn.auth:
  signature_key: "${KIBANA_SIGNATURE}"
  oidc_kc:
    buttonName: "OIDC Keycloak"
    type: "oidc"
    issuer: "https://${KEYCLOAK_BASE_URL}/<...>"
    authorizationURL: "https://${KEYCLOAK_BASE_URL}/<...>"
    # token and userinfo calls go through the local proxy below
    tokenURL: 'http://127.0.0.1:8083/<...>'
    userInfoURL: 'http://127.0.0.1:8083/<...>'
    clientID: "${KIBANA_CLIENT_ID}"
    clientSecret: "${KIBANA_CLIENT_SECRET}"
    scope: 'openid email profile'
    usernameParameter: 'name'
    groupsParameter: "kibana_roles"
    protocol: 'https'
    kibanaExternalHost: '$YOUR_EXTERNAL_HOST'
    logoutUrl: "https://${KEYCLOAK_BASE_URL}/<...>"
```
Then, on an accessible host, configure http_proxy and https_proxy, then start a traefik reverse proxy with the following configuration:
traefik.yml:
```yaml
entryPoints:
  web:
    address: ":8083"
providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
```
/etc/traefik/dynamic.yml:
```yaml
http:
  middlewares:
    addHostHeaders:
      headers:
        accessControlAllowHeaders:
          - Authorization
        accessControlAllowCredentials: true
        customRequestHeaders:
          # rewrite Host so Keycloak sees its external hostname
          Host: '{{env "KEYCLOAK_BASE_URL"}}'
  routers:
    Router-1:
      # By default, routers listen to every entry point
      rule: "Host(`127.0.0.1`)"
      middlewares: ["addHostHeaders"]
      service: "service-1"
  services:
    service-1:
      loadBalancer:
        servers:
          - url: 'https://{{env "KEYCLOAK_BASE_URL"}}'
```
It can be on the same host as kibana, in a sidecar…
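Added example (not from the post above, and not ReadonlyREST or traefik code): a small Python script that checks the consistency of this kind of split setup before deploying it. It verifies that only the back-channel URLs (tokenURL, userInfoURL) use plain http and that they point at loopback, that the traefik upstream and rewritten Host header both name the issuer's host over https, and that the `iss` claim in an ID token equals the connector's `issuer` exactly. The KEYCLOAK_BASE_URL value, realm paths and the ID token are constructed sample values; the config dicts mirror the YAML above with the env placeholders already substituted.

```python
"""Consistency checks for an OIDC connector whose token/userinfo calls are
routed through a local reverse proxy. Example code added for illustration; not
part of the original post, ReadonlyREST or traefik."""
import base64
import json
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample values standing in for the ${...} placeholders in the post.
KEYCLOAK_BASE_URL = "keycloak.example.test"
REALM_PATH = "/realms/kibana/protocol/openid-connect"

# The oidc_kc connector, with placeholders filled in (constructed sample).
SAMPLE_CONNECTOR = {
    "type": "oidc",
    "issuer": f"https://{KEYCLOAK_BASE_URL}/realms/kibana",
    "authorizationURL": f"https://{KEYCLOAK_BASE_URL}{REALM_PATH}/auth",
    "tokenURL": f"http://127.0.0.1:8083{REALM_PATH}/token",
    "userInfoURL": f"http://127.0.0.1:8083{REALM_PATH}/userinfo",
    "logoutUrl": f"https://{KEYCLOAK_BASE_URL}{REALM_PATH}/logout",
}

# The traefik dynamic.yml, with env vars substituted (constructed sample).
SAMPLE_DYNAMIC = {
    "http": {
        "middlewares": {"addHostHeaders": {"headers": {
            "customRequestHeaders": {"Host": KEYCLOAK_BASE_URL}}}},
        "routers": {"Router-1": {"rule": "Host(`127.0.0.1`)",
                                 "middlewares": ["addHostHeaders"],
                                 "service": "service-1"}},
        "services": {"service-1": {"loadBalancer": {
            "servers": [{"url": f"https://{KEYCLOAK_BASE_URL}"}]}}},
    }
}


def check_connector_urls(conn):
    """Return a list of problems with the connector's URLs.

    Browser-facing URLs (issuer, authorizationURL, logoutUrl) must be https.
    Back-channel URLs (tokenURL, userInfoURL) may be plain http only when they
    point at loopback, i.e. at the local proxy; plain http to any other host
    would carry the client secret and tokens over the network unencrypted.
    """
    problems = []
    for key in ("issuer", "authorizationURL", "logoutUrl"):
        if urlparse(conn[key]).scheme != "https":
            problems.append(f"{key}: must be https")
    for key in ("tokenURL", "userInfoURL"):
        u = urlparse(conn[key])
        if u.scheme == "http" and u.hostname not in LOOPBACK_HOSTS:
            problems.append(f"{key}: plaintext http to non-loopback host {u.hostname}")
        elif u.scheme not in ("http", "https"):
            problems.append(f"{key}: unsupported scheme {u.scheme!r}")
    return problems


def check_proxy_matches_issuer(dynamic, conn):
    """Return problems where the traefik config and the connector disagree.

    The proxy must forward to the host named in `issuer`, over https, and must
    rewrite the Host header to that host so Keycloak sees the same hostname it
    would see on a direct call (Keycloak derives its issuer from its frontend
    URL or the request Host header).
    """
    issuer_host = urlparse(conn["issuer"]).hostname
    http = dynamic["http"]
    problems = []
    for name, svc in http["services"].items():
        for srv in svc["loadBalancer"]["servers"]:
            u = urlparse(srv["url"])
            if u.scheme != "https":
                problems.append(f"service {name}: upstream {srv['url']} is not https")
            if u.hostname != issuer_host:
                problems.append(f"service {name}: upstream host {u.hostname} != {issuer_host}")
    for name, mw in http["middlewares"].items():
        host_hdr = mw.get("headers", {}).get("customRequestHeaders", {}).get("Host")
        if host_hdr != issuer_host:
            problems.append(f"middleware {name}: Host header {host_hdr!r} != {issuer_host!r}")
    return problems


def _jwt_payload(token):
    """Decode a JWT payload segment without verifying the signature; used only
    to read claims for configuration checks, never for a trust decision."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def issuer_claim_matches(conn, id_token):
    """The `iss` claim must equal the connector's `issuer` exactly (scheme,
    host and path), even though tokenURL points at 127.0.0.1."""
    return _jwt_payload(id_token).get("iss") == conn["issuer"]


def make_sample_id_token(claims):
    """Constructed, unsigned sample token for this demo only (the signature
    segment is a placeholder); ROR verifies real tokens against provider keys."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder"


if __name__ == "__main__":
    print(check_connector_urls(SAMPLE_CONNECTOR))
    print(check_proxy_matches_issuer(SAMPLE_DYNAMIC, SAMPLE_CONNECTOR))
    tok = make_sample_id_token({"iss": SAMPLE_CONNECTOR["issuer"], "sub": "alice",
                                "kibana_roles": ["viewer"]})
    print(issuer_claim_matches(SAMPLE_CONNECTOR, tok))
```

Run it with the real values substituted for the constructed ones; an empty list from both check functions and `True` from the issuer check means the connector, the proxy and the tokens all agree on the external Keycloak host.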