There was an error in the OIDC connector

Hello !

When trying to sign on via an external Keycloak server, I encountered this error: (shown in browser)

There was an error in the OIDC connector oidc_kc2

{“message”:“Unable to verify authorization request state.”}

For more information, consult the kibana logs.

This is displayed AFTER being successfully logged on Keycloak side and when we are redirected on Kibana (

The logs says:
iul 19 15:30:22 antoine-VirtualBox kibana[8918]: [15:30:22:812] [error][plugins][ReadonlyREST][oidcRouterFactory] oidc_kc2 error: null

This is configuration in Kibana.yml:

  buttonName: "KeyCloak OpenID"
  type: "oidc"
  issuer: "http://[keycloak-url]/auth/realms/[realm-name]"
  authorizationURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/auth'
  tokenURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/token'
  userInfoURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/userinfo'
  clientID: 'ror-iodc'
  clientSecret: '[secret]'
  scope: 'roles'
  usernameParameter: 'preferred_username'
  groupsParameter: 'groups'
  kibanaExternalHost: ''
  logoutUrl: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/logout'

Could you help me please? :slight_smile:

EDIT: We also have this warning:

Cookie “rorCookie_oidc_kc2” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read

Very interesting, there might be some tweaks missing on the cookie side. I believe the fastest way to debug/fix this is right in your environment (because you are certainly able to reproduce it).

You can try adding some cookie optoins in this file:


Edit the file, and find where it says:


Now change this to:

cookie:{maxAge:i, sameSite: true, secure: true}

or a combination of other options.

Hi again!

Thank you for your answer. Unfortunately, what you proposed didn’t work.

I did a little experiment and ran a Keycloak instance with the same version (9.0.0) as our dev server’s and got the same error. So I think it has something to do with that.

I use Elastic 7.10.2