There was an error in the OIDC connector

aaaa · July 19, 2021, 12:52pm

Hello !

When trying to sign on via an external Keycloak server, I encountered this error: (shown in browser)

There was an error in the OIDC connector oidc_kc2

{“message”:“Unable to verify authorization request state.”}

For more information, consult the kibana logs.

This is displayed AFTER being successfully logged on Keycloak side and when we are redirected on Kibana (http://192.168.0.106:5601/ror_kbn_oidc_kc2)

The logs says:
iul 19 15:30:22 antoine-VirtualBox kibana[8918]: [15:30:22:812] [error][plugins][ReadonlyREST][oidcRouterFactory] oidc_kc2 error: null

This is configuration in Kibana.yml:

oidc_kc2:
  buttonName: "KeyCloak OpenID"
  type: "oidc"
  issuer: "http://[keycloak-url]/auth/realms/[realm-name]"
  authorizationURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/auth'
  tokenURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/token'
  userInfoURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/userinfo'
  clientID: 'ror-iodc'
  clientSecret: '[secret]'
  scope: 'roles'
  usernameParameter: 'preferred_username'
  groupsParameter: 'groups'
  kibanaExternalHost: '192.168.0.106:5601'
  logoutUrl: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/logout'

Could you help me please?

EDIT: We also have this warning:

Cookie “rorCookie_oidc_kc2” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN

sscarduzio · July 20, 2021, 6:32am

Very interesting, there might be some tweaks missing on the cookie side. I believe the fastest way to debug/fix this is right in your environment (because you are certainly able to reproduce it).

You can try adding some cookie optoins in this file:

plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/oidc/oidcRouterFactory.js

Edit the file, and find where it says:

cookie:{maxAge:i}

Now change this to:

cookie:{maxAge:i, sameSite: true, secure: true}

or a combination of other options.

aaaa · July 22, 2021, 2:42pm

Hi again!

Thank you for your answer. Unfortunately, what you proposed didn’t work.

I did a little experiment and ran a Keycloak instance with the same version (9.0.0) as our dev server’s and got the same error. So I think it has something to do with that.

I use Elastic 7.10.2

sscarduzio · July 24, 2021, 7:25am

is this intentional?

sscarduzio · July 24, 2021, 7:26am

Do you have a version of KC that makes this error disappear?

aaaa · August 10, 2021, 8:22am

Yes! Actually I first tried the oidc connection with a local keycloak instance. Version 14.0.0 works fine!

PS: the ‘ror-iodc’ is intentional yes and has nothing to do with the problem

sscarduzio · September 26, 2021, 1:09pm

Please have a try with enabling this option in Keycloak 9.0 ROR OIDC client

OpenID Connect Compatibility Modes
Exclude Session State From Authentication Response : ON

This fixed an error I periodically got with OIDC Kibana connector in ROR Enterprise: {"message":"Unable to verify authorization request state."}

sscarduzio · September 26, 2021, 1:11pm

We also recently sorted the “secure” and “sameSite” situation in ROR cookies in ROR Enterprise 1.35.0, and I would like to send you a pre build in private.