There was an error in the OIDC connector

Hello!

When trying to sign on via an external Keycloak server, I encountered this error: (shown in browser)

There was an error in the OIDC connector oidc_kc2

{"message":"Unable to verify authorization request state."}

For more information, consult the kibana logs.

This is displayed AFTER being successfully logged on Keycloak side and when we are redirected on Kibana (

The logs say:
iul 19 15:30:22 antoine-VirtualBox kibana[8918]: [15:30:22:812] [error][plugins][ReadonlyREST][oidcRouterFactory] oidc_kc2 error: null

This is the configuration in Kibana.yml:

  buttonName: "KeyCloak OpenID"
  type: "oidc"
  issuer: "http://[keycloak-url]/auth/realms/[realm-name]"
  authorizationURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/auth'
  tokenURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/token'
  userInfoURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/userinfo'
  clientID: 'ror-iodc'
  clientSecret: '[secret]'
  scope: 'roles'
  usernameParameter: 'preferred_username'
  groupsParameter: 'groups'
  kibanaExternalHost: ''
  logoutUrl: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/logout'

Could you help me please? :slight_smile:

EDIT: We also have this warning:

Cookie “rorCookie_oidc_kc2” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read

Very interesting, there might be some tweaks missing on the cookie side. I believe the fastest way to debug/fix this is right in your environment (because you are certainly able to reproduce it).

You can try adding some cookie options in this file:


Edit the file, and find where it says:


Now change this to:

cookie:{maxAge:i, sameSite: true, secure: true}

or a combination of other options.

Hi again!

Thank you for your answer. Unfortunately, what you proposed didn’t work.

I did a little experiment and ran a Keycloak instance with the same version (9.0.0) as our dev server’s and got the same error. So I think it has something to do with that.

I use Elastic 7.10.2

Is this intentional?

Do you have a version of KC that makes this error disappear?

Yes! Actually, I first tried the OIDC connection with a local Keycloak instance. Version 14.0.0 works fine!

PS: the ‘ror-iodc’ is intentional yes and has nothing to do with the problem

Please try enabling this option in the Keycloak 9.0 ROR OIDC client:


OpenID Connect Compatibility Modes
Exclude Session State From Authentication Response : ON

This fixed an error I periodically got with OIDC Kibana connector in ROR Enterprise: {"message":"Unable to verify authorization request state."}

We also recently sorted the “secure” and “sameSite” situation in ROR cookies in ROR Enterprise 1.35.0, and I would like to send you a pre-build in private.
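
An added example, not part of the thread and not ReadonlyREST code: a check of a session cookie's `Set-Cookie` attributes against the browser rule quoted in the warning above and the conditions a cookie must meet to survive the redirect back from the identity provider. The function names, cookie value and host names are constructed for illustration; only the cookie name comes from the thread.

```python
from urllib.parse import urlsplit

# Current Chrome and Firefox accept Secure cookies from these plain-HTTP hosts.
LOOPBACK = {"localhost", "127.0.0.1"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            # Flag attributes (Secure, HttpOnly) carry no value: store True.
            attrs[key.strip().lower()] = value.strip().lower() or True
    return name, attrs

def audit_session_cookie(header, app_url, idp_is_cross_site=True):
    """List reasons the browser would drop the cookie before the OIDC callback.

    idp_is_cross_site is supplied by the caller (assumption): True when the
    identity provider and the application are on different sites.
    """
    name, attrs = parse_set_cookie(header)
    app = urlsplit(app_url)
    same_site = attrs.get("samesite", "lax")  # unspecified is treated as Lax
    secure = attrs.get("secure") is True
    findings = []
    if same_site == "none" and not secure:
        findings.append(f"{name}: SameSite=None without Secure is rejected")
    if secure and app.scheme != "https" and app.hostname not in LOOPBACK:
        findings.append(f"{name}: Secure cookie is not stored over plain HTTP")
    if same_site == "strict" and idp_is_cross_site:
        findings.append(f"{name}: SameSite=Strict is not sent on a cross-site redirect")
    return findings

if __name__ == "__main__":
    # Constructed sample headers; the value "abc123" is a placeholder.
    samples = [
        ("rorCookie_oidc_kc2=abc123; Path=/; HttpOnly; SameSite=None", "http://kibana.example:5601"),
        ("rorCookie_oidc_kc2=abc123; Path=/; SameSite=Strict; Secure", "http://kibana.example:5601"),
        ("rorCookie_oidc_kc2=abc123; Path=/; SameSite=Lax; Secure", "https://kibana.example"),
    ]
    for header, url in samples:
        print(url, audit_session_cookie(header, url) or "ok")
```

An empty result only means the cookie attributes are not what blocks the callback; it says nothing about the identity provider's own response parameters.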