There was an error in the OIDC connector

Hello !

When trying to sign on via an external Keycloak server, I encountered this error: (shown in browser)

There was an error in the OIDC connector oidc_kc2

{“message”:“Unable to verify authorization request state.”}

For more information, consult the kibana logs.

This is displayed AFTER being successfully logged on Keycloak side and when we are redirected on Kibana (http://192.168.0.106:5601/ror_kbn_oidc_kc2)

The logs says:
iul 19 15:30:22 antoine-VirtualBox kibana[8918]: [15:30:22:812] [error][plugins][ReadonlyREST][oidcRouterFactory] oidc_kc2 error: null

This is configuration in Kibana.yml:

oidc_kc2:
  buttonName: "KeyCloak OpenID"
  type: "oidc"
  issuer: "http://[keycloak-url]/auth/realms/[realm-name]"
  authorizationURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/auth'
  tokenURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/token'
  userInfoURL: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/userinfo'
  clientID: 'ror-iodc'
  clientSecret: '[secret]'
  scope: 'roles'
  usernameParameter: 'preferred_username'
  groupsParameter: 'groups'
  kibanaExternalHost: '192.168.0.106:5601'
  logoutUrl: 'http://[keycloak-url]/auth/realms/[realm-name]/protocol/openid-connect/logout'

Could you help me please? :slight_smile:

EDIT: We also have this warning:

Cookie “rorCookie_oidc_kc2” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Very interesting, there might be some tweaks missing on the cookie side. I believe the fastest way to debug/fix this is right in your environment (because you are certainly able to reproduce it).

You can try adding some cookie optoins in this file:

plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/oidc/oidcRouterFactory.js

Edit the file, and find where it says:

cookie:{maxAge:i}

Now change this to:

cookie:{maxAge:i, sameSite: true, secure: true}

or a combination of other options.

Hi again!

Thank you for your answer. Unfortunately, what you proposed didn’t work.

I did a little experiment and ran a Keycloak instance with the same version (9.0.0) as our dev server’s and got the same error. So I think it has something to do with that.

I use Elastic 7.10.2