ReadonlyEnterprise user here. I’m facing an issue with RoR 1.37.0 on Kibana 7.16.3 with OIDC provider.
When I try to log in, everything goes well until the redirection to /ror_kbn_oidc_kc/callback
This page displays the following error:
There was an error in the OIDC connector oidc_kc
{"message":"Unable to verify authorization request state."}
For more information, consult the kibana logs.
In the logs, nothing more than this error. (even in trace mode!)
After digging around I discovered that:
The issue is prior to the Kibana → Keycloak call used to obtain token (no call to /token or /userinfo)
This seems to be related to a missing cookie, because when I try on my old Kibana + RoR + OIDC integration I see a cookie called rorCookie_oidc_kc created upon landing on /login-ep. This cookie is not created on /login-ep on RoR 1.37.0.
Thanks for your message. I’m trying to reproduce this issue. I will need additional information
Is the above message something the user can see directly after login via OIDC? I’m asking because AFAIK the message you pasted is something you can see after refreshing the initial OIDC error.
Could you provide your kibana.yml config? (if you want, you can send it via private message or email)
Hello @Dzuming, I’ve done some more investigation, and I think I found something interesting.
My setup is based on Openshift, and the SSL part is delegated to Openshift router.
My setup is as follows: End-User Browser <- HTTPS -> Openshift Router <- HTTP -> Kibana.
It seems that the cookie is somehow removed in the second part of the routing (Openshift <-> Kibana), due to the secure flag set on it.
Express-session has a specific flag for this situation called “proxy”, which allows Express to trust secure cookies forwarded by the proxy over a non-HTTPS connection (especially for a setup like mine with a reverse proxy).
Is it possible to configure this flag in ReadOnlyRest?
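The failure mode described in the post above, as an added example that is not part of the thread and not ReadonlyREST's or express-session's own code: a small model of how a session middleware decides whether to emit a Secure cookie when the application sits behind a TLS-terminating proxy. `isRequestSecure`, `buildSessionCookie`, `demo` and the `trustProxy` option are names assumed here; `trustProxy` plays the role of express-session's `proxy` option (and Express's `trust proxy` setting). The request object is constructed to look like what Kibana sees behind the Openshift router: a plain HTTP socket plus an `X-Forwarded-Proto: https` header. The cookie name `rorCookie_oidc_kc` is taken from the thread.

```javascript
// Added example (assumed names; not ReadonlyREST's or express-session's code).
// Models the decision a session middleware makes before setting a Secure cookie
// when the app is reached over plain HTTP from a TLS-terminating reverse proxy.

// Decide whether the request counts as "secure" for cookie purposes.
// Without proxy trust only a direct TLS connection counts; with it, the
// X-Forwarded-Proto header added by the proxy is honoured.
function isRequestSecure(req, trustProxy) {
  if (req.encrypted) return true;          // TLS terminated by the app itself
  if (!trustProxy) return false;           // plain HTTP from the proxy, header ignored
  const first = (req.headers['x-forwarded-proto'] || '').split(',')[0];
  return first.trim().toLowerCase() === 'https';
}

// Build the Set-Cookie value for a session cookie, or return null when the
// middleware would refuse to set it: a Secure cookie must not be sent over a
// connection it considers non-secure. This silent skip is the symptom in the
// thread (no cookie on /login-ep, nothing in the logs).
function buildSessionCookie(req, { name, value, secure, trustProxy }) {
  const requestSecure = isRequestSecure(req, trustProxy);
  const wantSecure = secure === 'auto' ? requestSecure : Boolean(secure);
  if (wantSecure && !requestSecure) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (wantSecure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed request: plain HTTP socket, proxy says the client used HTTPS.
const behindProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };

// Same request, with and without proxy trust, using the thread's cookie name.
function demo() {
  const base = { name: 'rorCookie_oidc_kc', value: 's:abc', secure: true };
  return {
    withoutTrust: buildSessionCookie(behindProxy, { ...base, trustProxy: false }),
    withTrust: buildSessionCookie(behindProxy, { ...base, trustProxy: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With `trustProxy: false` the cookie is dropped (`null`), which matches the missing `rorCookie_oidc_kc` in the thread; with `trustProxy: true` the Secure cookie is emitted. Note that trusting the header only makes sense when the proxy is the only way to reach the app and it overwrites `X-Forwarded-Proto` on every request, otherwise a client on the plain-HTTP side could supply it itself.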
Dear Google user, if you are in the same situation as me, beware when upgrading to the latest version (1.40+) of ReadonlyREST: you may have to update the RoR OIDC configuration. Check the documentation!
Hello!
Do you have any (rough) estimate for the release date of RoR 1.40? (It is just for planning purposes on my side, so don’t rush things on your side).
Unless very urgent fixes are due, we are trying to stick to monthly releases nowadays. So I’d say we’re at least 3 weeks away from a release at the moment.
Sorry to come back,
however I’ve discovered a strange thing: with the 1.40-pre you sent to me, it seems that {jwt:assertion.xxx} is not working anymore with OIDC.
The logs state the following:
[16:25:07:784] [debug][plugins][ReadonlyREST][oidcRouterFactory] Obtained raw profile: {"logmanagement":{"kibana":{"indices":["REDACTED","REDACTED","REDACTED"]}},"sub":"07699444-6022-4d22-be7c-62225d557dab","email_verified":true,"kibana_roles":["Personal Workspace User","Integrators"],"name":"User Name","preferred_username":"login","given_name":"User Name ","family_name":"NAME","email":"somebody@somewhere.com"}
[16:25:07:784] [debug][plugins][ReadonlyREST][oidcController] Obtained user name from profile: User Name
[16:25:07:784] [debug][plugins][ReadonlyREST][oidcController] Obtained groups from profile: Personal Workspace User,Integrators
[16:25:07:785] [debug][plugins][ReadonlyREST][oidcController] Created JWT for ROR with claims: {"user":"User Name","groups":["Personal Workspace User","Integrators"],"assertion":{},"x-ror-origin":"oidc_kc"}
The “assertion” field, built from the profile, is empty!
BTW, I’ve done some investigation, and I suspect this is a leftover from the migration to openid-client.
The old library used to contain a “_json” field with the raw token from the OIDC provider, whereas openid-client does not alter the token in any way (hence, to obtain the raw token, we can simply use the token provided by the library).
Hope it helps!