Unable to login with OIDC provider (RoR1.37.0)

Hello!

ReadonlyEnterprise user here. I’m facing an issue with RoR 1.37.0 on Kibana 7.16.3 with OIDC provider.

When I try to log in, everything goes well until the redirection to /ror_kbn_oidc_kc/callback.
This page displays the following error:

There was an error in the OIDC connector oidc_kc

{"message":"Unable to verify authorization request state."}

For more information, consult the kibana logs.

In the logs, nothing more than this error (even in trace mode!).

After digging around I discovered that:

  • The issue occurs prior to the Kibana → Keycloak call used to obtain the token (no call to /token or /userinfo).
  • This seems to be related to a missing cookie: when I try on my old Kibana + RoR + OIDC integration, I see a cookie called rorCookie_oidc_kc created upon landing on /login-ep. This cookie is not created on /login-ep on RoR 1.37.0.

Any idea what’s going on?

Hello @pchesneau

Thanks for your message. I’m trying to reproduce this issue. I will need additional information.

  1. Is the above message something the user can see directly after login via OIDC? I’m asking because AFAIK the message you pasted is something you can see after refreshing the initial OIDC error.

  2. Could you provide your kibana.yml config? (if you want, you can send it via private message or email)

Hello!

Yes, it is the first message the user sees when he tries to log in using OIDC.

I’ll send you my kibana.yml through PM.

Regards,

Hello @Dzuming , I’ve done some more investigation, and I think I found something interesting.

My setup is based on Openshift, and the SSL part is delegated to the Openshift router.
My setup is as follows:
End-User Browser <- HTTPS -> Openshift Router <- HTTP -> Kibana.

It seems that the cookie is somehow removed in the second part of the routing (Openshift <-> Kibana), due to the secure flag set on it.

I had a look at the documentation of passport, which I know you’re using based on the node_modules folder, as well as at Stack Overflow.
It gave me the following trail: Node.js express-session what does the proxy option do? - Stack Overflow.

Express-session has a specific flag for this situation called “proxy”, which allows Express to trust a secure proxy forwarded over a non-HTTPS connection (especially for setups like mine with a reverse proxy).

Is it possible to configure this flag in ReadOnlyRest?

Regards

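To make the cookie behaviour described above concrete, here is an added example (not code from ReadonlyREST or express-session) that re-implements the documented semantics of express-session’s “proxy” option: a cookie carrying the Secure flag is only emitted when the request is deemed secure, and behind a TLS-terminating router that decision depends on whether X-Forwarded-Proto is trusted. The request object, the hostname and the cookie value are constructed for the illustration.

```javascript
// Model of how express-session decides whether a request counts as "secure"
// before emitting a cookie with the Secure flag. Re-implementation of the
// documented `proxy` option semantics for illustration (assumption: written
// for this thread, not the library's or ReadonlyREST's own code).

function isSecureRequest(req, proxy) {
  // A TLS connection terminated by Node itself is always secure.
  if (req.encrypted) return true;
  // proxy: false -> headers are ignored; plain HTTP behind a TLS-terminating
  // router (the Openshift setup in the thread) is therefore never "secure".
  if (proxy === false) return false;
  // proxy: undefined -> defer to whatever the framework computed (req.secure).
  if (proxy !== true) return req.secure === true;
  // proxy: true -> trust the first value of X-Forwarded-Proto set by the router.
  const header = (req.headers && req.headers['x-forwarded-proto']) || '';
  const first = header.split(',')[0].trim().toLowerCase();
  return first === 'https';
}

// Returns the Set-Cookie header value, or null when the cookie would be dropped
// (a Secure cookie is never sent on a request that is not deemed secure).
function sessionCookieHeader(req, name, value, { secure = true, proxy } = {}) {
  if (secure && !isSecureRequest(req, proxy)) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed request as Kibana sees it behind the router: plain HTTP on the
// wire, with the router announcing the original scheme in a header.
const proxiedRequest = {
  encrypted: false,
  secure: false,
  headers: { 'x-forwarded-proto': 'https', host: 'kibana.example.internal' },
};

// Without trusting the proxy the state cookie is silently dropped; with it, it is set.
const withoutProxy = sessionCookieHeader(proxiedRequest, 'rorCookie_oidc_kc', 'state123', { proxy: false });
const withProxy = sessionCookieHeader(proxiedRequest, 'rorCookie_oidc_kc', 'state123', { proxy: true });
console.log(withoutProxy); // null
console.log(withProxy);    // rorCookie_oidc_kc=state123; Path=/; HttpOnly; SameSite=Lax; Secure
```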

Hi @pchesneau,
I know @Dzuming is working on a build for fixing this for you. Please let us know in the thread when you get to a solution :slight_smile:


I sent the pre-release build in a private message :slight_smile:


Thanks a lot I’ll try this and keep you updated!


Hello!

Just deployed the pre-release on my staging environment. It works :white_check_mark: like a charm!

Thanks a lot @Dzuming !

Dear Google user, if you are in the same situation as me, beware when upgrading to the latest version (1.40+) of ReadonlyRest: you may have to update the RoR OIDC configuration. Check the documentation!


Hello!
Do you have any (rough) estimate for the release date of RoR 1.40? (It is just for planning purposes on my side, so don’t rush things on your side).

Unless very urgent fixes are due, we are trying to stick to monthly releases nowadays. So I’d say we’re at least 3 weeks away from a release at the moment.


Thanks for your quick reply! I’ll plan on my side accordingly.


Sorry to come back,
however I’ve discovered a strange thing: with the 1.40-pre you sent me, it seems that {jwt:assertion.xxx} is not working anymore when working with OIDC.

The logs state the following:

[16:25:07:784] [debug][plugins][ReadonlyREST][oidcRouterFactory] Obtained raw profile: {"logmanagement":{"kibana":{"indices":["REDACTED","REDACTED","REDACTED"]}},"sub":"07699444-6022-4d22-be7c-62225d557dab","email_verified":true,"kibana_roles":["Personal Workspace User","Integrators"],"name":"User Name","preferred_username":"login","given_name":"User Name ","family_name":"NAME","email":"somebody@somewhere.com"}
[16:25:07:784] [debug][plugins][ReadonlyREST][oidcController] Obtained user name from profile: User Name
[16:25:07:784] [debug][plugins][ReadonlyREST][oidcController] Obtained groups from profile: Personal Workspace User,Integrators
[16:25:07:785] [debug][plugins][ReadonlyREST][oidcController] Created JWT for ROR with claims: {"user":"User Name","groups":["Personal Workspace User","Integrators"],"assertion":{},"x-ror-origin":"oidc_kc"}

The “assertion” field, built from the profile, is empty!


Hey @pchesneau, good catch. You are always welcome to come back :grin:!

@Dzuming this fix needs to be in the next stable release, it’s very useful and Enterprise customers use it a lot.


BTW, I’ve done some investigation; I suspect this is a leftover from the migration to openid-client.
The old library used to contain a “_json” field with the raw token from the OIDC provider, whereas openid-client does not alter the token in any way (hence, to obtain the raw token, we can simply use the token provided by the library).
Hope it helps!


Thanks @pchesneau, you will soon receive a build. :slight_smile:
