Failing test: X-Pack OpenID Connect API Integration Tests.x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth·js - apis OpenID Connect authentication finishing handshake should succeed if both the OpenID Connect response and the cookie are provided #43736

Closed
kibanamachine opened this issue Aug 22, 2019 · 27 comments
Labels
failed-test A test failure on a tracked branch, potentially flaky-test Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!


@kibanamachine
Contributor

kibanamachine commented Aug 22, 2019

A test failed on a tracked branch


        Error: expected 302 "Found", got 401 "Unauthorized"
    at Test._assertStatus (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/supertest/lib/test.js:268:12)
    at Test._assertFunction (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/supertest/lib/test.js:283:11)
    at Test.assert (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/supertest/lib/test.js:173:18)
    at assert (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/supertest/lib/test.js:131:12)
    at /var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/supertest/lib/test.js:128:5
    at Test.Request.callback (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/superagent/lib/node/index.js:718:3)
    at parser (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/superagent/lib/node/index.js:906:18)
    at IncomingMessage.res.on (/var/lib/jenkins/workspace/elastic+kibana+7.x/JOB/x-pack-ciGroup6/node/linux-immutable/kibana/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at endReadableNT (_stream_readable.js:1103:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
      

First failure: Jenkins Build

@kibanamachine kibanamachine added the failed-test A test failure on a tracked branch, potentially flaky-test label Aug 22, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-test-triage

@kibanamachine
Contributor Author

New failure: Jenkins Build

@spalger spalger added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Sep 11, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@spalger
Contributor

spalger commented Sep 11, 2019

This has only failed 3 times in the last month (including PRs), but I think we should try to figure out how this is happening

[image]

@azasypkin
Member

Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: TimeoutException[Connection lease request time out];)

It seems Elasticsearch can't get a token from an endpoint that is exposed by our test Kibana plugin for some reason. I wasn't able to reproduce it, but I'll keep trying.

Just in case (since we still use ES from Aug 15th) - @jkakavas was there any ES OIDC issue that was fixed after Aug 15 and could have been the reason why ES couldn't retrieve token in exchange to authorization code?

@jkakavas
Member

> Just in case (since we still use ES from Aug 15th) - @jkakavas was there any ES OIDC issue that was fixed after Aug 15 and could have been the reason why ES couldn't retrieve token in exchange to authorization code?

Nope... Is maybe something wrong with the dummy endpoint in Kibana (are there any logs that ES accessed that) or could it be that ES is configured with the wrong URL for token endpoint?

@azasypkin
Member

> Nope... Is maybe something wrong with the dummy endpoint in Kibana (are there any logs that ES accessed that) or could it be that ES is configured with the wrong URL for token endpoint?

Thanks for confirming. Yeah, likely something wrong with this test endpoint then, no logs there unfortunately. I'll see if I can reproduce.

> could it be that ES is configured with the wrong URL for token endpoint?

Unlikely, it fails intermittently, just 3 times in a month.

@azasypkin
Member

Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: TimeoutException[Connection lease request time out];)

Well, now I'm wondering what this Connection lease request time out means. I see different errors when Kibana test endpoint either a) fails/doesn't exist or b) hangs/never returns:

a)

Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint. Unable to parse Token Response]; nested: ParseException[Missing JSON object member with key "token_type"];)

b)

Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: SocketTimeoutException[5,000 milliseconds timeout on connection http-outgoing-2 [ACTIVE]];)

@azasypkin
Member

Ioannis recommended to try to increase ES HTTP client timeout settings and see if it helps:

  • xpack.security.authc.realms.oidc.oidc1.http.connect_timeout
    and/or
  • xpack.security.authc.realms.oidc.oidc1.http.connection_read_timeout

I'm going to wait and see if this issue comes up again and then try to increase these timeouts, locally I couldn't reproduce it even with very low timeout settings....

@spalger
Contributor

spalger commented Oct 9, 2019

Just had this fail in a PR

@azasypkin
Member

Thanks for reporting, so I'll try to increase timeouts and see if it helps.

@soumendrak

I am getting the point a) issue. Is there any way to resolve that? Increasing the timeout value did not help.

> a)
> Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint. Unable to parse Token Response]; nested: ParseException[Missing JSON object member with key "token_type"];)

@jkakavas
Member

Hi @soumendrak, please do not hijack threads. This GitHub issue is specifically for the CI tests of Kibana. Please ask your user question in the forums, we have a very active community there and someone will hopefully assist you get your configuration in order.

@kibanamachine
Contributor Author

New failure: Jenkins Build

@azasypkin
Member

Okay, it's been a month since last failure, closing for now. We'll see if it fails with the most recent ES versions when we switch to them.

@kibanamachine
Contributor Author

New failure: Jenkins Build

@spalger
Contributor

spalger commented Mar 6, 2020

Getting the same 401 somewhat randomly

https://kibana-ci.elastic.co/job/elastic+kibana+7.x/3444/testReport/X-Pack%20OpenID%20Connect%20API%20Integration%20Tests/x-pack_test_oidc_api_integration_apis_authorization_code_flow_oidc_auth%C2%B7js/Kibana_Pipeline___kibana_xpack_agent___apis_OpenID_Connect_authentication_finishing_handshake_should_succeed_if_both_the_OpenID_Connect_response_and_the_cookie_are_provided/

Error: expected 302 "Found", got 401 "Unauthorized"
    at Test._assertStatus (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:268:12)
    at Test._assertFunction (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:283:11)
    at Test.assert (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:173:18)
    at assert (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:131:12)
    at /dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:128:5
    at Test.Request.callback (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/index.js:718:3)
    at parser (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/index.js:906:18)
    at IncomingMessage.res.on (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
[00:00:00]       │
[00:00:00]         └-: apis
[00:00:00]           └-> "before all" hook
[00:00:00]           └-: OpenID Connect authentication
[00:00:00]             └-> "before all" hook
[00:00:00]             └-> should reject API requests if client is not authenticated
[00:00:00]               └-> "before each" hook: global before each
[00:00:00]               └- ✓ pass  (101ms) "apis OpenID Connect authentication should reject API requests if client is not authenticated"
[00:00:00]             └-: initiating handshake
[00:00:00]               └-> "before all" hook
[00:00:00]             └-: finishing handshake
[00:00:00]               └-> "before all" hook
[00:00:00]               └-> should fail if OpenID Connect response is not complemented with handshake cookie
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 └-> "before each" hook
[00:00:00]                 └- ✓ pass  (73ms) "apis OpenID Connect authentication finishing handshake should fail if OpenID Connect response is not complemented with handshake cookie"
[00:00:00]               └-> should fail if state is not matching
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 └-> "before each" hook
[00:00:00]                 │ info [o.e.x.s.a.AuthenticationService] [kibana-ci-immutable-ubuntu-16-tests-xl-1583520435318159677] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Invalid state parameter [someothervalue], while [B4OkYr04qDIlRqZ4tHuITus4RzDA9n3w6SPlrADKTJU] was expected])
[00:00:00]                 └- ✓ pass  (117ms) "apis OpenID Connect authentication finishing handshake should fail if state is not matching"
[00:00:00]               └-> should succeed if both the OpenID Connect response and the cookie are provided
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 └-> "before each" hook
[00:00:00]                 │ info [o.e.x.s.a.AuthenticationService] [kibana-ci-immutable-ubuntu-16-tests-xl-1583520435318159677] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: TimeoutException[Connection lease request time out];)
[00:00:00]                 └- ✖ fail: "apis OpenID Connect authentication finishing handshake should succeed if both the OpenID Connect response and the cookie are provided"
[00:00:00]                 │
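
An added example (not code from this thread, Kibana, or Elasticsearch): it sorts the realm failure messages quoted above by their nested cause and pairs each with the test result that follows it, so failures provoked on purpose by a negative test are separated from the flaky one. The `kind` labels, function names and the sample log are constructed for illustration.

```javascript
// Added example: triage OIDC realm failures in a functional-test log.
// Signatures are the message shapes quoted in this thread; the kind names are made up here.
const SIGNATURES = [
  ['token-response-unparseable', /Unable to parse Token Response\]; nested: ParseException\[(.+?)\];\)/],
  ['read-timeout', /nested: SocketTimeoutException\[(.+?)\];\)/],
  ['connection-lease-timeout', /nested: TimeoutException\[(Connection lease request time out)\]/],
  ['state-mismatch', /ElasticsearchSecurityException\[(Invalid state parameter .+? was expected)\]/],
];

// Returns { realm, kind, detail } for an authentication-failure line, else null.
function classify(line) {
  const realm = /Authentication to realm (\S+) failed/.exec(line);
  if (!realm) return null;
  for (const [kind, re] of SIGNATURES) {
    const m = re.exec(line);
    if (m) return { realm: realm[1], kind, detail: m[1] };
  }
  return { realm: realm[1], kind: 'unclassified', detail: line.trim() };
}

// Attaches each failure to the next test result line, so a failure followed by
// "pass" (a negative test doing its job) is distinguishable from a real one.
function triage(logText) {
  const findings = [];
  let pending = [];
  for (const line of logText.split('\n')) {
    const hit = classify(line);
    if (hit) { pending.push(hit); continue; }
    const result = /(✓ pass|✖ fail)[^"]*"(.+)"\s*$/.exec(line);
    if (!result) continue;
    for (const h of pending) findings.push({ ...h, test: result[2], failed: result[1] === '✖ fail' });
    pending = [];
  }
  return findings;
}

// Constructed sample modelled on the CI log in this thread (host and state are placeholders).
const SAMPLE_LOG = `
[00:00:00]   └-> should fail if state is not matching
[00:00:00]     │ info [o.e.x.s.a.AuthenticationService] [ci-host] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Invalid state parameter [someothervalue], while [EXPECTED_STATE] was expected])
[00:00:00]     └- ✓ pass  (117ms) "finishing handshake should fail if state is not matching"
[00:00:00]   └-> should succeed if both the OpenID Connect response and the cookie are provided
[00:00:00]     │ info [o.e.x.s.a.AuthenticationService] [ci-host] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: TimeoutException[Connection lease request time out];)
[00:00:00]     └- ✖ fail: "finishing handshake should succeed if both the OpenID Connect response and the cookie are provided"
`;

console.log(triage(SAMPLE_LOG).filter((f) => f.failed));
```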

@azasypkin
Member

I haven't succeeded in reproducing this issue this time as well... There is a chance it may be related to some of the token related issues we're going to fix soon, let's see.

I'm closing this for now as we haven't seen any failed builds since March 6th.

@kibanamachine
Contributor Author

New failure: Jenkins Build

@azasypkin
Member

Haha, that's a destiny 🙂

@legrego
Member

legrego commented Apr 14, 2020

You couldn't have planned that any better 😆

@azasypkin
Member

29 days without failure, I'll give it one week more this time 🤞

@jkakavas
Member

🤞

@spalger
Contributor

spalger commented May 13, 2020

To be clear, this is mostly failing in PRs which aren't reported on issues, 6 failures in the last 60 days:

[image]

@azasypkin
Member

> To be clear, this is mostly failing in PRs which aren't reported on issues, 6 failures in the last 60 days:

Aha, good to know, thanks. Let me track that there then. I still hope it will be automagically fixed some day 🙂

@azasypkin
Member

Flaky test runner passed with no failures, closing.
