[enhancement] Provide explicit OIDC config if .well-known/openid-configuration is locked down #8777

@jmazzitelli

Discussed in #8764

Originally posted by olsib September 24, 2025

Describe the bug

Kiali OpenID Connect fails with 401 Unauthorized when fetching Okta metadata

Expected Behavior

Kiali authenticates and logs users in successfully via Okta.

Environment

  • Kiali Version: v2.16.0 (Commit: 6bf48d2)
  • Deployment: Kubernetes (EKS)
  • Identity Provider: Okta
  • Authentication Strategy: openid

Configuration Used (Following Official Docs)

```yaml
auth:
  openid:
    client_id: "REDACTED"
    disable_rbac: true
    authorization_endpoint: "https://your-tenant.okta.com/oauth2/default/v1/authorize"
    issuer_uri: "https://your-tenant.okta.com/oauth2/default"
    scopes: ["openid", "email", "profile"]
    username_claim: "email"
  strategy: "openid"
```

Observed Behavior

Error Logs

```text
2025-09-24T13:44:50Z WRN Could not read the session: session not found: cookie kiali-token-Kubernetes does not exist in request
2025-09-24T13:44:50Z DBG Unable to validate session: session not found: cookie kiali-token-Kubernetes does not exist in request
2025-09-24T13:44:51Z WRN Error when fetching OpenID provider's metadata: cannot fetch OpenId Metadata (HTTP response status = 401 Unauthorized)
2025-09-24T13:44:53Z DBG Not handling OpenId code flow authentication: no authorization code is present
```

User Experience

  • Users can access the Kiali web interface (HTTP 200 OK)
  • React application loads successfully, but redirects immediately to https://website/kiali/api/auth/openid_redirect
  • Web page displays error: "Cannot start authentication because it is not possible to use OpenId's authorization code flow. Check Kiali logs for more details."
  • Authentication completely non-functional

Troubleshooting Performed

Verified Configuration

  • ✅ Client ID is correct and properly configured
  • ✅ Client secret properly mounted via Kubernetes secret
  • ✅ Endpoints configured according to documentation
  • ✅ Network connectivity confirmed (DNS resolution works, HTTPS responses received)
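The failure above is the relying party's unauthenticated fetch of `/.well-known/openid-configuration` being refused. The following added example (not Kiali's code, and not from the original post) shows the resolution order the enhancement asks for: try discovery first, verify the returned `issuer` matches the configured `issuer_uri` so a mismatched or substituted document is rejected, and only fall back to explicitly configured endpoints when discovery is locked down. `REQUIRED`, `resolve_endpoints` and the injectable `fetch` hook are my own names; the Okta URL paths are placeholders.

```python
import json
import urllib.error
import urllib.request

# Endpoints a relying party needs from provider metadata (assumed set; not Kiali's list).
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_uri):
    """OIDC Discovery: the metadata document lives under the issuer's well-known path."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def fetch_json(url):
    """Unauthenticated GET, exactly as a relying party performs it.

    Returns (http_status, parsed_body_or_None). A 401 here is the symptom in the logs.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, None


def resolve_endpoints(issuer_uri, explicit=None, fetch=fetch_json):
    """Resolve OIDC endpoints: discovery first, explicit config as fallback.

    Returns (source, endpoints) with source in {"discovery", "explicit", "error"}.
    """
    status, doc = fetch(discovery_url(issuer_uri))
    if status == 200 and doc is not None:
        # Issuer check: the document must name the issuer we configured, otherwise a
        # wrong or substituted metadata document would silently redirect the login flow.
        if doc.get("issuer", "").rstrip("/") != issuer_uri.rstrip("/"):
            return "error", {"reason": "issuer mismatch: " + repr(doc.get("issuer"))}
        missing = [k for k in REQUIRED if k not in doc]
        if missing:
            return "error", {"reason": "discovery document lacks " + ", ".join(missing)}
        return "discovery", {k: doc[k] for k in REQUIRED}
    # Discovery refused (401/403) or unusable: accept operator-supplied endpoints only
    # if the full set is present, so a partial override cannot leave jwks_uri unverified.
    if explicit and all(k in explicit for k in REQUIRED):
        return "explicit", {k: explicit[k] for k in REQUIRED}
    return "error", {"reason": "discovery returned HTTP %s and no complete explicit endpoints configured" % status}
```

Run `resolve_endpoints(issuer)` against a real issuer to confirm whether discovery is reachable without credentials before adding explicit endpoints; any explicit `jwks_uri` must still point at the same issuer's key set.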
