OIDC Error for ElasticSearch
Bug
Description
Running into an issue with elasticsearch-kibana chart v1.27.0-bb.0 when both OIDC (.Values.sso.enabled: true) and Basic Auth (.Values.kibanaBasicAuth.enabled: true) are configured.
Problem: After logging out of an OIDC session, the user lands on the /logged_out page (as expected from the default rp.post_logout_redirect_uri). If they then try to log in using username/password from that page, the basic auth succeeds, but Kibana incorrectly redirects back to /logged_out?state=..., resulting in a 404 payload being displayed.
Debugging: Network trace confirms basic auth POST /internal/security/login returns 200 OK, but the response contains {"location":"/logged_out?state=..."}. Manually going to the base Kibana URL after OIDC logout does allow basic auth to work correctly. It seems specific to initiating basic auth from the /logged_out context.
Workaround: Using a postRenderer patch on the Elasticsearch CR to override rp.post_logout_redirect_uri in the OIDC realm config, changing the target from /logged_out to /login. This avoids the problematic state. (I think, haven't implemented it yet.)
Suggestion: Could the default rp.post_logout_redirect_uri generated by the chart's oidc helper template be changed from /logged_out to /login? Or could a value like sso.post_logout_path be added to make this configurable? Seems like /logged_out introduces state issues when immediately switching to basic auth.
ElasticSearch version: 1.27
Big Bang Version: 2.48
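A check for whether the override described in the workaround has taken effect, as an added example that is not part of the original report or the chart: it reads an Elasticsearch custom resource as JSON and lists the OIDC realms whose rp.post_logout_redirect_uri still points at /logged_out. The sample resource, the realm name example-realm, the host kibana.example.test and the function names are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlparse

PREFIX = "xpack.security.authc.realms.oidc."
SUFFIX = ".rp.post_logout_redirect_uri"

# Constructed sample CR (not from the report): realm name and host are placeholders.
SAMPLE_CR = {
    "kind": "Elasticsearch",
    "spec": {"nodeSets": [
        {"name": "master", "config": {
            PREFIX + "example-realm" + SUFFIX: "https://kibana.example.test/logged_out"}},
        {"name": "data", "config": {"xpack": {"security": {"authc": {"realms": {"oidc": {
            "example-realm": {"rp": {
                "post_logout_redirect_uri": "https://kibana.example.test/login"}}}}}}}}},
    ]},
}

def flatten(node, prefix=""):
    """Yield (dotted_key, value); nodeSet config may use nested or dotted keys."""
    for key, value in node.items():
        dotted = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            yield from flatten(value, dotted)
        else:
            yield dotted, value

def post_logout_targets(cr):
    """Map (nodeSet name, realm name) -> URL path of rp.post_logout_redirect_uri."""
    found = {}
    for node_set in cr.get("spec", {}).get("nodeSets", []):
        for key, value in flatten(node_set.get("config") or {}):
            if key.startswith(PREFIX) and key.endswith(SUFFIX):
                realm = key[len(PREFIX):-len(SUFFIX)]
                found[(node_set.get("name"), realm)] = urlparse(str(value)).path
    return found

def still_on_logged_out(cr):
    """Realms whose post-logout redirect still lands on /logged_out."""
    return sorted(k for k, path in post_logout_targets(cr).items()
                  if path.rstrip("/").endswith("/logged_out"))

if __name__ == "__main__":
    # Pass a file holding one Elasticsearch CR as JSON, or run with no argument for the sample.
    cr = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CR
    for (node_set, realm), path in sorted(post_logout_targets(cr).items()):
        print(f"nodeSet={node_set} realm={realm} post_logout_path={path}")
    sys.exit(1 if still_on_logged_out(cr) else 0)
```

The script exits non-zero while any realm still redirects to /logged_out, so it can gate a deployment after the patch is applied.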