Briefly, this error occurs when Elasticsearch receives an invalid access token type during an authentication process. It’s expecting a “Bearer” token type, but it’s getting something different. To resolve this issue, you can check the token type you’re sending in your request. Ensure it’s a “Bearer” token. Also, verify that the token is correctly formatted and hasn’t expired. If you’re using an API client, check its configuration to ensure it’s set to use “Bearer” tokens for authentication.
This guide will help you check for common problems that cause the log ” Invalid access token type [{}]; while [Bearer] was expected ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “Invalid access token type [{}]; while [Bearer] was expected” class name is OpenIdConnectAuthenticator.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
rpConfig.getResponseType().equals(ResponseType.parse("code"))) {
assert (accessToken != null) : "Access Token cannot be null for Response Type " + rpConfig.getResponseType().toString();
final boolean isValidationOptional = rpConfig.getResponseType().equals(ResponseType.parse("code"));
// only "Bearer" is defined in the specification but check just in case
if (accessToken.getType().toString().equals("Bearer") == false) {
throw new ElasticsearchSecurityException("Invalid access token type [{}]; while [Bearer] was expected";
accessToken.getType());
}
String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
if (Strings.hasText(atHashValue) == false) {
if (isValidationOptional == false) {
