2 Factor Authentication

Hello OpenSearch Community!

Does anybody have a clue on the possible options for 2-Factor-Auth with OpenSearch ideally with Google’s 2FA?

It seems to me that I need to deploy some plugin for Dashboards, like:

At this point, I have 2 questions:

  1. Is there any other applicable solution for Opensearch Dashboards 2FA?
  2. Is there any documentation on plugin development for opensearch?

Thank you and have a nice day.

Maybe I misunderstand the question,
But have you tried to configure Google as OpenID authentication in OS?
When this is set up it “should” be straight forward to enable 2FA from Google Cloud Console. Therefore I do not see a need for any additional plugin.
I have previously got it working with google using OpenID and test users, have yet to try MFA, but there is an article here that might help
Maybe I missed some requirement though, let me know

Thank you for your response.
I am deploying OpenSearch on my own infrastructure, not using any AWS or GCP etc. Can I still use Google for authentication? If so, how would I configure Google as OpenID authentication in OS?

I know in OpenDistro people also used Keycloak as authentication provider, but is there a plugin for this for opensearch?

@keks I had it working using local running instance of OS, therefore it’s definitely possible.
The configuration is the same as any other openID config, the part in config.yml would look something like this:

  http_enabled: true
  order: 1
    type: openid
    challenge: true
      openid_connect_url: "https://accounts.google.com/.well-known/openid-configuration"
      subject_key: "name"
      roles_key: "" # can't retrieve roles from Google
     type: noop


opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: ".....apps.googleusercontent.com"
opensearch_security.openid.client_secret: "...."
opensearch_security.openid.base_redirect_url: "https://localhost:5601"

Regarding the actual google side, there are various tutorials out there, not sure which one is the most updated one, you will need to have a look.

Hope this helps


Aah, so it is really possible to use some openid connector. Cool cool! So this I cannot do from docker-compose.yml, can I? Instead I should be using the distributions from the opensearch website, am I correct?
Also in your response above you mentioned the config.yml. Is this config from the openid connector, or from opensearch? it is definately not from dashbords, i guess… Sorry for noob questions

@keks You can use docker-compose yes, in fact this is how I had it running.

The config.yml file I mentioned is the security config located in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ if you are using docker.

Hope this helps