BadCredentialsException when using Openid with Azure

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch-dashboards helm chart 2.6.0
opensearch helm chart 2.8.0

Describe the issue:
When configuring Azure as a IdP for OIDC I get a BadCredentialsException (see below)

and in the browser it says ‘{“statusCode”:401,“error”:“Unauthorized”,“message”:“Unauthorized”}’

To Reproduce
Steps to reproduce the behavior:

  1. configure openid in plugins/opensearch-security/securityconfig/config.yml
  2. configure openid in config/opensearch_dashboard.yml as described at OpenID Connect - OpenSearch documentation
  3. run plugins/opensearch-security/tools/
  4. open dashboard site in browser


          enabled: true
            preferred: ['Global', 'Private']
        readonly_mode.roles: ['kibana_read_only']
          type: "openid"
          client_id: <myid>
          client_secret: <mysecret>
          root_ca: /etc/ssl/certs/ca-certificates.crt
          base_redirect_url: https://myserver
          scope: openid profile email
        http_enabled: true
        transport_enabled: false
        order: 2
          type: openid
          challenge: false
            subject_key: email
            # roles_key: roles
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/ssl/certs/ca-certificates.crt
          type: noop

Relevant Logs or Screenshots:

[2022-11-23T15:31:32,591][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
Wed, Nov 23 2022 4:31:32 pm | [2022-11-23T15:31:32,593][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] Extracting JWT token from eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.<mytoken>.M5418NxLO5eA0cEYIoID-hzRJ6XcTZQJoMNEMzl_2sGOGYurN8FOIOgSedpm5cG6dQIsRoMMYS0GVvUvglxurU5J0TnJ7eCNN_1hfQ0TaHvGkDxX97HTm8bN1XGQrj8a0fjY8-f46H33HpT1OrRL-rM4vxYPIpg_8QfgllyB2Yh4-RDINSCgHiNgD7uH8Bk4pNzD4Y-mDb5xQdxFj0u2rEMqeKVCI_VaiIa-8i0C01xP_tpVRyX_fojfUcUE-7vUx-dy7mOYySSJM_UFBslvs2FCO7GEe6hwohVV18wmQXuh19cu0jpdTuW4XrGCiiyB4mo7qMlP674fdR3vYuACqA failed
Wed, Nov 23 2022 4:31:32 pm | Algorithm of JWT does not match algorithm of JWK (HS512 != RS256)
Wed, Nov 23 2022 4:31:32 pm | at ~[opensearch-security-]

@domruf You don’t need pemtrustedcas_filepath in the config.yml. This is useful when you use IDP with a self-signed certificate. Azure is using certificates signed by the external CA.

You can drop this section when you use Azure as IDP.

              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/ssl/certs/ca-certificates.crt

Also, you don’t need root_ca: /etc/ssl/certs/ca-certificates.crt in opensearch_dashboards.yml.

@pablo Well yes, in my current environment i could. But I also have situations where a proxy with deep packet inspection is required. I believe in those cases I’d need pemtrustedcas_filepath to trust the proxy’s certificate.
Anyways it does not hurt either and AFAIS has nothing to do with the ‘JWK (HS512 != RS256)’ problem.

@pablo You were right after all. Since I mounted my own /etc/ssl/certs/ca-certificates.crt, this interfered with /etc/pki/tls/certs/ca-bundle.crt. And since basically all custom files must be placed in the config folder my ca-certificates.crt was not properly read as well.

I still have some problems with OIDC (this time 400 responses) but that is a new problem.

@domruf I’ve tried to get Opensearch 2.x working with Azure OpenID but no luck. I get 401.
However, I used exactly the same configuration with 1.2 and 1.3 and it worked. It seems that either I’m missing some configuration or there is a bug in 2.x that prevents successful Azure OID authentication.

After further investigation it turned out that the 400 response only accorded sometime because of too many redirects. These in turn were caused by a too large cookie, which seems to be a known issue. Handle too large cookies gracefully · Issue #375 · opensearch-project/security · GitHub

@domruf How many roles did you assign to your test user?