BadCredentialsException when using Openid with Azure

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch-dashboards helm chart 2.6.0
opensearch helm chart 2.8.0

Describe the issue:
When configuring Azure as an IdP for OIDC I get a BadCredentialsException (see below)

and in the browser it says '{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}'

To Reproduce
Steps to reproduce the behavior:

  1. configure openid in plugins/opensearch-security/securityconfig/config.yml
  2. configure openid in config/opensearch_dashboard.yml as described at OpenID Connect - OpenSearch documentation
  3. run plugins/opensearch-security/tools/securityadmin.sh
  4. open dashboard site in browser

Configuration:

      # config/opensearch_dashboards.yml
      opensearch_security:
        multitenancy:
          enabled: true
          tenants:
            preferred: ['Global', 'Private']
        readonly_mode.roles: ['kibana_read_only']
        auth:
          type: "openid"
        openid:
          connect_url: https://login.microsoftonline.com/<mypath>/v2.0/.well-known/openid-configuration
          client_id: <myid>
          client_secret: <mysecret>
          root_ca: /etc/ssl/certs/ca-certificates.crt
          base_redirect_url: https://myserver
          scope: openid profile email

      # plugins/opensearch-security/securityconfig/config.yml (authc section)
      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: email
            # roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/<mypath>/v2.0/.well-known/openid-configuration
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/ssl/certs/ca-certificates.crt
        authentication_backend:
          type: noop

Relevant Logs or Screenshots:

...
[2022-11-23T15:31:32,591][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2022-11-23T15:31:32,593][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] Extracting JWT token from eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.<mytoken>.M5418NxLO5eA0cEYIoID-hzRJ6XcTZQJoMNEMzl_2sGOGYurN8FOIOgSedpm5cG6dQIsRoMMYS0GVvUvglxurU5J0TnJ7eCNN_1hfQ0TaHvGkDxX97HTm8bN1XGQrj8a0fjY8-f46H33HpT1OrRL-rM4vxYPIpg_8QfgllyB2Yh4-RDINSCgHiNgD7uH8Bk4pNzD4Y-mDb5xQdxFj0u2rEMqeKVCI_VaiIa-8i0C01xP_tpVRyX_fojfUcUE-7vUx-dy7mOYySSJM_UFBslvs2FCO7GEe6hwohVV18wmQXuh19cu0jpdTuW4XrGCiiyB4mo7qMlP674fdR3vYuACqA failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Algorithm of JWT does not match algorithm of JWK (HS512 != RS256)
at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.validateSignatureAlgorithm(JwtVerifier.java:90) ~[opensearch-security-2.4.0.0.jar:2.4.0.0]
...
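A diagnostic worth running before touching the configuration, added here as an example and not code from the original post, OpenSearch or Azure: decode the JOSE header of the token that appears in the log line above and compare its `alg` and `kid` with what the IdP's JWKS actually offers. The header segment below is copied from the log; it decodes to `alg` RS256, so the token itself is not HS512, which points at the key lookup (whether the JWKS could be fetched through the cluster's trust store and whether it contains that `kid`) rather than at the token. The JWKS document in the script is a constructed sample with the shape of a `jwks_uri` response (placeholder moduli, not Azure's keys); `fetch_jwks` is an assumed helper for pulling the real one with a chosen CA bundle and is only used when a discovery URL is passed on the command line.

```python
"""Decode a JWT header and check it against an OIDC JWKS document.

Added example for the thread above, not OpenSearch or Azure code.  The header
segment is copied from the log line in the original post; SAMPLE_JWKS is a
constructed sample with the shape of a jwks_uri response, not Azure's keys.
"""
import base64
import json
import ssl
import sys
import urllib.request

# First dot-separated segment of the token in the log line (copied from the post).
LOG_HEADER_SEGMENT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9"
)

# Constructed sample JWKS (shape only; 'n' values are placeholders, not real moduli).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "other-key", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# Algorithms a JWK of a given key type can legitimately sign with.
KTY_TO_ALGS = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
}


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_header(token):
    """Return the JOSE header of a compact JWT (a bare header segment also works)."""
    header_segment = token.split(".")[0]
    return json.loads(b64url_decode(header_segment))


def check_header_against_jwks(header, jwks):
    """Explain whether a token with this header could be verified with this JWKS.

    'status' is one of:
      symmetric_alg  - alg is HS*/none; a JWKS of public keys can never verify it,
                       and accepting it anyway would be algorithm confusion
      kid_not_found  - no key with this kid (key rollover, wrong tenant/issuer,
                       or the JWKS was never fetched successfully)
      alg_mismatch   - key found, but its kty/alg does not allow the header alg
      ok             - key found and the algorithm is consistent
    """
    alg = header.get("alg", "")
    kid = header.get("kid")
    result = {"alg": alg, "kid": kid}
    if alg == "none" or alg.startswith("HS"):
        result["status"] = "symmetric_alg"
        return result
    matching = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matching:
        result["status"] = "kid_not_found"
        return result
    jwk = matching[0]
    # A JWK may pin one alg explicitly; otherwise the key type bounds the family.
    allowed = {jwk["alg"]} if "alg" in jwk else KTY_TO_ALGS.get(jwk.get("kty"), set())
    result["jwk_alg"] = jwk.get("alg", jwk.get("kty"))
    result["status"] = "ok" if alg in allowed else "alg_mismatch"
    return result


def fetch_jwks(discovery_url, cafile=None):
    """Assumed helper: follow the discovery document to jwks_uri, trusting only
    the given CA bundle (the same file the cluster is configured with).
    Needs network access; the offline self-check below does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(discovery_url, context=ctx) as resp:
        jwks_uri = json.load(resp)["jwks_uri"]
    with urllib.request.urlopen(jwks_uri, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python jwt_jwks_check.py [discovery_url [ca_bundle_path]]
    header = decode_jwt_header(LOG_HEADER_SEGMENT)
    print("header from log:", header)
    if len(sys.argv) >= 2:
        jwks = fetch_jwks(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        jwks = SAMPLE_JWKS
    print(check_header_against_jwks(header, jwks))
```

Run it with the tenant's discovery URL and the bundle path from `pemtrustedcas_filepath` as the second argument: a TLS failure at that point reproduces a trust-store problem outside the cluster, and a `kid_not_found` result shows the JWKS is reachable but does not contain the key the token names.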

@domruf You don't need pemtrustedcas_filepath in the config.yml. This is useful when you use an IdP with a self-signed certificate. Azure is using certificates signed by an external CA.

You can drop this section when you use Azure as IDP.

            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/ssl/certs/ca-certificates.crt

Also, you don’t need root_ca: /etc/ssl/certs/ca-certificates.crt in opensearch_dashboards.yml.

@pablo Well yes, in my current environment I could. But I also have situations where a proxy with deep packet inspection is required. I believe in those cases I'd need pemtrustedcas_filepath to trust the proxy's certificate.
Anyway, it does not hurt either, and AFAICS it has nothing to do with the 'JWK (HS512 != RS256)' problem.

@pablo You were right after all. Since I mounted my own /etc/ssl/certs/ca-certificates.crt, this interfered with /etc/pki/tls/certs/ca-bundle.crt. And since basically all custom files must be placed in the config folder, my ca-certificates.crt was not read properly either.

I still have some problems with OIDC (this time 400 responses) but that is a new problem.

@domruf I’ve tried to get Opensearch 2.x working with Azure OpenID but no luck. I get 401.
However, I used exactly the same configuration with 1.2 and 1.3 and it worked. It seems that either I'm missing some configuration or there is a bug in 2.x that prevents successful Azure OIDC authentication.

After further investigation it turned out that the 400 response only occurred sometimes, because of too many redirects. These in turn were caused by a too-large cookie, which seems to be a known issue: Handle too large cookies gracefully · Issue #375 · opensearch-project/security · GitHub

@domruf How many roles did you assign to your test user?