Cookie Validation fails under SecurityDashboard plugin


Version used (Opensearch, Opensearch) - 1.3.2 with security enabled.

I have a custom plugin written for opensearch-dashboards for authentication. The flow of the plugin is →

  • The plugin makes a REST call to keycloak server (with required user credentials) to fetch a jwt access token to contact Opensearch.
  • The plugin then uses the fetched jwt token inside the authorization header “Bearer ” and sends it in the internal call to localhost:port/app/home.
  • We get successful response from the security plugin with header cookies
    Header cookies contains below attributes:

{ username: ‘’, credentials:
{ authHeaderValue: ‘Bearer <accessToken…>’ },
authType: ‘openid’,
expiryTime: 1659347896595

  • The plugin then redirects to /app/home location with the same cookie getting in above steps. But its redirecting to keycloak page for authentication - so that means its not considering the cookie valid and not considering that authentication is already done.

The same plugin and its flow worked absolutely fine with opendistro-1.9 with Kibana 7.8.0. We see the issue from opendistro-1.13 and it continues with Opensearch 1.x releases.

If we modify the security plugin code - precisely getCookie method in openid authentication - security-dashboards-plugin/openid_auth.ts to add an extra parameter expires_at in the cookie parameters - that works fine and does not again ask for authentication on accessing /app/home as the cookie is valid.

When we normally login to Opensearch-dashboards UI, it redirects to keycloak for authentication and then redirects to /app/home.
But with internal calls from the plugin, even though authentication was successful, cookie is created with lesser parameters - as a result, it fails to work as expected.

Can you help us understand the root cause of this issue and how can we solve this?

@shivani Have you tested it with the latest 2.3.0?

@pablo No, I haven’t tested this with 2.3.0?
Do you see this as an issue in 1.x and any particular change made in 2.3.0 might have solved this?

I am still moving from Opendistro 1.9 to Opendistro 1.13/Opensearch-1.x in my application and cannot directly move to Opensearch 2.x. I still need to be able to support this functionality with 1.x before upgrading to 2.x.
Any inputs on this will be much appreciated…

Hi @pablo
Any inputs on above query? Do you see a particular change made in 2.3.0 Opensearch that will help in resolving this?
And any pointers on making it work in the previous versions?

@shivani Could you share your config.yml file?

Apologies, i missed seeing this update earlier. Pls find the configs:

opensearch_dashboards.yml opensearch-dashboards
        elasticsearch.requestTimeout: 99999
        server.customResponseHeaders: { "X-Frame-Options": "DENY" }

        csp.strict: true
        #server.ssl.supportedProtocols: ["TLSv1.2"] true
        # Whitelist basic headers and multi tenancy header
        opensearch_security.multitenancy.enabled: false
        #opensearch.requestHeadersWhitelist: [ "Authorization", "securitytenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
        opensearch_security.auth.type: "openid"
        opensearch_security.openid.connect_url: ""
        opensearch_security.openid.base_redirect_url: ""
        opensearch_security.openid.client_id: "<clientid>"
        opensearch_security.openid.client_secret: "<secret>"
        opensearch_security.openid.header: "Authorization"
        opensearch_security.openid.root_ca: "/usr/share/opensearch-dashboards/keycloak-rootca.pem"

        opensearch_security.auth.unauthenticated_routes: ["/api/status", "/customauth/v1/sso"]
        customauth.enabled: "true"
        customauth.ssoproxy.url: https://customauth-customauth-ssoproxy.default.svc.cluster.local:8444
        customauth.sco.url: http://sco-svc.credential.svc.cluster.local

(customauth is the plugin we have written, its flow mentioned above in prev comments)

And opensearch security config.yml

       config_yml: |-
          type: "config"
          config_version: 2
              multitenancy_enabled: false
              server_username: kibanaserver 
              anonymous_auth_enabled: false
                enabled: false
                internalProxies: '.+' # since we require clientauth cert for http, we do not need to do IP filtering
                #remoteIpHeader:  'x-forwarded-for'
                #trustedProxies: '.+' # trust all external proxies, regex pattern
                http_enabled: true
                transport_enabled: true
                order: 0 
                  type: basic
                  challenge: False   # Set this to false when openid authentication is enabled
                  type: intern
                http_enabled:  True      # Set to true to enable keycloak authentication
                transport_enabled: false
                order: 1
                  type: openid
                  challenge: false
                    subject_key: preferred_username
                    roles_key: roles
                      verify_hostnames: false
                      trust_all: false
                      enable_ssl: true
                      pemtrustedcas_filepath: "/etc/opensearch/config/certs/keycloakRootCaPem"
                  type: noop