Cookie Validation fails under SecurityDashboard plugin


Version used (Opensearch, Opensearch) - 1.3.2 with security enabled.

I have a custom plugin written for opensearch-dashboards for authentication. The flow of the plugin is →

  • The plugin makes a REST call to keycloak server (with required user credentials) to fetch a jwt access token to contact Opensearch.
  • The plugin then uses the fetched jwt token inside the authorization header “Bearer ” and sends it in the internal call to localhost:port/app/home.
  • We get successful response from the security plugin with header cookies
    Header cookies contains below attributes:

{ username: ‘’, credentials:
{ authHeaderValue: ‘Bearer <accessToken…>’ },
authType: ‘openid’,
expiryTime: 1659347896595

  • The plugin then redirects to /app/home location with the same cookie getting in above steps. But its redirecting to keycloak page for authentication - so that means its not considering the cookie valid and not considering that authentication is already done.

The same plugin and its flow worked absolutely fine with opendistro-1.9 with Kibana 7.8.0. We see the issue from opendistro-1.13 and it continues with Opensearch 1.x releases.

If we modify the security plugin code - precisely getCookie method in openid authentication - security-dashboards-plugin/openid_auth.ts to add an extra parameter expires_at in the cookie parameters - that works fine and does not again ask for authentication on accessing /app/home as the cookie is valid.

When we normally login to Opensearch-dashboards UI, it redirects to keycloak for authentication and then redirects to /app/home.
But with internal calls from the plugin, even though authentication was successful, cookie is created with lesser parameters - as a result, it fails to work as expected.

Can you help us understand the root cause of this issue and how can we solve this?

@shivani Have you tested it with the latest 2.3.0?

@pablo No, I haven’t tested this with 2.3.0?
Do you see this as an issue in 1.x and any particular change made in 2.3.0 might have solved this?

I am still moving from Opendistro 1.9 to Opendistro 1.13/Opensearch-1.x in my application and cannot directly move to Opensearch 2.x. I still need to be able to support this functionality with 1.x before upgrading to 2.x.
Any inputs on this will be much appreciated…