Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue : I am able to get curl output with OpenSearch internal users:
curl -u monitorid:'*****' --insecure 'https://opensearch-sandeep.com/_cluster/health?pretty'
But with OIDC users with the same backend role, I am getting a 401 error.
The dashboard is still accessible with the OIDC user.
How to fix?
Configuration :
Relevant Logs or Screenshots :
pablo
February 11, 2026, 5:30pm
2
@sandeepm257 This is expected. With OpenID, you must first obtain the JWT token from the IDP using its token endpoint. You can find that endpoint URL in the OIDC’s manifest.
Manifest URL example for Keycloak OIDC
https://<Your_IDP>/realms/master/.well-known/openid-configuration
Next, extract the JWT token from the response and use it as Bearer with any request against the OpenSearch cluster.
This is my working workflow for Keycloak
RESULT=$(curl -k --noproxy '*' -d 'client_id=kibana' -d 'username=<uid>' -d 'password=<password>' -d 'grant_type=password' -d 'client_secret=<secret>' -d 'scope=openid' 'https://<Keycloak address>/auth/realms/<realm>/protocol/openid-connect/token')
TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')
curl --insecure -H "Authorization: Bearer $TOKEN" https://localhost:9200
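
If the Bearer request from the workflow above still returns 401, it helps to look at what the token actually carries. The following is an added example, not part of the original posts: it decodes a JWT's claims offline and checks expiry and whether the claim mapped by the security plugin's `roles_key` setting is present. The sample token, the `roles` claim name and all function names are constructed assumptions.

```bash
# Encode a string as unpadded base64url (only used to build the constructed sample).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }

# Decode one base64url segment: JWTs use the URL-safe alphabet without padding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Pull access_token out of the token endpoint's JSON response.
extract_token() { printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'; }

# Print the claims (second dot-separated segment). Inspection only: the
# signature is not verified here; OpenSearch does that against the IdP's keys.
jwt_claims() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload"
}

# $1 = JWT, $2 = claim name configured as roles_key, $3 = current epoch seconds.
# Prints: ok | expired | no-roles-claim | undecodable
check_token() {
  local claims exp
  claims=$(jwt_claims "$1") || { echo "undecodable"; return; }
  exp=$(printf '%s' "$claims" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  if [ -z "$exp" ] || [ "$exp" -le "$3" ]; then echo "expired"; return; fi
  case "$claims" in *"\"$2\":"*) echo "ok" ;; *) echo "no-roles-claim" ;; esac
}

# Constructed sample: an unsigned test JWT inside a token-endpoint-style response.
HDR=$(b64url_encode '{"alg":"none"}')
BODY=$(b64url_encode '{"iss":"https://idp.example/realms/demo","preferred_username":"alice","roles":["monitor"],"exp":2000000000}')
RESULT="{\"access_token\":\"$HDR.$BODY.sig\",\"token_type\":\"Bearer\"}"

TOKEN=$(extract_token "$RESULT")
jwt_claims "$TOKEN"; echo
check_token "$TOKEN" roles "$(date +%s)"
```

Run against a real token, compare the printed `iss` and the roles claim with what the OpenID auth domain in the security configuration expects.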