"error":"Unauthorized" opensearch 2.19 with OIDC using WSO2 Identity Server 7.0.0

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.19
OpenSearch Dashboards 2.19
Ubuntu 22.04 LTS

Describe the issue:
I have integrated OpenSearch with an identity provider that uses OpenID Connect: WSO2 Identity Server 7.0.0.

The basic_internal_auth_domain is configured with order: 0, and the OIDC authentication domain is configured with order: 1.

When I attempt to log in via SSO, the user is successfully authenticated by WSO2 IS, but access to OpenSearch fails with a 401 Unauthorized error — the user is not authorized.

Configuration:

opensearch.yml

network.host: 0.0.0.0
discovery.type: single-node
plugins.security.allow_unsafe_democertificates: true

plugins.security.disabled: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/admin.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/admin-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/admin.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/admin-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem

plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - "CN=admin,OU=UNIT,O=ORG,L=BARI,ST=ITALIA,C=IT"
plugins.security.nodes_dn:
  - "CN=opensearch01,OU=UNIT,O=ORG,L=BARI,ST=ITALIA,C=IT"
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
plugins.query.datasources.encryption.masterkey: "zzzzzzAAAAA"

config.yml

  authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
#oidc auth
      openid_auth_domain:
        description: "OIDC with WSO2 IS 7.0.0"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: true
          config:
            openid_connect_url: "https://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/.well-known/openid-configuration"
            subject_key: preferred_username
            roles_key: roles
            client_id: "xxxxxxxxxxxx"
            client_secret: "yyyyyyyyyy"
            scope: "openid profile email groups"
        authentication_backend:
          type: noop

roles_mapping.yml

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:
    - "admin"
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  - "oidc_user"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"

opensearch_dashboards.yml

opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false

opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: "https://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/.well-known/openid-configuration"
opensearch_security.openid.client_id: "xxxxxxxxxxxx"
opensearch_security.openid.client_secret: "yyyyyyyyyy"
opensearch_security.openid.scope: "openid profile email address phone groups"
opensearch_security.openid.base_redirect_url: "https://opensearchdemo.plusinnovation.it/_dashboards"

opensearch_security.openid.logout_url: "https://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/oidc/logout"

Relevant Logs or Screenshots:

{"type":"response","@timestamp":"2025-05-12T19:48:24Z","tags":[],"pid":434804,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"x.x.x.x","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","accept":"image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"IT'SNOTLINKhttps://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1fbd71c5-3d21-3a15-9228-f6f8afdee522&session_state=37d1c9f319c8c0012cf3cad2d05efd569505f527a8fade9a98ad536e844e36c6.n3sBCzfCWWTfrSsbDjFj4Q&state=gK2qPT0vxJqum4y8vA5Ilc","sec-fetch-dest":"image","sec-fetch-mode":"no-cors","sec-fetch-site":"cross-site","priority":"u=6"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","referer":"IT'SNOTLINKhttps://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1fbd71c5-3d21-3a15-9228-f6f8afdee522&session_state=37d1c9f319c8c0012cf3cad2d05efd569505f527a8fade9a98ad536e844e36c6.n3sBCzfCWWTfrSsbDjFj4Q&state=gK2qPT0vxJqum4y8vA5Ilc"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /favicon.ico 401 1ms - 9.0B"}

@fdgitconsulting there are a couple of things to review here,

Firstly, I see you are using the admin certificate for node-to-node communication; perhaps that’s just named admin and not an actual admin certificate, which cannot be used for this purpose.

Can you confirm the cluster forms as expected, with the correct number of nodes?

Secondly, in the config.yml file, in basic_internal_auth_domain please set the challenge flag to false.

Lastly, are you able to capture the JWT token and examine what is being passed? A good example was provided here.

Also, for better clarity, when posting, please put the configuration snippets in code blocks.

Hi Anthony, thanks for your answer.
I tried setting the challenge flag to false in config.yml, but it hasn’t resolved the issue.
OpenSearch isn’t clustered; there is only one node.

This is my JWT token:

{
  "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
  "aut": "APPLICATION_USER",
  "binding_type": "sso-session",
  "email_verified": true,
  "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
  "groups": [
    "admin",
    "super.PlusInnovationUsers"
  ],
  "preferred_username": "Francesco",
  "given_name": "Francesco",
  "client_id": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "aud": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "nbf": 1748351670,
  "azp": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "org_id": "10084a8d-113f-4211-a0d5-efe36b082211",
  "scope": "address email groups openid phone profile",
  "exp": 1748355270,
  "org_name": "Super",
  "iat": 1748351670,
  "family_name": "De Girolamo",
  "binding_ref": "03c0065059993f5487dd0737d8bf5fdc",
  "jti": "71d5e280-fef1-4e5f-a45a-b85e372c5f77",
  "email": "francesco.degirolamo@xxxxx",
  "username": "fdg"
}

Have you got other suggestions ?

@fdgitconsulting Your token doesn’t have “roles”, and in your config.yml you have “roles_key: roles”. That is the reason it is not able to pick up the admin role.
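Added example for this thread (not OpenSearch project code and not the poster’s): the script below replays offline what the reply above describes, namely how the security plugin’s openid authenticator takes the user name from `subject_key` and the backend roles from `roles_key`, and how roles_mapping.yml then turns those backend roles into security roles. The `ROLES_MAPPING` dict is trimmed from the roles_mapping.yml posted in this thread, the two claim sets are trimmed from the two decoded tokens, and `fnmatch` stands in for the plugin’s own wildcard matching (an assumption). Signature verification is deliberately left out; OpenSearch checks the JWT against the JWKS behind `openid_connect_url` before any of this runs, so the script only shows which roles a token would get once it is accepted. Run as written, it shows the first token mapping to nothing but `own_index`, the second mapping to `all_access` and `readall`, and it flags a backend role that no mapping refers to (the later token in this thread carries `kibanausers` while the mapping says `kibanauser`).

```python
"""Offline replay of subject_key / roles_key extraction and roles_mapping.yml.
Added example for this forum thread; not OpenSearch or WSO2 code."""
from __future__ import annotations

import fnmatch

# config.yml values from the thread.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"

# roles_mapping.yml as posted after the roles claim was added, trimmed to the
# fields that decide a mapping (backend_roles and users).
ROLES_MAPPING = {
    "all_access":       {"backend_roles": ["admin"], "users": ["admin", "oidc user"]},
    "own_index":        {"users": ["*"]},
    "logstash":         {"backend_roles": ["logstash"]},
    "kibana_user":      {"backend_roles": ["kibanauser", "oidc_user"]},
    "readall":          {"backend_roles": ["readall", "everyone", "system"]},
    "manage_snapshots": {"backend_roles": ["snapshotrestore"]},
    "kibana_server":    {"users": ["kibanaserver"]},
}

# Claims copied from the two decoded tokens in the thread (other claims dropped).
TOKEN_WITHOUT_ROLES = {
    "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
    "preferred_username": "Francesco",
    "groups": ["admin", "super.PlusInnovationUsers"],
    "username": "fdg",
}
TOKEN_WITH_ROLES = dict(TOKEN_WITHOUT_ROLES, roles=["system", "everyone", "admin"])


def backend_roles_from_claims(claims: dict, roles_key: str) -> list[str]:
    """Backend roles the plugin reads from the claim named by roles_key.
    A missing claim gives an empty list: that is the first token above, where
    roles_key was 'roles' but the token only carried 'groups'.
    A comma-separated string is accepted as well as a JSON array."""
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return [str(r) for r in value]


def map_security_roles(claims: dict, subject_key: str, roles_key: str,
                       roles_mapping: dict) -> dict:
    """What /_plugins/_security/authinfo would report for this token:
    user_name, backend_roles and the security roles they map to.
    A role is granted when any backend role appears under backend_roles or
    when user_name matches a pattern under users ('*' matches everyone)."""
    user = claims.get(subject_key)
    if user is None:
        # Without a subject the authenticator cannot build a user at all.
        return {"error": f"subject_key '{subject_key}' not present in token"}
    backend = backend_roles_from_claims(claims, roles_key)
    granted = set()
    for role, spec in roles_mapping.items():
        if set(spec.get("backend_roles", [])) & set(backend):
            granted.add(role)
        elif any(fnmatch.fnmatchcase(user, p) for p in spec.get("users", [])):
            granted.add(role)
    return {"user_name": user, "backend_roles": backend, "roles": sorted(granted)}


def unmatched_backend_roles(claims: dict, roles_key: str, roles_mapping: dict) -> list[str]:
    """Backend roles present in the token that no mapping refers to; catches
    near-misses such as 'kibanausers' in the token vs 'kibanauser' in the file."""
    referenced = {r for spec in roles_mapping.values()
                  for r in spec.get("backend_roles", [])}
    return [r for r in backend_roles_from_claims(claims, roles_key) if r not in referenced]


if __name__ == "__main__":
    for label, claims in (("no roles claim", TOKEN_WITHOUT_ROLES),
                          ("with roles", TOKEN_WITH_ROLES)):
        print(label, "->", map_security_roles(claims, SUBJECT_KEY, ROLES_KEY, ROLES_MAPPING))
    later_token = dict(TOKEN_WITH_ROLES, roles=["kibanausers", "system", "everyone", "admin"])
    print("unmatched backend roles:", unmatched_backend_roles(later_token, ROLES_KEY, ROLES_MAPPING))
```

Two things the output makes visible that a 401 page does not: with `subject_key: preferred_username` the user name is `Francesco`, so the `users: - "oidc user"` entry under `all_access` never matches anything, and a token whose `roles` claim is missing still authenticates but lands only in `own_index`, which is not enough for Dashboards.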

Now I have this, but SSO authentication still ends in the same error, "statusCode 401":

{
  "isk": "2273b499d631e0b422b68bea1570f7c84f9b300eab9eb74acd0ee9048f08973f",
  "at_hash": "yj_Yln3q1RoSvD2D-XYZiA",
  "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
  "email_verified": true,
  "amr": [
    "BasicAuthenticator"
  ],
  "roles": [
    "system",
    "everyone",
    "admin"
  ],
  "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
  "groups": [
    "admin",
    "super.PlusInnovationUsers"
  ],
  "preferred_username": "Francesco",
  "given_name": "Francesco",
  "sid": "93587ee5-20ab-4690-8ade-c940ff29bf80",
  "aud": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "c_hash": "2HOSeGbzm_hOJI-_e1bCTQ",
  "nbf": 1748375241,
  "azp": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "org_id": "10084a8d-113f-4211-a0d5-efe36b082211",
  "exp": 1748378841,
  "org_name": "Super",
  "iat": 1748375241,
  "family_name": "De Girolamo",
  "jti": "0130e7d8-5264-4fa5-807a-9af6d3ad3b57",
  "email": "francesco.degirolamo@xxxxxx",
  "username": "fdg"
}

This is my roles_mapping.yml

# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml

_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here

## Demo roles mapping

all_access:
  reserved: false
  backend_roles:
    - "admin"
  users:
    - "admin"
    - "oidc user"
  description: "Maps admin to all_access"
own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  - "oidc_user"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"
  - "everyone"
  - "system"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"

@fdgitconsulting The token and role mappings look correct, do you see any other logs in dashboards?

Also, I noticed your redirect is to https, but I don’t see the certificates configured for Dashboards. Are you using https with Dashboards?

Can you also confirm how you are retrieving this token?

Hi Anthony,
I’m using https with Dashboards.
I have configured an Nginx reverse proxy with a Let’s Encrypt certificate.

This is the Dashboards log:

{"type":"response","@timestamp":"2025-05-28T05:12:03Z","tags":[],"pid":898661,"method":"get","statusCode":200,"req":{"url":"/ui/logos/opensearch_on_light.svg","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"93.49.93.30","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://opensearchdemo.plusinnovation.it/app/login?","sec-fetch-dest":"image","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin","priority":"u=4, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","referer":"https://opensearchdemo.plusinnovation.it/app/login?"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /ui/logos/opensearch_on_light.svg 200 2ms - 9.0B"}
{"type":"ops","@timestamp":"2025-05-28T05:12:03Z","tags":[],"pid":898661,"os":{"load":[4.73,4.29,4.15],"mem":{"total":8322969600,"free":1113739264},"uptime":2537990.12},"proc":{"uptime":35080.355224494,"mem":{"rss":202297344,"heapTotal":163024896,"heapUsed":141699456,"external":2080393,"arrayBuffers":687196},"delay":0.13918399810791016},"load":{"requests":{"5601":{"total":89,"disconnects":1,"statusCodes":{"200":80,"401":8}}},"responseTimes":{"5601":{"avg":5.584269662921348,"max":20}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 135.1MB uptime: 9:44:40 load: [4.73 4.29 4.15] delay: 0.139"}
{"type":"ops","@timestamp":"2025-05-28T05:12:08Z","tags":[],"pid":898661,"os":{"load":[4.67,4.29,4.15],"mem":{"total":8322969600,"free":1113563136},"uptime":2537995.12},"proc":{"uptime":35085.358269872,"mem":{"rss":202297344,"heapTotal":163024896,"heapUsed":141851248,"external":2081053,"arrayBuffers":687856},"delay":0.12521886825561523},"load":{"requests":{"5601":{"total":0,"disconnects":0,"statusCodes":{}}},"responseTimes":{"5601":{"avg":null,"max":0}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 135.3MB uptime: 9:44:45 load: [4.67 4.29 4.15] delay: 0.125"}
{"type":"response","@timestamp":"2025-05-28T05:12:09Z","tags":[],"pid":898661,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"93.49.93.30","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","priority":"u=0, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0"},"res":{"statusCode":200,"responseTime":1,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment 200 1ms - 9.0B"}
{"type":"response","@timestamp":"2025-05-28T05:12:10Z","tags":[],"pid":898661,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"x.x.x.x","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"*/*","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://opensearchdemo.plusinnovation.it/auth/openid/captureUrlFragment","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin","priority":"u=2"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","referer":"https://opensearchdemo.plusinnovation.it/auth/openid/captureUrlFragment"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment.js 200 4ms - 9.0B"}
{"type":"response","@timestamp":"2025-05-28T05:12:10Z","tags":[],"pid":898661,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?redirectHash=false","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"x.x.x.x","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://opensearchdemo.plusinnovation.it/auth/openid/captureUrlFragment","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","priority":"u=0, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","referer":"https://opensearchdemo.plusinnovation.it/auth/openid/captureUrlFragment"},"res":{"statusCode":302,"responseTime":6,"contentLength":9},"message":"GET /auth/openid/login?redirectHash=false 302 6ms - 9.0B"}

Hi Anthony,
I have configured Nginx reverse proxy to manage Let’s Encrypt certificate .

This is the Dashboards log:

{"type":"response","@timestamp":"2025-05-28T14:28:25Z","tags":[],"pid":898661,"method":"get","statusCode":401,"req":{"url":"/_dashboards/auth/openid/login?code=1b990edb-10cc-3402-8272-2ba533d66c3c&session_state=4aa8743e34437edf0eee95e2bbc387e07e990f2eb598dd5071869dff11ab98a9.09YglsfUgxydA4t1zWQ1DA&state=GPJ1aJgQHjL8wNYHJp9GZx","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"93.49.93.30","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://opensearchdemo.plusinnovation.it/","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","priority":"u=0, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","referer":"https://opensearchdemo.plusinnovation.it/"},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /_dashboards/auth/openid/login?code=1b990edb-10cc-3402-8272-2ba533d66c3c&session_state=4aa8743e34437edf0eee95e2bbc387e07e990f2eb598dd5071869dff11ab98a9.09YglsfUgxydA4t1zWQ1DA&state=GPJ1aJgQHjL8wNYHJp9GZx 401 3ms - 9.0B"}
{"type":"response","@timestamp":"2025-05-28T14:28:25Z","tags":[],"pid":898661,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"93.49.93.30","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","accept":"image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1b990edb-10cc-3402-8272-2ba533d66c3c&session_state=4aa8743e34437edf0eee95e2bbc387e07e990f2eb598dd5071869dff11ab98a9.09YglsfUgxydA4t1zWQ1DA&state=GPJ1aJgQHjL8wNYHJp9GZx","sec-fetch-dest":"image","sec-fetch-mode":"no-cors","sec-fetch-site":"cross-site","priority":"u=6"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0","referer":"https://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1b990edb-10cc-3402-8272-2ba533d66c3c&session_state=4aa8743e34437edf0eee95e2bbc387e07e990f2eb598dd5071869dff11ab98a9.09YglsfUgxydA4t1zWQ1DA&state=GPJ1aJgQHjL8wNYHJp9GZx"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}
{"type":"ops","@timestamp":"2025-05-28T14:28:28Z","tags":[],"pid":898661,"os":{"load":[4.43,4.47,4.3],"mem":{"total":8322969600,"free":1096237056},"uptime":2571374.67},"proc":{"uptime":68464.900312901,"mem":{"rss":200249344,"heapTotal":163549184,"heapUsed":140504944,"external":1825842,"arrayBuffers":432517},"delay":1.6684179306030273},"load":{"requests":{"5601":{"total":5,"disconnects":0,"statusCodes":{"200":2,"302":1,"401":2}}},"responseTimes":{"5601":{"avg":2.4,"max":3}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 134.0MB uptime: 19:01:05 load: [4.43 4.47 4.30] delay: 1.668"}
{"type":"ops","@timestamp":"2025-05-28T14:28:33Z","tags":[],"pid":898661,"os":{"load":[4.47,4.48,4.3],"mem":{"total":8322969600,"free":1095475200},"uptime":2571379.67},"proc":{"uptime":68469.902219729,"mem":{"rss":199749632,"heapTotal":163549184,"heapUsed":139807264,"external":1825637,"arrayBuffers":432312},"delay":0.3217320442199707},"load":{"requests":{"5601":{"total":0,"disconnects":0,"statusCodes":{}}},"responseTimes":{"5601":{"avg":null,"max":0}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 133.3MB uptime: 19:01:10 load: [4.47 4.48 4.30] delay: 0.322"}

I’m retrieving the token using the code from the URL generated on the Unauthorized web page.
I’m inserting this code in a curl request like this, which gives me the ID token.

curl -X POST https://wso2isdemo.plusinnovation.it/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -d "redirect_uri=https://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login" \
  -d "client_id=KhQdda6JPkfEP05sSZ0ZKEc4LuorUIa" \
  -d "client_secret=zaLQfd3xveswtYLOsL_W4dpRqMIlAzODt7Kc8RH_XpfMa"

To decode the ID-token I’m using this command

# JWT segments are base64url without '=' padding: swap in the standard alphabet and restore the padding before base64 -d
echo 'ID-TOKEN' | cut -d '.' -f2 | tr '_-' '/+' | awk '{ n = length($0) % 4; if (n) $0 = $0 substr("==", 1, 4 - n); print }' | base64 -d | jq

and in this example I obtain:

{
  "isk": "51523f1e28cef36d3586d91daa2cfa270a6831347c3370923ecb002763d6a349",
  "at_hash": "GyAAIKzzX_SiiIiTTTeIRA",
  "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
  "email_verified": true,
  "amr": [
    "BasicAuthenticator"
  ],
  "roles": [
    "system",
    "everyone",
    "admin"
  ],
  "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
  "groups": [
    "admin",
    "super.PlusInnovationUsers"
  ],
  "preferred_username": "Francesco",
  "given_name": "Francesco",
  "sid": "11f4a5ec-e68e-4dd6-8636-e0a1b4f3c9d7",
  "aud": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "c_hash": "wLxEUNH0ok1v203q4v3yiw",
  "nbf": 1748442336,
  "azp": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "org_id": "10084a8d-113f-4211-a0d5-efe36b082211",
  "exp": 1748445936,
  "org_name": "Super",
  "iat": 1748442336,
  "family_name": "De Girolamo",
  "jti": "b88b51bb-67c0-4fdb-848c-ec5e10c67948",
  "email": "francesco.degirolamo@xxxxx",
  "username": "fdg"
}

I tried to assign the user the kibanausers role and changed roles_mapping.yml like this:

_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here

## Demo roles mapping

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "Administrators"
  - "Viewer"
  - "Administrators"
  - "opensearch_admin"
  hosts: []
  users: []
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"

This is the ID token:

{
  "isk": "050aa813e38b362082497748a8eb6deaf9b2fd628699dbb694a8c1480fdcab1f",
  "at_hash": "sZ7MPDiY_NOGxIR7ByTwnQ",
  "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
  "email_verified": true,
  "amr": [
    "BasicAuthenticator"
  ],
  "roles": [
    "kibanausers",
    "system",
    "everyone",
    "admin"
  ],
  "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
  "groups": [
    "admin",
    "super.PlusInnovationUsers"
  ],
  "preferred_username": "Francesco",
  "given_name": "Francesco",
  "sid": "e4bew976d2-7fca-43b3-bc6c-90269dfea8c7",
  "aud": "KhQew6JPkfEP05sSZ0ZKEc4LuorUIa",
  "c_hash": "c5VwHwWZPgWSMk3JzTjSSgw",
  "nbf": 1749225280,
  "azp": "KhQ6JPkfEP05sSZ0ZKEc4LuorUIa",
  "org_id": "10084a8d-113f-4211-a0d5-efe36b082211",
  "exp": 1749228880,
  "org_name": "Super",
  "iat": 1749225280,
  "family_name": "De Girolamo",
  "jti": "657c2b6f-4761-4e58-8a02-45882c5bb167",
  "email": "francesco.degirolamo@xxxxxx",
  "username": "fdg"
}

@fdgitconsulting Can you try to use the token in curl and connect to the OpenSearch cluster directly, bypassing the proxy, to see whether the proxy is not whitelisting the Authorization header?

# RESULT holds the JSON body returned by the /oauth2/token call above
TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')

curl --insecure -H "Authorization: Bearer $TOKEN" https://localhost:9200
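Added example for this thread (not OpenSearch or WSO2 code, and not the reply author’s): a Python counterpart of the curl test above. It takes the JSON returned by the WSO2 `/oauth2/token` endpoint, picks the bearer JWT out of it the way the sed one-liner does, decodes the payload correctly (base64url, no padding), reports how many seconds the token is still valid, and, when fed a real token on stdin, sends it straight to OpenSearch on the local port, bypassing nginx, against `/_plugins/_security/authinfo` so that `user_name`, `backend_roles` and `roles` are visible rather than just “Unauthorized”. `OPENSEARCH_URL` is an assumption (the node’s own port, as in the curl above). The sample token-endpoint response is constructed from the claims posted in this thread and carries a dummy signature, so it is only good for the offline steps; OpenSearch would reject it at signature verification.

```python
"""Bearer-token check straight against OpenSearch, bypassing the proxy.
Added example for this forum thread; not OpenSearch or WSO2 code."""
from __future__ import annotations

import base64
import json
import ssl
import sys
import time
import urllib.error
import urllib.request

OPENSEARCH_URL = "https://localhost:9200"   # assumed: the node itself, not nginx


def b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment only; the signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def pick_bearer_token(token_response: dict) -> str:
    """The sed one-liner above takes access_token. In this thread WSO2 IS
    returned a JWT there (the first token posted carries access-token claims
    such as 'aut' and 'binding_type'); the ones with at_hash/c_hash are ID
    tokens. Prefer access_token when it is a JWT, otherwise fall back to id_token."""
    for key in ("access_token", "id_token"):
        candidate = token_response.get(key, "")
        if isinstance(candidate, str) and candidate.count(".") == 2:
            return candidate
    raise ValueError("token response contains no JWT")


def seconds_until_expiry(token: str, now: int | None = None) -> int:
    """Negative means expired. The tokens in this thread live iat+3600s, so a
    token copied out of a page some minutes ago may be dead by the time curl runs."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    return int(claims["exp"]) - now


def authinfo(token: str, base_url: str = OPENSEARCH_URL) -> tuple[int, object]:
    """GET /_plugins/_security/authinfo with the token as Bearer.
    TLS verification is off to match `curl --insecure` against the demo certs;
    do not carry that into anything beyond this diagnostic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url + "/_plugins/_security/authinfo",
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def make_unsigned_jwt(claims: dict) -> str:
    """Syntactically valid JWT with a dummy signature, for offline use only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.dummysig"


# Constructed sample: a subset of the claims of the last token posted above.
SAMPLE_CLAIMS = {"sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
                 "preferred_username": "Francesco",
                 "roles": ["kibanausers", "system", "everyone", "admin"],
                 "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
                 "nbf": 1749464540, "exp": 1749468140, "iat": 1749464540}
SAMPLE_TOKEN_RESPONSE = {"access_token": make_unsigned_jwt(SAMPLE_CLAIMS),
                         "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    # Usage: curl ... https://wso2isdemo.../oauth2/token | python3 check_bearer.py
    response = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TOKEN_RESPONSE
    token = pick_bearer_token(response)
    claims = decode_jwt_payload(token)
    print("user:", claims.get("preferred_username"), "roles claim:", claims.get("roles"))
    print("valid for", seconds_until_expiry(token), "more seconds")
    if response is not SAMPLE_TOKEN_RESPONSE:
        status, body = authinfo(token)
        print(status, json.dumps(body, indent=2) if isinstance(body, dict) else body)
```

Reading the result: a 200 from `authinfo` on the node itself with the expected `backend_roles` means OpenSearch accepts the token and the problem sits between the browser, nginx and Dashboards (for example a dropped Authorization header); a 401 on the node itself means the security plugin is rejecting the token, and the decoded lifetime printed just before tells you whether plain expiry is the reason.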

Hi Anthony,
I tried with this token

{
  "sub": "8f4eca26-7f69-4d0c-a626-4f63ff09f8f5",
  "aut": "APPLICATION_USER",
  "binding_type": "sso-session",
  "email_verified": true,
  "roles": [
    "kibanausers",
    "system",
    "everyone",
    "admin"
  ],
  "iss": "https://wso2isdemo.plusinnovation.it/oauth2/token",
  "groups": [
    "admin",
    "super.PlusInnovationUsers"
  ],
  "preferred_username": "Francesco",
  "given_name": "Francesco",
  "client_id": "KhQad6JPkfEP05sSZ0ZKEc4LuorUIa",
  "aud": "KhQ6JPkdadafEP05sSZ0ZKEc4LuorUIa",
  "nbf": 1749464540,
  "azp": "KhQ6JPkfEPs05sSZ0ZKEc4LuorUIa",
  "org_id": "10084a8d-113f-4211-a0d5-efe36b082211",
  "scope": "address email groups openid phone profile roles",
  "exp": 1749468140,
  "org_name": "Super",
  "iat": 1749464540,
  "family_name": "De Girolamo",
  "binding_ref": "8a43935a8cbb0248aced0a3c70519e6f",
  "jti": "fb3405aa-2bb2-467e-9fe0-0d738efaa9de",
  "email": "francesco.degirolamo@xxxxx.it",
  "username": "fdg"
}

the result is this:

Authentication finally failed

If I try OpenSearch basic authentication, everything is OK:

curl -X GET https://localhost:9200 -u 'admin:@dsxxfatttee' --insecure
{
  "name" : "wsoi-is-demo1-fra1-01",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "FwzwKtw-Tq2ReVtS8KZO_g",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.19.1",
    "build_type" : "deb",
    "build_hash" : "2e4741fb45d1b150aaeeadf66d41445b23ff5982",
    "build_date" : "2025-02-27T01:16:50.421408412Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}