Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.12 docker
debian 12
chrome/firefox
Describe the issue:
OUTDATED See next reply instead: Infinite loop with Authentik OpenID Connect - #3 by mmorg
I set up OpenSearch + OpenSearch Dashboards and configured them with Authentik OIDC, but upon login I get stuck in an infinite loop: Authentik sends me back to OpenSearch Dashboards, OpenSearch Dashboards sends me back to Authentik, and so on.
I see the following in the logs of the dashboard. I don't see anything happening in OpenSearch.
OpenId authentication failed: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET] | type=log @timestamp=2024-03-27T22:23:10Z tags=["error","plugins","securityDashboards"] pid=1
After which it starts over and keeps ending up here.
I can see the tokens being created in Authentik.
I can connect to the api through the dashboard container.
I’ve been at it for quite some hours, could use another pair of eyes
Configuration:
docker-compose.yml
# Compose stack: one OpenSearch node plus OpenSearch Dashboards, with
# Dashboards published through Traefik. Indentation is reconstructed here;
# the pasted listing had lost it.
services:
  # No `ports:` entry is shown for this service, so port 9200 looks reachable
  # only from the compose network. TODO confirm against the full file.
  opensearch-api:
    image: opensearchproject/opensearch:2.12.0
    environment:
      - "discovery.type=single-node"
      - "bootstrap.memory_lock=true"
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      # Skips the demo certificates/users; the certs and security files
      # mounted under `volumes:` are meant to replace them.
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      # NOTE(review): this switches the security plugin off in the image.
      # With it off the node does not register the /_plugins/_security/*
      # REST handlers, which matches the "no handler found for uri
      # [/_plugins/_security/authinfo]" error in the Dashboards log, and the
      # REST API accepts requests without authentication. The security
      # configuration mounted below is not enforced while this is set.
      - "DISABLE_SECURITY_PLUGIN=true"
      - "TZ=Europe/Amsterdam"
    volumes:
      # Named volume; its top-level `volumes:` declaration is not shown.
      - data:/usr/share/opensearch/data
      # Node certificate, private key and CA referenced from opensearch.yml.
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/opensearch.pem:/usr/share/opensearch/config/opensearch.pem
      - ./certs/opensearch-key.pem:/usr/share/opensearch/config/opensearch-key.pem
      # NOTE(review): the 2.x images normally keep the security configuration
      # under config/opensearch-security/ -- confirm that config/security/ is
      # a directory the plugin actually reads.
      - ./opensearch_security_internal_users.yml:/usr/share/opensearch/config/security/internal_users.yml
      - ./opensearch_security_config.yml:/usr/share/opensearch/config/security/config.yml
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
  opensearch-dashboard:
    image: opensearchproject/opensearch-dashboards:2.12.0
    environment:
      # Plain HTTP to the API container: the kibanaserver credentials and any
      # user tokens Dashboards forwards travel unencrypted on the Docker
      # network. This agrees with `ssl.http.enabled: false` in opensearch.yml.
      - "OPENSEARCH_HOSTS=http://opensearch-api:9200"
      - "TZ=Europe/Amsterdam"
    labels:
      # Traefik terminates TLS on the `websecure` entrypoint for
      # opensearch.my-domain.com and forwards to Dashboards on port 5601.
      - "traefik.enable=true"
      - "traefik.http.routers.opensearch-dashboard.rule=Host(`opensearch.my-domain.com`)"
      - "traefik.http.routers.opensearch-dashboard.entrypoints=websecure"
      - "traefik.http.routers.opensearch-dashboard.tls=true"
      - "traefik.http.routers.opensearch-dashboard.tls.certresolver=dns"
      - "traefik.http.routers.opensearch-dashboard.service=opensearch-dashboard"
      - "traefik.http.services.opensearch-dashboard.loadbalancer.server.port=5601"
    volumes:
      # Holds the OIDC client secret and the kibanaserver password.
      - ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
OpenSearch API Container
/usr/share/opensearch/config/security/internal_users.yml
# Internal user database for the security plugin. Indentation is
# reconstructed; the pasted listing had lost it.
_meta:
  type: "internalusers"
  config_version: 2
# Administrative account; carries the "admin" backend role.
admin:
  # Redacted by the poster; the "$2" prefix suggests a bcrypt hash.
  hash: "$2SNIP"
  # Reserved entries are expected to be protected from changes through the
  # REST API and Dashboards -- verify against the plugin documentation.
  reserved: true
  backend_roles:
    - "admin"
  description: "admin user"
# Service account that Dashboards uses for its own requests; it is the
# username configured under `opensearch:` in opensearch_dashboards.yml.
kibanaserver:
  hash: "$2SNIP"
  reserved: true
  description: "OpenSearch Dashboards server"
/usr/share/opensearch/config/security/config.yml
# Authentication domains, shown as a fragment: the enclosing keys of the
# security config.yml are not part of the post. Indentation and nesting are
# reconstructed from the flattened paste -- confirm against the real file.
#
# Domain tried first (order 0): HTTP Basic checked against the internal user
# database. `challenge: false` means a request without credentials is passed
# on to the next domain rather than answered with a Basic-auth challenge.
basic_internal_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: internal
# Domain tried second (order 1): OpenID Connect tokens.
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      # Claim used as the user name.
      subject_key: preferred_username
      # TLS for the connection to the identity provider. No trusted-CA
      # setting is shown here -- presumably the default trust store is used;
      # TODO confirm.
      openid_connect_idp:
        enable_ssl: true
      # Claim whose values become backend roles. Whatever the identity
      # provider places in `groups` is taken as-is, so the roles mapping
      # (not shown) decides which groups grant which OpenSearch roles.
      roles_key: groups
      # Discovery document of the Authentik application.
      openid_connect_url: https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration
  # No backend lookup; identity and roles are taken from the token.
  authentication_backend:
    type: noop
/usr/share/opensearch/config/opensearch.yml
# Node configuration for the single-node cluster. Indentation is
# reconstructed; the pasted listing had lost it.
cluster:
  name: opensearch-my-domain
network:
  # Listens on every interface inside the container.
  host: 0.0.0.0
discovery:
  type: single-node
plugins:
  security:
    # Client-certificate DN that is granted admin access.
    # NOTE(review): the documentation shows this setting as a list of DNs --
    # confirm that a single scalar value is accepted.
    authcz.admin_dn: CN=admin,OU=SSL,O=Test,L=Test,C=NL
    ssl:
      # TLS for node-to-node (transport) traffic, using the mounted PEM files.
      transport:
        pemcert_filepath: opensearch.pem
        pemkey_filepath: opensearch-key.pem
        pemtrustedcas_filepath: root-ca.pem
        # Hostname checks on peer certificates are turned off.
        enforce_hostname_verification: false
        resolve_hostname: false
      # NOTE(review): TLS on the REST layer is off, so Basic credentials and
      # bearer tokens sent to port 9200 are in cleartext. This matches the
      # http:// URL in OPENSEARCH_HOSTS.
      http:
        enabled: false
OpenSearch Dashboard Container
/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
# OpenSearch Dashboards configuration with OpenID Connect login.
# Indentation is reconstructed; the pasted listing had lost it.
server:
  # Listens on every interface inside the container; Traefik is the
  # published entry point.
  host: "0.0.0.0"
  name: "opensearch.my-domain.com"
opensearch_security:
  auth:
    type: "openid"
  openid:
    # Same Authentik discovery document as in the security config.yml.
    connect_url: "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration"
    client_id: "SNIP"
    # Redacted by the poster. Stored in plain text in this file, so the file
    # itself needs the same protection as the secret.
    client_secret: "SNIP"
    scope: "openid profile email"
    logout_url: "https://auth.my-domain.com/application/o/opensearch/end-session/"
    # External URL (behind Traefik) used to build the redirect URI.
    base_redirect_url: "https://opensearch.my-domain.com"
    # NOTE(review): turns off certificate hostname verification -- presumably
    # for the TLS connection to the identity provider; confirm whether it is
    # still needed, since auth.my-domain.com is reached by name.
    verify_hostnames: false
# Service account for Dashboards' own requests. OPENSEARCH_HOSTS in the
# compose file is an http:// URL, so this password is sent unencrypted.
opensearch:
  username: "kibanaserver"
  password: "SNIP"
Relevant Logs or Screenshots:
Full log:
GET /auth/openid/login?code=SNIP&state=SNIP 302 527ms - 9.0B | type=response @timestamp=2024-03-27T22:23:09Z tags=[] pid=1 method=get statusCode=302 req={"url":"/auth/openid/login?code=SNIP&state=SNIP","method":"get","headers":{"host":"opensearch.my-domain.com","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","sec-ch-ua":"\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"192.168.1.55","x-forwarded-host":"opensearch.my-domain.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"e3557ae279a4","x-real-ip":"192.168.1.55"},"remoteAddress":"172.18.0.2","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"} res={"statusCode":302,"responseTime":527,"contentLength":9}
GET /auth/openid/login 302 1ms - 9.0B | type=response @timestamp=2024-03-27T22:23:10Z tags=[] pid=1 method=get statusCode=302 req={"url":"/auth/openid/login","method":"get","headers":{"host":"opensearch.my-domain.com","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","sec-ch-ua":"\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"192.168.1.55","x-forwarded-host":"opensearch.my-domain.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"e3557ae279a4","x-real-ip":"192.168.1.55"},"remoteAddress":"172.18.0.2","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"} res={"statusCode":302,"responseTime":1,"contentLength":9}
OpenId authentication failed: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET] | type=log @timestamp=2024-03-27T22:23:10Z tags=["error","plugins","securityDashboards"] pid=1