Infinite loop with Authentik OpenID Connect

That would be in the config section for the Dashboard: OpenID Connect - OpenSearch Documentation

Those options don’t seem to be available in that config file: OpenID Connect - OpenSearch Documentation

So I found a few mistakes I had made. I fixed those and ran that command a bunch of times, now I’m getting a 401, which is a step at least.

```json
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
```

Updates:

API

Wrong directory

/usr/share/opensearch/config/security/internal_users.yml => /usr/share/opensearch/config/opensearch-security/internal_users.yml

Wrong directory and missing keys, the YML here threw me off because it doesn't contain the config.dynamic.authc keys.

/usr/share/opensearch/config/security/config.yml => /usr/share/opensearch/config/opensearch-security/config.yml

```yaml
_meta:
  type: "config"
  config_version: 2

# these keys are needed
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              # this is the last thing I tried, but it didn't work
              # note: the compose file below mounts authentik.pem at
              # /usr/share/opensearch/config/authentik.pem, not under certificates/
              pemtrustedcas_filepath: /usr/share/opensearch/config/certificates/authentik.pem
            roles_key: roles
            openid_connect_url: https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration
        authentication_backend:
          type: noop
```

Docker Compose

Fixed wrong paths and added every single certificate I could think of

```yaml
services:
  opensearch-api:
    image: opensearchproject/opensearch:2.12.0
    environment:
      - "bootstrap.memory_lock=true"
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "TZ=Europe/Amsterdam"
    volumes:
      - data:/usr/share/opensearch/data
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
      ## certs
      - ./certs/authentik.pem:/usr/share/opensearch/config/authentik.pem
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
      - ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./certs/node.pem:/usr/share/opensearch/config/node.pem
      - ./certs/node-key.pem:/usr/share/opensearch/config/node-key.pem
      ## security
      - ./opensearch_security_config.yml:/usr/share/opensearch/config/opensearch-security/config.yml
      - ./opensearch_security_internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml

  opensearch-dashboard:
    image: opensearchproject/opensearch-dashboards:2.12.0
    environment:
      - "TZ=Europe/Amsterdam"
    volumes:
      - ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
      - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/root-ca.pem
```

/usr/share/opensearch/config/opensearch.yml

```yaml
network:
  host: 0.0.0.0

discovery:
  type: single-node

plugins:
  security:
    authcz:
      # needed to be a list
      admin_dn:
        - "CN=admin,OU=SSL,O=Test,L=Test,C=NL"
    nodes_dn:
      - "CN=node,OU=SSL,O=Test,L=Test,C=NL"
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    audit:
      type: internal_opensearch
    restapi:
      # added probably not needed
      roles_enabled:
        ["all_access", "admin", "kibanauser", "security_rest_api_access"]
    ssl:
      transport:
        enabled: true
        pemcert_filepath: admin.pem
        pemkey_filepath: admin-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
        resolve_hostname: false
      # enabled this and generated certs for it with the guide on the website
      http:
        enabled: true
        pemcert_filepath: node.pem
        pemkey_filepath: node-key.pem
        pemtrustedcas_filepath: root-ca.pem

opendistro_security:
  audit:
    config:
      disabled_rest_categories: NONE
      disabled_transport_categories: NONE
```

/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

```yaml
server:
  host: "0.0.0.0"
  name: "opensearch.my-domain.com"

opensearch_security:
  auth:
    type: "openid"
  openid:
    connect_url: "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration"
    client_id: "SNIP"
    client_secret: "SNAP"
    # added roles here and added a property mapping in authentik, added admin role to my user
    scope: "openid profile email roles"
    logout_url: "https://auth.my-domain.com/application/o/opensearch/end-session/"
    base_redirect_url: "https://opensearch.my-domain.com"
    # verify_hostnames: false

opensearch:
  hosts:
    - "https://opensearch-api:9200"
  ssl:
    # added ssl root ca for opensearch https connection
    verificationMode: certificate
    certificateAuthorities:
      - "/usr/share/opensearch-dashboards/config/root-ca.pem"
  username: "kibanaserver"
  password: "SNOOP"
```

With all this I'm stuck with a 401 error message when trying to log in with Authentik OIDC. Basic auth works to get to the OpenSearch API with the kibanaserver username and password.

Last thing I did: I thought it had to do with the certificate of my IdP. It was using a Let's Encrypt-signed certificate. I changed that to a self-signed certificate, and added the cert to the opensearch container and in /usr/share/opensearch/config/opensearch-security/config.yml. Then ran:

```bash
bash plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert config/root-ca.pem -cert config/admin.pem -key config/admin-key.pem -h localhost
```

But still getting 401 unfortunately. Feel like I'm close but missing something.
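A way to narrow down a 401 like the one above: once Dashboards has finished the OIDC login it hands the ID token to OpenSearch as a bearer token, and the security plugin validates that token against the keys it fetches from `openid_connect_url`, then looks up the user and roles under `subject_key` and `roles_key`. If the claim names do not match, the token comes from a different issuer, it has expired, or the plugin cannot load the trusted CA it was told to use, the result is a plain 401. The script below is an added example (not from the post and not part of OpenSearch or Authentik) that cross-checks the two config fragments and the compose mounts from the post against the claims in a token. The token, the `alice` user, the `admin` role, the `sample` kid and the placeholder signature are all constructed; the issuer rule (discovery URL minus `/.well-known/...`) is an assumption, since the authoritative value is the `issuer` field of the discovery document.

```python
import base64
import json
import re
import time

# Constructed sample (copied from the post, not live values): the keys that
# must agree between opensearch_dashboards.yml and the security plugin's
# config.yml for the Dashboards -> OpenSearch bearer-token hop to succeed.
DASHBOARDS_OPENID = {
    "connect_url": "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration",
    "scope": "openid profile email roles",
}
SECURITY_OPENID = {
    "openid_connect_url": "https://auth.my-domain.com/application/o/opensearch/.well-known/openid-configuration",
    "subject_key": "preferred_username",
    "roles_key": "roles",
    "pemtrustedcas_filepath": "/usr/share/opensearch/config/certificates/authentik.pem",
}

# Constructed sample of the opensearch-api volume entries from the compose file.
COMPOSE_VOLUMES = """
      - ./certs/authentik.pem:/usr/share/opensearch/config/authentik.pem
      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./opensearch_security_config.yml:/usr/share/opensearch/config/opensearch-security/config.yml
"""


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload WITHOUT checking the signature. This only shows
    which claims the IdP emitted; it proves nothing about authenticity."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def sample_token(claims):
    """Build a constructed, unsigned token with a placeholder signature so the
    checks below can be exercised offline. OpenSearch would reject it."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "sample"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


def mounted_container_paths(volume_lines):
    """Container-side targets of '- host:container' compose volume entries."""
    return {m.group(2) for m in re.finditer(r"^\s*-\s*([^:\s]+):(/\S+)", volume_lines, re.M)}


def check_setup(token, now=None):
    """Return a list of findings; an empty list means nothing obvious explains a 401."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    findings = []
    if DASHBOARDS_OPENID["connect_url"] != SECURITY_OPENID["openid_connect_url"]:
        findings.append("Dashboards connect_url and security openid_connect_url differ")
    if "roles" not in DASHBOARDS_OPENID["scope"].split():
        findings.append("Dashboards does not request the 'roles' scope")
    # Assumption: the issuer is the discovery URL without '/.well-known/...';
    # the authoritative value is the 'issuer' field of the discovery document.
    issuer = SECURITY_OPENID["openid_connect_url"].split("/.well-known/")[0].rstrip("/")
    if str(claims.get("iss", "")).rstrip("/") != issuer:
        findings.append(f"token iss {claims.get('iss')!r} is not {issuer!r}")
    for key_name in ("subject_key", "roles_key"):
        if SECURITY_OPENID[key_name] not in claims:
            findings.append(f"token lacks {key_name} claim {SECURITY_OPENID[key_name]!r}")
    if "exp" in claims and claims["exp"] < now:
        findings.append("token is expired")
    ca = SECURITY_OPENID["pemtrustedcas_filepath"]
    if ca not in mounted_container_paths(COMPOSE_VOLUMES):
        findings.append(f"pemtrustedcas_filepath {ca} is not mounted in the container")
    return findings


if __name__ == "__main__":
    # Constructed token with the claims the post's config expects to find.
    demo = sample_token({
        "iss": "https://auth.my-domain.com/application/o/opensearch/",
        "preferred_username": "alice", "roles": ["admin"], "exp": 2000000000,
    })
    for finding in check_setup(demo):
        print("-", finding)
```

Run against the values in the post, the only finding is the trusted-CA path: config.yml points at `/usr/share/opensearch/config/certificates/authentik.pem` while the compose file mounts the file one directory up. To use it with a real ID token, paste the token from the browser's Dashboards session into `check_setup` instead of the constructed one; the decoder deliberately never trusts the token, it only reports which claim names the IdP actually emitted so they can be compared with `subject_key` and `roles_key`.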