Integrates with Keycloak

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
I can integrate with the master realm of Keycloak successfully. But when I create another realm and then point OpenSearch Dashboards to that realm, I get the message {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"} when I log in to OpenSearch Dashboards through Keycloak.

Configuration:
```yaml
server.name: osd
server.host: '0.0.0.0'

opensearch.username: kibanaserver
opensearch.password: kibanaserver

opensearch.hosts:

# Encrypt traffic between the browser and Opensearch dashboards
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/certificates/os-dashboards/osd.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/certificates/os-dashboards/osd.key

# Encrypt traffic between OpenSearch dashboards and Opensearch
opensearch.ssl.certificateAuthorities: [/usr/share/opensearch-dashboards/config/certificates/ca/root-ca.pem]
opensearch.ssl.verificationMode: none

opensearch.requestHeadersAllowlist: ['securitytenant', 'Authorization', 'security_tenant']
elasticsearch.username: "admin"
elasticsearch.password: "admin"

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ['Private', 'Global']
opensearch_security.multitenancy.enable_filter: false

opensearch_security.auth.type: openid
opensearch_security.allow_client_certificates: true
opensearch_security.openid.connect_url: https://keycloak:8443/realms/SBV/.well-known/openid-configuration
opensearch_security.openid.base_redirect_url: https://opensearch-dashboards:5601
opensearch_security.openid.client_id: opensearch-dashboards
opensearch_security.openid.client_secret: kPOQIReVxl9KKMr1Xbo3nPQIl9buxbr6
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/certificates/ca/root-ca.pem
opensearch_security.openid.verify_hostnames: 'false'
```

Relevant Logs or Screenshots:

Hi @maixuandai,

Have you tested the integration without TLS/SSL?

Do you have a sample of JWT sent from Keycloak to OpenSearch?

In your Keycloak “another realm” could you please confirm the highlighted below?

Best,
mj
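
The reply above asks for a sample JWT. As an added example (not part of the thread, and not OpenSearch or Keycloak code), this Python helper decodes a token without verifying its signature and compares its `iss` claim with the realm in `opensearch_security.openid.connect_url`. The sample token is constructed, and treating an issuer or realm mismatch as relevant to the 401 is an assumption, not a diagnosis from the thread.

```python
import base64
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def b64url_json(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JWT segment (for sample tokens)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment: str) -> dict:
    """Restore base64url padding, decode, and parse one JWT segment."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token: str, connect_url: str) -> dict:
    """Decode a JWT WITHOUT verifying the signature (troubleshooting only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    if not connect_url.endswith(WELL_KNOWN):
        raise ValueError("connect_url is not an OpenID discovery URL")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    issuer = claims.get("iss", "")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "iss": issuer,
        # Keycloak issuers end in /realms/<realm>
        "realm": urlsplit(issuer).path.rstrip("/").rsplit("/", 1)[-1],
        # The discovery URL minus the well-known suffix is the advertised issuer
        "issuer_matches": issuer == connect_url[: -len(WELL_KNOWN)],
        # Claim names only, to check which user/role claims the token carries
        "claim_names": sorted(claims),
    }

if __name__ == "__main__":
    # Constructed sample: unsigned token claiming the master realm, checked
    # against the SBV discovery URL from the posted configuration.
    url = "https://keycloak:8443/realms/SBV/.well-known/openid-configuration"
    sample = ".".join([
        b64url_json({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}),
        b64url_json({"iss": "https://keycloak:8443/realms/master", "exp": 0}),
        "constructed-signature",
    ])
    print(json.dumps(inspect_token(sample, url), indent=2))
```

The comparison is an exact string match, so a token issued under a different hostname or port than the one in the discovery URL is reported as a mismatch as well.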