Integrating OpenID Connect with OpenSearch throws a 401 Unauthorised error, using Azure AD as our IdP

@ogulman Have you tried preferred_username as the subject_key in config.yml, or commenting out roles_key?

Another trick I would use is assigning the admin or kibana_user role to any authenticated user.
This should allow you to access the OpenSearch Dashboards UI and see what other roles have been assigned to the user.

all_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to all_access"
  users:
  - '*'

or

kibana_user:
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  hosts: []
  users: 
  - '*'
  and_backend_roles: []
  description: "Maps kibanauser to kibana_user"

@ogulman Did you create an App role and map it to the user as per my screenshots?

yes.

@ogulman If you take a look at my previous and current screenshots you’ll notice that I’m mapping the Value of the App role as a backend role in the OpenSearch.

The Display name of the role is just a label for Azure.

I’ve created two roles in Azure: [admin, test]; both of them have the same description, then I’ve mapped them in OpenSearch:

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "test"
  description: "Maps admin to all_access"
  users:
  - '*'

I’ve tried to re-assign both of them to my account in Azure and I get the same errors all the time; I also tried the tricks that you mention above, without luck.
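What the posts above are arguing about, the openid authenticator taking the username from the claim named by subject_key and the backend roles from the claim named by roles_key, and those backend roles then being matched against roles_mapping.yml, as a small Python diagnostic. This is an added example, not code from either participant or from the OpenSearch security plugin: the token, claim values, tenant placeholder and mapping are constructed, the token is unsigned, and the script only base64-decodes the payload without verifying any signature, so it is for inspecting which claims a token carries, never for authenticating anything.

```python
import base64
import json

# Claim-to-role extraction as the openid authenticator in this thread is
# configured: `subject_key` names the claim used as the username, `roles_key`
# the claim holding backend roles. Added diagnostic, not plugin code.


def decode_jwt_payload(token: str) -> dict:
    """Return the (UNVERIFIED) claims of a compact JWT; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_identity(claims: dict, subject_key: str, roles_key: str):
    """Mimic the plugin's lookup: subject is None when the configured claim is
    absent, which is the case the plugin cannot build credentials from."""
    subject = claims.get(subject_key)
    roles = claims.get(roles_key, [])
    if isinstance(roles, str):
        roles = [r for r in roles.split(",") if r]  # some IdPs send a CSV string
    return subject, list(roles)


def effective_roles(subject, backend_roles, roles_mapping: dict) -> list:
    """roles_mapping.yml semantics: a user gets a role when their name matches
    `users` ('*' is a wildcard) or any backend role matches `backend_roles`."""
    granted = []
    for role, mapping in roles_mapping.items():
        users = mapping.get("users", [])
        if "*" in users or subject in users:
            granted.append(role)
        elif set(backend_roles) & set(mapping.get("backend_roles", [])):
            granted.append(role)
    return granted


def build_unsigned_token(claims: dict) -> str:
    """Constructed test token: base64url header.payload with an empty signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed claims shaped like an Azure AD v2.0 id_token for a user who has
# the app roles "admin" and "test" assigned. Note: no `email` claim, only
# `preferred_username`, which is the situation the subject_key advice targets.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",   # placeholder application id
    "iss": "https://login.microsoftonline.com/<tenantid>/v2.0",
    "preferred_username": "alice@example.com",
    "name": "Alice",
    "roles": ["admin", "test"],
}

# The mapping from the post above, plus the kibana_user wildcard trick.
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin", "test"], "users": []},
    "kibana_user": {"backend_roles": ["kibanauser"], "users": ["*"]},
}


def diagnose(token: str, subject_key: str, roles_key: str) -> dict:
    """Report what OpenSearch would derive from this token under this config."""
    claims = decode_jwt_payload(token)
    subject, backend_roles = extract_identity(claims, subject_key, roles_key)
    return {
        "subject": subject,
        "backend_roles": backend_roles,
        "roles": effective_roles(subject, backend_roles, ROLES_MAPPING) if subject else [],
        "verdict": "ok" if subject else f"401: claim '{subject_key}' missing from token",
    }


if __name__ == "__main__":
    tok = build_unsigned_token(SAMPLE_CLAIMS)
    print(diagnose(tok, "email", "roles"))               # the thread's config
    print(diagnose(tok, "preferred_username", "roles"))  # the suggested change
```

Run it against a real id_token by pasting the token into `diagnose()`; if the configured subject_key claim comes back as None, no roles mapping in the world will help, because the request is rejected before mapping happens.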

@ogulman Thanks for sharing.

Have you checked the Manifest in that specific application in the App registrations?

The manifest that I have is pretty much the same as yours.

{
	"id": "...",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": null,
	"appId": "...",
	"appRoles": [
		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "kibanauser",
			"displayName": "kibanauser",
			"id": "...",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "kibanauser"
		},
		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "admin",
			"displayName": "admin",
			"id": "...",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "admin"
		},
		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "test",
			"displayName": "test",
			"id": "...",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "test"
		}
	],

The version that I use is 2.11.0. What is yours?

@ogulman I use the same version.

Can you try this suggestion?

In my case this works only for a local user:
(screenshot)

For SSO same 401 error.
Are you using the same docker-compose file and demo certificate?

@ogulman Yes.

Could you run the following API and share result?

GET _plugins/_security/api/securityconfig

empty:

config     
------     
@{dynamic=}

list of indexes:

@ogulman That’s strange. You should see at least the default config as you can authenticate.

Try backing up the security config.

or running the following command outside the cluster.

curl --insecure -u admin:admin -XGET https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/api/securityconfig?pretty

I’ve reproduced the 401 error with OpenSearch having the default security config (only basic auth enabled) and OpenID configured in OpenSearch Dashboards.
In this scenario, you’ll still be redirected to Azure for authentication and redirected back to OpenSearch Dashboards, but it will fail with 401 as OpenSearch will be missing the OpenID configuration.

Check the file permissions of ./opensearch/custom_config.yml and verify that /usr/share/opensearch/config/opensearch-security/config.yml contains your custom configuration inside the OpenSearch container.

Yes, you’re right. There is a config; for some reason I get an empty result if I use PowerShell. Using curl gives the expected configuration file.

{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "x-forwarded-for"
        }
      },
      "authc" : {
        "openid_auth_domain" : {
          "http_enabled" : true,
          "transport_enabled" : true,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "openid",
            "config" : {
              "openid_connect_idp" : {
                "enable_ssl" : true,
                "pemtrustedcas_filepath" : "/usr/share/opensearch/config/root-ca.pem",
                "verify_hostnames" : false,
                "subject_key" : "email",
                "roles_key" : "roles",
                "openid_connect_url" : "https://login.microsoftonline.com/<tenantid>/v2.0/.well-known/openid-configuration"
              }
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "transport_enabled" : true,
          "order" : 1,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "internal",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        }
      },
      "authz" : { },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false
    }
  }
}

Could you please have a look at whether I configured OpenID correctly:

This is what you’ve initially shared.

However, your API output is different.

When I have challenge set to true, then I get 401 error when trying to authenticate with Azure.

Could you set challenge to false in both basicauth and openid?
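The two things this thread has been checking against the securityconfig output, whether an HTTP-enabled openid authc domain exists at all (the default-config scenario reproduced above) and whether a basic authenticator with challenge set to true sits ahead of the openid domain in the order, as a Python triage check. This is an added example, not code from the participants or the OpenSearch project; the embedded config is a constructed, reduced copy of the API output quoted earlier in the thread, and the check only flags the conditions discussed here, it does not prove they are the cause in any particular deployment.

```python
import copy
import json

# Added triage check over `GET _plugins/_security/api/securityconfig` output.
# Not plugin code. Findings:
#   NO_OPENID_DOMAIN            - OpenSearch is still on a config without OIDC,
#                                 so the Dashboards redirect ends in 401.
#   BASIC_CHALLENGE_BEFORE_OPENID - a basic authenticator with challenge: true
#                                 runs before openid; a request carrying only a
#                                 Bearer token is answered with a 401 challenge
#                                 instead of being passed to the next domain.
#   SUBJECT_KEY_EMAIL           - informational: the thread suggests trying
#                                 preferred_username, which Azure AD v2.0 ID
#                                 tokens always carry, whereas `email` is
#                                 optional for managed accounts.

# Constructed: reduced copy of the thread's output (openid at order 2,
# basic with challenge true at order 1).
THREAD_CONFIG = {"config": {"dynamic": {"authc": {
    "openid_auth_domain": {
        "http_enabled": True, "order": 2,
        "http_authenticator": {"challenge": False, "type": "openid", "config": {
            "openid_connect_idp": {
                "subject_key": "email", "roles_key": "roles",
                "openid_connect_url": "https://login.microsoftonline.com/<tenantid>"
                                      "/v2.0/.well-known/openid-configuration"}}},
        "authentication_backend": {"type": "noop"}},
    "basic_internal_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {"challenge": True, "type": "basic", "config": {}},
        "authentication_backend": {"type": "internal"}},
}}}}

# Constructed: the stock demo config, basic auth only.
DEFAULT_ONLY_CONFIG = {"config": {"dynamic": {"authc": {
    "basic_internal_auth_domain": copy.deepcopy(
        THREAD_CONFIG["config"]["dynamic"]["authc"]["basic_internal_auth_domain"])}}}}


def authc_domains(securityconfig: dict) -> list:
    """Flatten authc domains into rows sorted by the order they are tried in."""
    authc = securityconfig["config"]["dynamic"].get("authc", {})
    rows = []
    for name, dom in authc.items():
        ha = dom.get("http_authenticator", {})
        rows.append({
            "name": name,
            "order": dom.get("order", 0),
            "type": ha.get("type"),
            "challenge": bool(ha.get("challenge", False)),
            "http_enabled": bool(dom.get("http_enabled", True)),
            "idp": ha.get("config", {}).get("openid_connect_idp", {}),
        })
    return sorted(rows, key=lambda r: r["order"])


def check_oidc_chain(securityconfig: dict) -> list:
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    rows = authc_domains(securityconfig)
    oidc = [r for r in rows if r["type"] == "openid" and r["http_enabled"]]
    if not oidc:
        findings.append("NO_OPENID_DOMAIN: no HTTP-enabled openid authc domain; "
                        "custom config.yml was not loaded into the cluster")
        return findings
    first_oidc = min(r["order"] for r in oidc)
    for r in rows:
        if r["type"] == "basic" and r["challenge"] and r["order"] < first_oidc:
            findings.append(f"BASIC_CHALLENGE_BEFORE_OPENID: '{r['name']}' (order "
                            f"{r['order']}) has challenge: true ahead of openid (order "
                            f"{first_oidc}); set challenge: false so the chain continues")
    for r in oidc:
        if r["idp"].get("subject_key") == "email":
            findings.append(f"SUBJECT_KEY_EMAIL: '{r['name']}' uses subject_key email; "
                            "try preferred_username if the token lacks an email claim")
    return findings


def set_challenge(securityconfig: dict, domain: str, value: bool) -> dict:
    """Return a copy of the config with one domain's challenge flag changed."""
    fixed = copy.deepcopy(securityconfig)
    fixed["config"]["dynamic"]["authc"][domain]["http_authenticator"]["challenge"] = value
    return fixed


if __name__ == "__main__":
    print(json.dumps(check_oidc_chain(THREAD_CONFIG), indent=2))
    print(json.dumps(check_oidc_chain(DEFAULT_ONLY_CONFIG), indent=2))
```

Feed it the JSON saved from the curl command quoted earlier (`json.load(open("securityconfig.json"))`). If you pull the config with PowerShell's Invoke-RestMethod instead, the `@{dynamic=}` rendering seen earlier in the thread is only the default formatter hiding nested objects; pipe the result through `ConvertTo-Json -Depth 10` to get the full document.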

I recently changed it to get a dialog box for basic auth; that’s actually what I was having in Open Distro with LDAP, which works well with backend roles.
I’ve changed both to "challenge" : false without luck.

I give up on the OpenID configuration. It’s a black box.
I also cannot get more detailed logs because of a bug: