Issue with OpenID Connect (OIDC) and TLS

Hi there!

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Our version of OpenSearch and OpenSearch Dashboards: 2.4.0, on Docker
It’s a single-node cluster with no SSL / TLS enabled

Describe the issue:
We’re trying to set up OIDC (OpenID Connect) on OpenSearch but we still have the following error:

Inside the two Docker containers (OpenSearch and OpenSearch Dashboards), we can access the IdP using curl -k.

The error comes from the certificate.

Configuration:
The OpenSearch configuration (config.yml):

The OpenSearch Dashboards configuration (opensearch_dashboard.yml):

If you have any idea how to not verify SSL for the IdP…

Best regards!

@vincent2mots In your config.yml file you’ve set openid_auth_domain.http_authenticator.config.enable_ssl to false. However, openid_auth_domain.http_authenticator.config.openid_connect_url contains HTTPS.
You must set enable_ssl to true to secure the connection to the OpenID IdP.

If your IdP uses self-signed certificates, you must provide the RootCA or IdP certificate in the config.yml and opensearch_dashboards.yml.

config.yml

          config:
            verify_hostnames: false
            openid_connect_url: "https://<IdP_FQDN_or_IP>/auth/realms/master/.well-known/openid-configuration"
            openid_connect_idp:
                  enable_ssl: true
                  pemtrustedcas_filepath: "/usr/share/opensearch/config/<IdP_RootCA_or_cert>"

opensearch_dashboards.yml

opensearch_security.openid.connect_url: "https://<IdP_FQDN_or_IP>/auth/realms/master/.well-known/openid-configuration"
opensearch_security.openid.client_id: "<client_id>"
opensearch_security.openid.client_secret: "<client_secret>"
opensearch_security.openid.root_ca: "/usr/share/opensearch-dashboards/config/<IdP_RootCA_or_cert>"
opensearch_security.openid.base_redirect_url: "https://<OpenSearch_Dashboards_FQDN_or_IP>:5601"


2 Likes

Thanks for your reply!

So, if my IdP is HTTPS, I cannot have a setting like “no_ssl_verification_mode” or something like that? Is it mandatory to use certificates?

@vincent2mots Correct, none of the authentication domains in config.yml has such an option.
You must always provide the TLS certificate when your IdP uses a self-signed certificate and communication is secured.

1 Like

Thanks @pablo for your answer

I got the certificate (using a web browser) and tried to add it into the config files, but I still have the same issue.

The certificate can be in PEM or CER format I suppose?

Could it be related to the fact that the certificate seems to be insecure? In my web browser, while accessing the URL, I have a message (next to the URL) saying the connection is insecure.

Thanks again

@vincent2mots What is your IdP?
I forgot to add that the CN or SAN of the IdP certificate must contain the FQDN or IP used in openid_connect_url.

If the IdP certificate is self-signed then you can use it as pemtrustedcas_filepath and root_ca.

You can also get the certificate by running the below command.

openssl s_client -connect <IdP_FQDN_or_IP>:<port_number>

1 Like
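A pre-flight check for the certificate this answer talks about, added here as an example (it is not part of the thread or of OpenSearch itself): it extends the s_client command above with -servername and -showcerts to save the chain the IdP presents, then confirms that the file you plan to use as pemtrustedcas_filepath / root_ca really validates that chain and that the name from openid_connect_url is in the certificate's SAN/CN. Host names, ports and paths are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Save the certificate chain the IdP presents to <output PEM>.
# -servername sends SNI so virtual-hosted IdPs return the right certificate.
fetch_idp_chain() {
  # $1 = IdP FQDN or IP, $2 = port, $3 = output PEM file (placeholders)
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
  [ -s "$3" ]
}

# Check that a trust file (RootCA, or the self-signed IdP cert itself)
# validates the IdP's leaf certificate, and that the host or IP OpenSearch will
# dial is present in its SAN (or CN). Returns 0 only if both checks pass, which
# is the condition under which verify_hostnames can stay enabled.
verify_idp_cert() {
  # $1 = trust file (what pemtrustedcas_filepath / root_ca will point to)
  # $2 = leaf certificate PEM, $3 = FQDN or IP taken from openid_connect_url
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "chain does not validate against $1"; return 1; }
  if echo "$3" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    # IP literal: must appear as an IP SAN entry
    openssl x509 -in "$2" -noout -checkip "$3" | grep -q 'does match' \
      || { echo "IP $3 is not in the certificate SAN"; return 1; }
  else
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' \
      || { echo "host $3 is not in the certificate SAN/CN"; return 1; }
  fi
  echo "OK: $1 validates $2 for $3"
  return 0
}
```

Typical use is `fetch_idp_chain idp.example.test 443 idp-chain.pem` followed by `verify_idp_cert my-root-ca.pem idp-chain.pem idp.example.test`; a non-zero exit tells you which of the two requirements from this answer the certificate fails.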

Hello there.
While I’m still not able to resolve my own case, I successfully fixed your error by adding the CA cert to Java’s cacerts keystore with keytool.
Not sure it’s a good way though.

1 Like