Hello Community,
I have been struggling to get JWT Authentication work by passing token as an Authorization header. I have followed the opensearch documentation and the same configuration is working in Opensearch version 2.11.1 but not in 2.15.
Every time I attempt to authenticate, I receive the following error message:
{“statusCode”:401,“error”:“Unauthorized”,“message”:“Authentication Exception”}
Is there any difference in configuration between the two versions? Any help would be greatly appreciated.
Here is my output for
curl --insecure -u admin:admin -XGET
"https://$A1HOSTNAME:9200/_plugins/_security/api/securityconfig?pretty"
{
"config" : {
"dynamic" : {
"filtered_alias_mode" : "warn",
"disable_rest_auth" : false,
"disable_intertransport_auth" : false,
"respect_request_indices_options" : false,
"kibana" : {
"multitenancy_enabled" : true,
"private_tenant_enabled" : true,
"default_tenant" : "",
"server_username" : "kibanaserver",
"index" : ".kibana",
"sign_in_options" : [
"BASIC"
]
},
"http" : {
"anonymous_auth_enabled" : false,
"xff" : {
"enabled" : false,
"internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
"remoteIpHeader" : "X-Forwarded-For"
}
},
"authc" : {
"jwt_auth_domain" : {
"http_enabled" : true,
"order" : 0,
"http_authenticator" : {
"challenge" : false,
"type" : "jwt",
"config" : {
"signing_key" : "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQK...\n-----END PUBLIC KEY-----",
"jwt_header" : "Authorization",
"jwt_clock_skew_tolerance_seconds" : 20,
"roles_key" : "roles"
}
},
"authentication_backend" : {
"type" : "noop",
"config" : { }
},
"description" : "Authenticate via Json Web Token"
},
"ldap" : {
"http_enabled" : false,
"order" : 5,
"http_authenticator" : {
"challenge" : false,
"type" : "basic",
"config" : { }
},
"authentication_backend" : {
"type" : "ldap",
"config" : {
"enable_ssl" : false,
"enable_start_tls" : false,
"enable_ssl_client_auth" : false,
"verify_hostnames" : true,
"hosts" : [
"localhost:8389"
],
"userbase" : "ou=people,dc=example,dc=com",
"usersearch" : "(sAMAccountName={0})"
}
},
"description" : "Authenticate via LDAP or Active Directory"
},
"basic_internal_auth_domain" : {
"http_enabled" : true,
"order" : 4,
"http_authenticator" : {
"challenge" : true,
"type" : "basic",
"config" : { }
},
"authentication_backend" : {
"type" : "intern",
"config" : { }
},
"description" : "Authenticate via HTTP Basic against internal users database"
},
"proxy_auth_domain" : {
"http_enabled" : false,
"order" : 3,
"http_authenticator" : {
"challenge" : false,
"type" : "proxy",
"config" : {
"user_header" : "x-proxy-user",
"roles_header" : "x-proxy-roles"
}
},
"authentication_backend" : {
"type" : "noop",
"config" : { }
},
"description" : "Authenticate via proxy"
},
"clientcert_auth_domain" : {
"http_enabled" : false,
"order" : 2,
"http_authenticator" : {
"challenge" : false,
"type" : "clientcert",
"config" : {
"username_attribute" : "cn"
}
},
"authentication_backend" : {
"type" : "noop",
"config" : { }
},
"description" : "Authenticate via SSL client certificates"
},
"kerberos_auth_domain" : {
"http_enabled" : false,
"order" : 6,
"http_authenticator" : {
"challenge" : true,
"type" : "kerberos",
"config" : {
"krb_debug" : false,
"strip_realm_from_principal" : true
}
},
"authentication_backend" : {
"type" : "noop",
"config" : { }
}
}
},
"authz" : {
"roles_from_another_ldap" : {
"http_enabled" : false,
"authorization_backend" : {
"type" : "ldap",
"config" : { }
},
"description" : "Authorize via another Active Directory"
},
"roles_from_myldap" : {
"http_enabled" : false,
"authorization_backend" : {
"type" : "ldap",
"config" : {
"enable_ssl" : false,
"enable_start_tls" : false,
"enable_ssl_client_auth" : false,
"verify_hostnames" : true,
"hosts" : [
"localhost:8389"
],
"rolebase" : "ou=groups,dc=example,dc=com",
"rolesearch" : "(member={0})",
"userrolename" : "disabled",
"rolename" : "cn",
"resolve_nested_roles" : true,
"userbase" : "ou=people,dc=example,dc=com",
"usersearch" : "(uid={0})"
}
},
"description" : "Authorize via LDAP or Active Directory"
}
},
"auth_failure_listeners" : { },
"do_not_fail_on_forbidden" : false,
"multi_rolespan_enabled" : true,
"hosts_resolver_mode" : "ip-only",
"do_not_fail_on_forbidden_empty" : false,
"on_behalf_of" : {
"enabled" : false
}
}
}
}