Keycloak OpenID integration 401 error

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.16.0

Describe the issue:
When authenticating via Keycloak, I get the response {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Configuration:
config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #private_tenant_enabled: true
    #default_tenant: ""
    #server_username: kibanaserver
    #index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/opensearch/ca-test.pem
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://secret/realms/test/.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch-dashboards.yml

opensearch.requestHeadersWhitelist: [authorization,securitytenant]
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/OSDS.pem
server.ssl.key: /etc/opensearch-dashboards/OSDS-key.pem
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.auth.type: ["basicauth", "openid"]
opensearch.ssl.verificationMode: "full"
opensearch_security.auth.multiple_auth_enabled: "true"
opensearch_security.cookie.ttl: 900600
opensearch_security.session.ttl: 900600
opensearch_security.session.keepalive: "true"
opensearch_security.openid.connect_url: "https://secret/realms/secret/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch-cli-production"
opensearch_security.openid.base_redirect_url: "https://secret:5601/"
opensearch_security.openid.client_secret: "secret"
opensearch_security.openid.scope: "profile email"
opensearch_security.openid.header: "Authorization"
opensearch_security.openid.verify_hostnames: "false"
opensearch_security.openid.refresh_tokens: "true"
opensearch_security.openid.root_ca: "/etc/opensearch-dashboards/ca-root.pem"
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.cookie.secure: "true"

Relevant Logs or Screenshots:

@kartavenkov707 Did you have a look at this post? Can you extract the OpenID token and validate that it contains the necessary groups?

Yes, I’ve seen this post.
The only difference that I don’t see is “profile” in “scope”.

This is my token

{
  "exp": 1747661995,
  "iat": 1747661695,
  "jti": "jdbx11d5-ce49-438d-8d0d-f9hf964ca3c3",
  "iss": "https://secret/realms/secret",
  "aud": "account",
  "sub": "8n411c7e-d9a5-4c6e-b7c7-5b8beb87e354",
  "typ": "Bearer",
  "azp": "opensearch-cli-production",
  "session_state": "85451b2e-a134-47b6-a8ba-c9dcb2c61caa",
  "acr": "1",
  "allowed-origins": [
    ""
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "opensearch-admin",
      "default-roles-secret",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "sid": "85451b2e-a134-47b6-a8ba-c9dcb2c61caa",
  "email_verified": true,
  "roles": [
    "offline_access",
    "opensearch-admin",
    "default-roles-secret",
    "uma_authorization"
  ],
  "name": "kartavenkov",
  "preferred_username": "kartavenkov",
  "given_name": "kartavenkov",
  "family_name": "",
  "email": "kartavenkov",
  "header": {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "k7huzHm70jAgFDbgPQWT3gvZZoHWTCFfQ46hMohL72Q"
  }
}
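The check asked for above (does the token carry the claims the security plugin is configured to read) can be done offline on a decoded token. The following is an added example, not code from the thread or from the OpenSearch Security plugin: it splits a compact JWT, base64url-decodes the header and payload, and then looks up the claim names that config.yml calls subject_key and roles_key, reporting whether the required backend role is present and whether the token has expired. The sample token is constructed here (dummy signature segment, made-up issuer); the dotted-path lookup (e.g. realm_access.roles) is a convenience of this example, not a statement about how the plugin resolves roles_key. The example does not verify the signature, which the plugin does against the JWKS published under openid_connect_url.

```python
import base64
import json

# Constructed sample claims: same shape as the token posted in the thread, values made up.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
SAMPLE_PAYLOAD = {
    "exp": 1747661995,
    "iat": 1747661695,
    "iss": "https://idp.example/realms/example",   # placeholder issuer
    "aud": "account",
    "azp": "opensearch-cli-production",
    "scope": "profile email",
    "preferred_username": "kartavenkov",
    "roles": ["offline_access", "opensearch-admin", "default-roles-secret", "uma_authorization"],
    "realm_access": {"roles": ["offline_access", "opensearch-admin"]},
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_unsigned_jwt(header: dict, payload: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature (offline testing only)."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        b64url_encode(compact(header)),
        b64url_encode(compact(payload)),
        b64url_encode(b"placeholder-signature"),
    ])


def parse_jwt(token: str) -> tuple:
    """Split a compact JWT into (header, payload). Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def lookup_claim(payload: dict, key: str):
    """Resolve a claim name; a dotted name walks nested objects (example convention)."""
    value = payload
    for part in key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def check_token(token: str, subject_key: str, roles_key: str, required_role: str, now: int) -> dict:
    """Report whether the token satisfies a subject_key / roles_key configuration at time `now`."""
    header, payload = parse_jwt(token)
    subject = lookup_claim(payload, subject_key)
    roles = lookup_claim(payload, roles_key)
    roles = roles if isinstance(roles, list) else []
    expired = now >= int(payload.get("exp", 0))

    problems = []
    if subject is None:
        problems.append(f"subject_key '{subject_key}' not present in token")
    if not roles:
        problems.append(f"roles_key '{roles_key}' not present or not a list")
    elif required_role not in roles:
        problems.append(f"required backend role '{required_role}' missing from {roles_key}")
    if expired:
        problems.append("token is expired (exp <= now)")

    return {
        "alg": header.get("alg"),
        "subject": subject,
        "roles": roles,
        "has_required_role": required_role in roles,
        "expired": expired,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    # Same keys as the openid_auth_domain in the thread's config.yml.
    print(json.dumps(check_token(token, "preferred_username", "roles", "opensearch-admin", now=1747661700), indent=2))
```

To run this against a real token, paste the bearer token into `check_token` instead of the constructed one and pass `now=int(time.time())`; a `problems` list that names the roles_key is the quickest way to see that the plugin is reading a claim the IdP never emitted.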

@kartavenkov707 A few things come to mind. The challenge flag for basic auth in your config.yml is set to true; change this to false.

Can you provide your role_mapping.yml file to ensure opensearch-admin is mapped to the correct role?


I set the challenge flag in config.yml to false. It didn't help.
I mapped opensearch-admin in Dashboards.

Can you confirm you uploaded the config.yml to the security index using the securityadmin.sh script?

What permissions is this backend role mapped to?

Also, can you provide any logs from OpenSearch or Dashboards when trying to log in, apart from {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}?

This is a screenshot from GET _plugins/_security/api/securityconfig

This backend role has cluster_all and indices_all permissions.

This is the log from /var/log/opensearch/opensearch-cluster.log:
No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

This is the log from Dashboards:
["error","plugins","securityDashboards"],"pid":3439,"message":"OpenId authentication failed: Error: Authentication Exception"}

Could you add “openid” to the above?

I added “OpenID” and then restarted the dashboard service. It didn’t help.
I just noticed an entry in the /var/log/opensearch/opensearch-cluster.log:
Authentication finally failed for null from XX.XX.XX.XX:404121

@kartavenkov707 can you confirm that the value “openid” was added to the scope and not “OpenID” as per your message, as this is case sensitive.

If this still doesn't work, are you able to get this working without certificates in a test environment, just using plain HTTP, to get to the root of the issue more easily, before adding the certificates back?

Hi!
I resolved the issue.
I added the certificate from the Keycloak service to the config.yml configuration, not the root one.