Continuing the discussion from Using KeyCloak RBAC/ABAC in OpenSearch:
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue:
Configuration:
Relevant Logs or Screenshots:
Continuing the discussion from Using KeyCloak RBAC/ABAC in OpenSearch:
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue:
Configuration:
Relevant Logs or Screenshots:
@Gurs Have you tried using the official OpenSearch Helm charts?
You disabled the secure cookie but set server.ssl.enabled to true.
Could you share your config.yml?
@Gurs The secure cookie is one of the elements but not the root cause. Regarding the reported error, it looks like your JWT token does not contain roles, or the roles are placed at a different path.
What is your Keycloak version?
@Gurs I’ve got 26.0.4 working with OpenID.
This is my JWT token.
{
"exp": 1746194718,
"iat": 1746194418,
"jti": "325080c5-9a30-412a-9c28-5fe7e6b05aad",
"iss": "https://dockerhub.pablo.local:8443/realms/opensearch",
"aud": "account",
"sub": "b2cfd869-aa2d-48d8-ac6a-ffde94a867c1",
"typ": "Bearer",
"azp": "docker2-openid",
"sid": "4397fe98-59b5-446f-afa2-8b0ace8ed20d",
"allowed-origins": [
"https://docker2.pablo.local:5601"
],
"realm_access": {
"roles": [
"kibanauser2",
"default-roles-opensearch",
"offline_access",
"admin",
"uma_authorization",
"kibanauser"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"scope": "openid email profile",
"email_verified": false,
"roles": [
"kibanauser2",
"default-roles-opensearch",
"offline_access",
"admin",
"uma_authorization",
"kibanauser"
],
"preferred_username": "admin"
}
and this is my working config.yml
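---
# OpenSearch security plugin config.yml as posted in the thread, re-indented
# so the nesting of the authc domains is visible again.
# NOTE(review): in the documented config.yml layout `type` and `config_version`
# sit under a top-level `_meta:` key; the paste shows them at top level, so
# confirm against the original file before using this verbatim.
type: "config"
config_version: 2
config:
  dynamic:
    http:
      # No anonymous access: every request has to pass one of the authc domains.
      anonymous_auth_enabled: false
      xff:
        # X-Forwarded-For is not trusted; the client address comes from the socket.
        enabled: false
        # Regex of proxies whose XFF header would be honoured if xff were enabled.
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      # order 0: tried first. HTTP Basic against the internal user database.
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          # No WWW-Authenticate challenge is sent; a request without Basic
          # credentials can proceed to the next domain instead of getting a 401.
          challenge: false
        authentication_backend:
          type: "intern"
      # order 1: tried second. Bearer JWT issued by the Keycloak realm below.
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            # Username and roles are read from these JWT claims. The token shown
            # earlier in the thread carries both "preferred_username" and a
            # top-level "roles" claim, which is why roles_key is "roles" here and
            # not "realm_access.roles".
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "https://keycloak.pablo.local:8443/realms/opensearch/.well-known/openid-configuration"
            # The IdP's TLS certificate is validated against this CA file; keep
            # enable_ssl true so that validation actually happens.
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/opensearch/config/keycloak.crt"
            openid_connect_idp.enable_ssl: true
        # Usernames this domain does not handle; they fall back to the internal
        # Basic domain above. Keep the list limited to service accounts.
        # NOTE(review): "fliebeat_internal" looks like a typo for
        # "filebeat_internal" — verify against internal_users.yml; left as posted.
        skip_users:
          - "kibanaro"
          - "kibanaserver"
          - "logstash"
          - "adminp"
          - "fliebeat_internal"
          - "kibanauser"
        authentication_backend:
          # The verified JWT is the proof of identity; no further backend lookup.
          type: "noop"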
In my config I use `roles` as the roles_key.
Can you share your JWT token?
Did you test with this value?
This is my OpenId client export.
{
"clientId": "docker2-openid",
"name": "",
"description": "",
"rootUrl": "https://docker2.pablo.local:5601",
"adminUrl": "https://docker2.pablo.local:5601",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://docker2.pablo.local:5601/*"
],
"webOrigins": [
"https://docker2.pablo.local:5601"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"post.logout.redirect.uris": "+",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"tls-client-certificate-bound-access-tokens": "false",
"realm_client": "false",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
"display.on.consent.screen": "false",
"token.response.type.bearer.lower-case": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"roles",
"profile",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"groups",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}