Keycloak integration

Continuing the discussion from Using KeyCloak RBAC/ABAC in OpenSearch:

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

Configuration:

Relevant Logs or Screenshots:

@Gurs Have you tried using official OpenSearch helm charts?

You disabled the secure cookie but set server.ssl.enabled to true.

Could you share your config.yml?

@Gurs The secure cookie is one of the elements, but not the root cause. Looking at the reported error, it seems your JWT token doesn’t contain a roles claim, or the roles are located under a different path than the one configured in roles_key.

What is your Keycloak version?

@Gurs I’ve got Keycloak 26.0.4 working with OpenID.

This is my JWT token.

{
  "exp": 1746194718,
  "iat": 1746194418,
  "jti": "325080c5-9a30-412a-9c28-5fe7e6b05aad",
  "iss": "https://dockerhub.pablo.local:8443/realms/opensearch",
  "aud": "account",
  "sub": "b2cfd869-aa2d-48d8-ac6a-ffde94a867c1",
  "typ": "Bearer",
  "azp": "docker2-openid",
  "sid": "4397fe98-59b5-446f-afa2-8b0ace8ed20d",
  "allowed-origins": [
    "https://docker2.pablo.local:5601"
  ],
  "realm_access": {
    "roles": [
      "kibanauser2",
      "default-roles-opensearch",
      "offline_access",
      "admin",
      "uma_authorization",
      "kibanauser"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "roles": [
    "kibanauser2",
    "default-roles-opensearch",
    "offline_access",
    "admin",
    "uma_authorization",
    "kibanauser"
  ],
  "preferred_username": "admin"
}

and this is my working config.yml

  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "https://keycloak.pablo.local:8443/realms/opensearch/.well-known/openid-configuration"
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/opensearch/config/keycloak.crt"
            openid_connect_idp.enable_ssl: true
            skip_users:
            - "kibanaro"
            - "kibanaserver"
            - "logstash"
            - "adminp"
            - "fliebeat_internal"
            - "kibanauser"
        authentication_backend:
          type: "noop"

In my config I use `roles` as the roles_key.

Can you share your JWT token?

Did you test with this value?

This is my OpenId client export.

{
  "clientId": "docker2-openid",
  "name": "",
  "description": "",
  "rootUrl": "https://docker2.pablo.local:5601",
  "adminUrl": "https://docker2.pablo.local:5601",
  "baseUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://docker2.pablo.local:5601/*"
  ],
  "webOrigins": [
    "https://docker2.pablo.local:5601"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "post.logout.redirect.uris": "+",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "use.refresh.tokens": "true",
    "tls-client-certificate-bound-access-tokens": "false",
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "true",
    "client_credentials.use_refresh_token": "false",
    "acr.loa.map": "{}",
    "require.pushed.authorization.requests": "false",
    "display.on.consent.screen": "false",
    "token.response.type.bearer.lower-case": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "groups",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}