Keycloak integration

Gurs · April 30, 2025, 10:49am

Continuing the discussion from Using KeyCloak RBAC/ABAC in OpenSearch:

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

Configuration:

Relevant Logs or Screenshots:

pablo · April 30, 2025, 3:42pm

@Gurs Have you tried using official OpenSearch helm charts?

pablo · April 30, 2025, 3:47pm

You disable security cookie but set server.ssl.enabled to true.

Could you share your config.yml?

pablo · April 30, 2025, 4:19pm

@Gurs Secure cookie is one of the elements but not the root cause. Regarding the reported error, it looks like your JWT token doesn’t contain roles or roles are placed in a different path.

What is your Keycloak version?

pablo · May 2, 2025, 2:09pm

@Gurs I’ve got 26.0.4 working with OpenID.

This is my JWT token.

{
  "exp": 1746194718,
  "iat": 1746194418,
  "jti": "325080c5-9a30-412a-9c28-5fe7e6b05aad",
  "iss": "https://dockerhub.pablo.local:8443/realms/opensearch",
  "aud": "account",
  "sub": "b2cfd869-aa2d-48d8-ac6a-ffde94a867c1",
  "typ": "Bearer",
  "azp": "docker2-openid",
  "sid": "4397fe98-59b5-446f-afa2-8b0ace8ed20d",
  "allowed-origins": [
    "https://docker2.pablo.local:5601"
  ],
  "realm_access": {
    "roles": [
      "kibanauser2",
      "default-roles-opensearch",
      "offline_access",
      "admin",
      "uma_authorization",
      "kibanauser"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "roles": [
    "kibanauser2",
    "default-roles-opensearch",
    "offline_access",
    "admin",
    "uma_authorization",
    "kibanauser"
  ],
  "preferred_username": "admin"
}

and this is my working config.yml

  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "https://keycloak.pablo.local:8443/realms/opensearch/.well-known/openid-configuration"
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/opensearch/config/keycloak.crt"
            openid_connect_idp.enable_ssl: true
            skip_users:
            - "kibanaro"
            - "kibanaserver"
            - "logstash"
            - "adminp"
            - "fliebeat_internal"
            - "kibanauser"
        authentication_backend:
          type: "noop"

In my config I use roles as roles_key.

Can you share your JWT token?

pablo · May 4, 2025, 8:01am

Did you test with this value?

This is my OpenId client export.

{
  "clientId": "docker2-openid",
  "name": "",
  "description": "",
  "rootUrl": "https://docker2.pablo.local:5601",
  "adminUrl": "https://docker2.pablo.local:5601",
  "baseUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://docker2.pablo.local:5601/*"
  ],
  "webOrigins": [
    "https://docker2.pablo.local:5601"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "post.logout.redirect.uris": "+",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "use.refresh.tokens": "true",
    "tls-client-certificate-bound-access-tokens": "false",
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "true",
    "client_credentials.use_refresh_token": "false",
    "acr.loa.map": "{}",
    "require.pushed.authorization.requests": "false",
    "display.on.consent.screen": "false",
    "token.response.type.bearer.lower-case": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "groups",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

Topic		Replies	Views
Using KeyCloak RBAC/ABAC in OpenSearch Security security-issue	29	2066	April 30, 2025
Unauthorized error 401 while accessing app using sso oidc OpenSearch security-issue	7	192	December 10, 2024
OpenID not working with OpenSearch >= 2.7.0 when passing roles from Keycloak Security	5	586	August 22, 2023
OIDC SSO configured through helm not working Security troubleshoot , configure	4	54	December 9, 2024
OpenID Keycloak working with OpenSearch 2.11.1 but not passing roles Security discuss , troubleshoot , configure	2	531	January 2, 2024

Keycloak integration

Related topics