KeyCloak (OpenID) authentication issue for OpenSearch Dashboards

Versions: OpenSearch 2.6 on Oracle Linux 8.5

Describe the issue: KeyCloak (OpenID) authentication issue for OpenSearch Dashboards

Error Message: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}


Development environment with single OpenSearch node with OpenSearch Dashboard also installed

OpenID integration with Keycloak 8.02

Relevant Logs or Screenshots:



Keycloak Config

** Error **

I’m getting this error message after authenticating using Keycloak, any ideas on what could be wrong here?

@Amith Did you get this issue solved? If not, could you confirm the Keycloak version? Is it 8.02?

We tried updating our Keycloak to version 21.0.1 and below are my current configs, but still getting the same error… @pablo

opensearch.hosts: ["","",""]
#opensearch.hosts: ["https://localhost:9200"]
server.port: 5601
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/apps/opensearch-2.6.0/config/root-ca.pem"]
server.ssl.enabled: true
server.ssl.certificate: /apps/opensearch-2.6.0/config/runops_chain.crt
server.ssl.key: /apps/opensearch-2.6.0/config/runops_wildcardkey.key
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https true
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.client_id: "opensearch-prod"
opensearch_security.openid.connect_url: ""
opensearch_security.openid.client_secret: "q4Jc7DvenZKiw6zWb5hFzsaXelXe4g4j"
opensearch_security.openid.root_ca: "/apps/opensearch-2.6.0/config/runops_chain.crt"
opensearch_security.openid.base_redirect_url: ""

  type: "config"
  config_version: 2

    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    # Kibana multitenancy
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
      anonymous_auth_enabled: false
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see for regex help
        ###### more information about XFF
        ###### and here
        ###### and
       description: "Authenticate via HTTP Basic against internal users database"
       http_enabled: true
       transport_enabled: true
       order: 0
         type: basic
         challenge: false
          type: internal
        http_enabled: true
        transport_enabled: true
        order: 1
          type: openid
          challenge: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: ""
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: "/apps/opensearch-2.6.0/config/runops_chain.pem"
          type: noop

Hey @Amith

I have Keycloak also, I didn't see

Valid redirect URIs

I managed to solve the Keycloak authentication issue, it was just me being stupid by not running the after I made the changes. But now I’m facing a new issue where the roles I assign in Keycloak are not being reflected on OpenSearch Dashboards side. I have tried assigning both realm roles and client roles but none seems to work… Any suggestions?

@Gsmitt @pablo
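
One way to narrow down the roles problem described in the post above (an added example, not part of the original thread or of OpenSearch's own code): decode the token Keycloak issues and check whether the `subject_key` and `roles_key` from the posted config.yml exist as top-level claims. It assumes the security plugin reads `roles_key` as a top-level claim name; the tokens, the user name and the role names are constructed sample data.

```python
import base64
import json

# Claim names taken from the config.yml posted in the thread.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"

def decode_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_claims(payload, subject_key=SUBJECT_KEY, roles_key=ROLES_KEY):
    """Return (roles found under roles_key, list of findings)."""
    findings = []
    if subject_key not in payload:
        findings.append(f"subject_key '{subject_key}' is not in the token")
    value = payload.get(roles_key)
    if isinstance(value, str):  # comma-separated string form
        roles = [r.strip() for r in value.split(",") if r.strip()]
    elif isinstance(value, list):
        roles = [str(r) for r in value]
    else:
        roles = []
        findings.append(f"roles_key '{roles_key}' is not a top-level claim")
        # Keycloak's default token layout nests roles under these claims.
        if payload.get("realm_access", {}).get("roles"):
            findings.append("realm roles exist only under realm_access.roles")
        for client, entry in payload.get("resource_access", {}).items():
            if entry.get("roles"):
                findings.append(f"client roles exist only under resource_access.{client}.roles")
    return roles, findings

def make_token(payload):
    """Build an unsigned sample token (constructed test data, not a real Keycloak token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature"

# Constructed payloads: default Keycloak layout vs. one with a top-level "roles" claim.
DEFAULT_LAYOUT = make_token({"preferred_username": "alice",
                             "realm_access": {"roles": ["opensearch_admin"]},
                             "resource_access": {"opensearch-prod": {"roles": ["readall"]}}})
WITH_ROLES_CLAIM = make_token({"preferred_username": "alice", "roles": ["opensearch_admin"]})

if __name__ == "__main__":
    for name, tok in (("default layout", DEFAULT_LAYOUT), ("with roles claim", WITH_ROLES_CLAIM)):
        print(name, check_claims(decode_payload(tok)))
```

If the first case matches a real token, the roles need to be emitted under a top-level claim whose name equals `roles_key` (a Keycloak token mapper can do this), and those values then have to be mapped as backend roles on the OpenSearch side.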

Hey @Amith

That's where I'm at now :laughing:. I got sidetracked and didn't finish. Being the weekend, I probably won't get around to it till next week.

Hey @Amith

This might help, I found this post.