Need to troubleshoot 401 Unauthorized error message in Dashboards after login via Keycloak

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch - 2.9.0
OpenSearch Dashboards - 2.9.0

Describe the issue:

Hello team,
I am configuring the latest 2.9.0 versions of OpenSearch and OpenSearch Dashboards,
but I am getting 401 Unauthorized on the Dashboards UI and "openid authentication failed" in the Dashboards logs after logging in successfully via Keycloak.
Any help would be appreciated.
Thanks

opensearch_dashboard logs:

Configuration:

Opensearch config.yml —>


_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "internal proxy"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        description: "Authenticate via Keycloak OpenID"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "keyclock-url/.well-known/openid-configuration"
            verify_hostnames: false
            enable_ssl: false
        authentication_backend:
          type: "noop"
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: "noop"
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "cn"
          challenge: false
        authentication_backend:
          type: "noop"
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"

opensearch_dashboards.yml —>

server.name: opensearch-dashboard
server.host: "::0"
opensearch.hosts: ["http://test-opensearch-master:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.basePath: "/testopensearch"
server.rewriteBasePath: "true"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
opensearch_security.auth.type: openid
opensearch_security.openid.connect_url: keyclock-url/.well-known/openid-configuration
opensearch_security.openid.base_redirect_url: https://[ip:nodeport]/testopensearch
opensearch_security.openid.client_id: "id"
opensearch_security.openid.client_secret: "secret"
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.refresh_tokens: false

Relevant Logs or Screenshots:

@vgarvit Have you found the solution?
If not, try adding the below line to your opensearch_dashboards.yml file.

opensearch_security.openid.scope: openid profile email

Did you configure User Realm Role in the Client Scopes?
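The reply suggests setting the OpenID scope explicitly. As an added example (not code from either poster), this Python check parses a flat opensearch_dashboards.yml together with the security plugin's config.yml and flags the settings this thread touches: no explicit scope, cookie.secure false behind an https redirect URL, verify_hostnames false, a discovery URL that differs between the two files, and missing forwarded headers. The sample file contents and the hostnames keycloak.example and dashboards.example are constructed.

```python
import re

# Constructed sample files (not the poster's real ones). The Dashboards side
# mirrors the settings in the question before the suggested scope line is added.
SAMPLE_DASHBOARDS_YML = """
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.cookie.secure: false
opensearch_security.auth.type: openid
opensearch_security.openid.connect_url: https://keycloak.example/realms/demo/.well-known/openid-configuration
opensearch_security.openid.base_redirect_url: https://dashboards.example/testopensearch
opensearch_security.openid.client_id: "id"
opensearch_security.openid.client_secret: "secret"
opensearch_security.openid.verify_hostnames: false
"""
SAMPLE_CONFIG_YML = """
            openid_connect_url: "https://keycloak.example/realms/demo/.well-known/openid-configuration"
"""

def parse_flat_yaml(text):
    """Parse flat `key: value` lines (all this file uses); drops comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def lint_openid(settings, config_yml_text):
    """Return findings about the OpenID settings; an empty list means nothing flagged."""
    oid = lambda k: settings.get("opensearch_security.openid." + k, "")
    if settings.get("opensearch_security.auth.type") != "openid":
        return ["auth.type is not openid"]
    findings = [f"missing opensearch_security.openid.{k}"
                for k in ("connect_url", "client_id", "client_secret", "base_redirect_url") if not oid(k)]
    # The reply's fix: request scopes explicitly; 'openid' is what makes the IdP issue an ID token.
    if "openid" not in oid("scope").split():
        findings.append("openid.scope not set explicitly or lacks 'openid'")
    # Secure flag off behind an https URL: the session cookie may also travel over plain http.
    if oid("base_redirect_url").startswith("https://") and settings.get("opensearch_security.cookie.secure") == "false":
        findings.append("cookie.secure is false although base_redirect_url is https")
    if oid("verify_hostnames") == "false":
        findings.append("openid.verify_hostnames is false: TLS hostname check disabled")
    # Both sides must use the same discovery document, or the backend validates tokens against the wrong issuer.
    m = re.search(r'openid_connect_url:\s*["\']?([^"\'\s]+)', config_yml_text)
    if (m.group(1) if m else None) != oid("connect_url"):
        findings.append("connect_url differs between Dashboards and the security plugin config.yml")
    # Dashboards must forward these headers or the security plugin never sees the credentials.
    findings += [f"requestHeadersWhitelist lacks {h}" for h in ("authorization", "securitytenant")
                 if h not in settings.get("opensearch.requestHeadersWhitelist", "")]
    return findings
```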