OIDC config - getting errors that config keys don't exist

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
I copied the config exactly as it’s shown on the documentation for 2.5.0:

I use Azure so i replaced the url with the proper one from my azure app.
Opensearch doesn’t start and i get a bunch of errors that all the keys used in this config like roles_key, subject_key, transport_enabled etc are not recognized:
java.lang.IllegalArgumentException: unknown setting [openid_auth_domain.http_authenticator.config.openid_connect_url]
I have one of this error for each key basically.

The security plugin is installed, it appears if i do a list.
This is very weird. This is the most basic config from the docu but opensearch basically doesn’t recognize it.


  http_enabled: true
  transport_enabled: true
  order: 0
    type: openid
    challenge: false
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://my-azure-app/.well-known/openid-configuration
    type: noop

Relevant Logs or Screenshots:
java.lang.IllegalArgumentException: unknown setting [openid_auth_domain.http_authenticator.config.openid_connect_url]
unknown setting [openid_auth_domain.http_authenticator.config.roles_key]
unknown setting [openid_auth_domain.http_authenticator.config.subject_key]
unknown setting [openid_auth_domain.transport_enabled]
unknown setting [openid_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

Hi @AdiD !

Could you please specify which directory and file you used?

Hi @Eugene7 ,

I have used config/opensearch.yml

This configuration should be added to the file:

Thank you, @Eugene7 , that seems to be the correct place.
I’ve put it in config/opensearch-security/config.yml under authc: and opensearch starts.

i’ve tried to test the integration though with a curl:

curl -v -u "<client_id>:<client_secret"-" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials" "https://hostname:port/_opendistro/_security/authenticate" -k

And I get {“error”:“no handler found for uri [/_opendistro/_security/authenticate] and method [POST]”}

Seems like it doesn’t know this endpoint. It is not the correct endpoint to check if the integration succeeded?


You missed the Authentication header where you put the bearer. Please try to execute the commands below:

1. RESULT=$( curl -k --noproxy '*' -d 'client_id=<client_id>' -d 'username=<username>' -d 'grant_type=password' -d 'client_secret=<client_secret>' -d 'scope=openid' 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token' -d 'password=<password>')
2. TOKEN=$(echo $RESULT | sed 's/.*access_token":"\([^"]*\).*/\1/')
3. curl --insecure -H "Authorization: Bearer $TOKEN" https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
4. curl --insecure -H "Authorization: Bearer $TOKEN" https://<opensearch_node>:9200