OIDC config - getting errors that config keys don't exist

AdiD · March 9, 2023, 1:03am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5.0

Describe the issue:
I copied the config exactly as it’s shown on the documentation for 2.5.0:

I use Azure so i replaced the url with the proper one from my azure app.
Opensearch doesn’t start and i get a bunch of errors that all the keys used in this config like roles_key, subject_key, transport_enabled etc are not recognized:
java.lang.IllegalArgumentException: unknown setting [openid_auth_domain.http_authenticator.config.openid_connect_url]
I have one of this error for each key basically.

The security plugin is installed, it appears if i do a list.
This is very weird. This is the most basic config from the docu but opensearch basically doesn’t recognize it.

Configuration:

openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://my-azure-app/.well-known/openid-configuration
  authentication_backend:
    type: noop

Relevant Logs or Screenshots:
java.lang.IllegalArgumentException: unknown setting [openid_auth_domain.http_authenticator.config.openid_connect_url]
unknown setting [openid_auth_domain.http_authenticator.config.roles_key]
unknown setting [openid_auth_domain.http_authenticator.config.subject_key]
unknown setting [openid_auth_domain.transport_enabled]
unknown setting [openid_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

Eugene7 · March 9, 2023, 11:48am

Hi @AdiD !

Could you please specify which directory and file you used?

AdiD · March 9, 2023, 1:38pm

Hi @Eugene7 ,

I have used config/opensearch.yml

Eugene7 · March 9, 2023, 1:56pm

This configuration should be added to the file:
../../config/opensearch-security/config.yml

AdiD · March 9, 2023, 4:08pm

Thank you, @Eugene7 , that seems to be the correct place.
I’ve put it in config/opensearch-security/config.yml under authc: and opensearch starts.

i’ve tried to test the integration though with a curl:

curl -v -u "<client_id>:<client_secret"-" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials" "https://hostname:port/_opendistro/_security/authenticate" -k

And I get {“error”:“no handler found for uri [/_opendistro/_security/authenticate] and method [POST]”}

Seems like it doesn’t know this endpoint. It is not the correct endpoint to check if the integration succeeded?

Regards,
Adrian

Eugene7 · March 10, 2023, 4:17pm

You missed the Authentication header where you put the bearer. Please try to execute the commands below:

1. RESULT=$( curl -k --noproxy '*' -d 'client_id=<client_id>' -d 'username=<username>' -d 'grant_type=password' -d 'client_secret=<client_secret>' -d 'scope=openid' 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token' -d 'password=<password>')
2. TOKEN=$(echo $RESULT | sed 's/.*access_token":"\([^"]*\).*/\1/')
3. curl --insecure -H "Authorization: Bearer $TOKEN" https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
4. curl --insecure -H "Authorization: Bearer $TOKEN" https://<opensearch_node>:9200