Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.8
Describe the issue: OIDC doesn’t work using the JWT token (token is valid, can be decoded with jwt.io) submitted directly to the OS via
$ curl -k -H "Authorization: Bearer $token" --noproxy "*" https://localhost:9200
Authentication finally failed
If I put OIDC in the first place (order: 0) for backends and generate the correct JWT, it works with curl.
$ token="eyJrM3NTGciOiJSU...b9cGJ...YUPBBb1UkG0LJ_bpqE...y-VJqUgs979T91cQ"
$ curl -k -H "Authorization: Bearer $token" --noproxy "*" https://localhost:9200
{
"name" : "opensearch-cluster-hot-0",
"cluster_name" : "opensearch-cluster",
or via OSD:
{"type":"log","@timestamp":"2023-10-12T08:49:57Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Response Error: 401 Unauthorized"}
{"type":"response","@timestamp":"2023-10-12T08:49:57Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?code=CODE&state=STATE"......
OSD still throws 401 without any message, even with
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = TRACE
Configuration:
OS
authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        openid_connect_idp:
          enable_ssl: true
          verify_hostnames: false
        subject_key: preferred_username
        roles_key: groups
        openid_connect_url: https://auth.domain.com/ID/as/.well-known/openid-configuration
    authentication_backend:
      type: noop
OSD
opensearchDashboards.branding.useExpandedHeader: false
opensearch_security.auth.type: [ "basicauth","openid" ]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: https://auth.domain.com/ID/as/.well-known/openid-configuration
opensearch_security.openid.client_id: client_id
opensearch_security.openid.client_secret: client_secret
opensearch_security.openid.trust_dynamic_headers: true
opensearch_security.openid.scope: "openid profile email address phone groups"
The same OIDC parameters work fine with grafana/argocd/etc. in the same env.
Installed in k8s using a StatefulSet for OS and a Deployment for OSD. OS <> OSD communicate via a Service; OSD <> internet sits behind an nginx ingress.
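Added example (not part of the report above, and not OpenSearch security plugin code): an offline pre-flight check of a bearer token against what the openid domain in the config above needs from it, i.e. a `Bearer` scheme, a verifiable signature, an unexpired `exp`, and the claims named by `subject_key` (`preferred_username`) and `roles_key` (`groups`). Assumptions: the token is HS256-signed with a constructed test secret so the check runs without an IdP (a real IdP token would be RS256 and verified against the JWKS from the `openid_connect_url`, which this stand-in does not fetch), and the helper `make_hs256_token` only exists here to build such a token.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names taken from the openid_auth_domain config in the report (subject_key / roles_key).
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "groups"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT for offline testing (a stand-in for the IdP's RS256 token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def check_bearer_token(authorization: str, secret: bytes, now=None) -> dict:
    """Check an Authorization header value the way the openid domain needs it.

    Returns {"ok": bool, "problems": [...], "subject": str|None, "roles": list}.
    Every problem found is collected, so one run explains all failures.
    """
    now = int(time.time()) if now is None else now
    problems = []
    result = {"ok": False, "problems": problems, "subject": None, "roles": []}

    # The openid authenticator only looks at Bearer tokens; Basic goes to the internal domain.
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        problems.append("Authorization header is not a Bearer token")
        return result

    parts = token.split(".")
    if len(parts) != 3:
        problems.append("token does not have three segments")
        return result
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        problems.append("header or payload is not valid base64url JSON")
        return result

    if header.get("alg") != "HS256":
        problems.append(f"unexpected alg {header.get('alg')!r} for this offline check")
        return result

    # Constant-time comparison of the recomputed signature (assumed shared secret).
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        problems.append("signature does not verify")

    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or has no exp claim")

    # These two claims are what subject_key / roles_key map onto; without them
    # the user has no name and no backend roles even if the signature is fine.
    subject = claims.get(SUBJECT_KEY)
    if not isinstance(subject, str) or not subject:
        problems.append(f"missing subject claim {SUBJECT_KEY!r}")
    roles = claims.get(ROLES_KEY)
    if not isinstance(roles, list):
        problems.append(f"missing or non-list roles claim {ROLES_KEY!r}")
        roles = []

    result["subject"] = subject
    result["roles"] = roles
    result["ok"] = not problems
    return result


if __name__ == "__main__":
    # Constructed sample: a token carrying both required claims, checked with the same secret.
    secret = b"constructed-test-secret"
    token = make_hs256_token(
        {SUBJECT_KEY: "alice", ROLES_KEY: ["admins"], "exp": int(time.time()) + 600}, secret
    )
    print(check_bearer_token("Bearer " + token, secret))
```

To check a real token, paste the `$token` value from the curl command into `_b64url_decode` on its payload segment and confirm `preferred_username` and `groups` are present; if `groups` is absent, the `scope` requested in the OSD config is the first thing to compare against what the IdP actually returns in the access token versus the ID token.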