OIDC doesn't work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.8

Describe the issue: OIDC doesn’t work using the JWT token (token is valid, can be decoded with jwt.io) submitted directly to the OS via

$ curl -k -H "Authorization: Bearer $token"  --noproxy "*" https://localhost:9200
Authentication finally failed

If I put OIDC in first place (order: 0) for the backends and generate the correct JWT, it works with curl.

$ token="eyJrM3NTGciOiJSU...b9cGJ...YUPBBb1UkG0LJ_bpqE...y-VJqUgs979T91cQ"
$ curl -k -H "Authorization: Bearer $token"  --noproxy "*" https://localhost:9200
{
  "name" : "opensearch-cluster-hot-0",
  "cluster_name" : "opensearch-cluster",

or OSD

{"type":"log","@timestamp":"2023-10-12T08:49:57Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Response Error: 401 Unauthorized"}
{"type":"response","@timestamp":"2023-10-12T08:49:57Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?code=CODE&state=STATE"......

OSD still throws a 401 without any message, even with

logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = TRACE

Configuration:
OS

    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
            subject_key: preferred_username
            roles_key: groups
            openid_connect_url: https://auth.domain.com/ID/as/.well-known/openid-configuration
        authentication_backend:
          type: noop

OSD

    opensearchDashboards.branding.useExpandedHeader: false
    opensearch_security.auth.type: [ "basicauth","openid" ]
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.openid.connect_url: https://auth.domain.com/ID/as/.well-known/openid-configuration
    opensearch_security.openid.client_id: client_id
    opensearch_security.openid.client_secret: client_secret
    opensearch_security.openid.trust_dynamic_headers: true
    opensearch_security.openid.scope: "openid profile email address phone groups"

The same OIDC parameters work fine with grafana/argocd/etc. in the same env.

Installed in k8s using an sts for OS and a deployment for OSD. OS <> OSD communicate using a service; OSD <> internet is behind an nginx ingress.

Resolved with:

  • enable POST as the token auth method
  • set oidc as order 0 for authc
  • add authz:
    authz:
      test:
        description: "Authorize"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: noop
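A quick check that is worth running before reordering backends is whether the token actually carries the claims the openid authenticator is configured to read. The script below is an added example (not the poster's code and not part of OpenSearch): it decodes a JWT without verifying the signature and reports a missing `preferred_username` (the post's subject_key), a missing `groups` (the post's roles_key) or an expired `exp`; the sample token it builds is constructed for the demo and would never pass real signature validation.

```python
"""Check whether a JWT carries the claims the post's OpenSearch openid
authenticator reads (subject_key, roles_key) and has not expired.
Added example, not part of the original post or of OpenSearch; the
signature is NOT verified here (OpenSearch checks it against the IdP
JWKS), so this only explains claim or expiry mismatches."""
import base64
import json

SUBJECT_KEY = "preferred_username"  # subject_key from the post's config.yml
ROLES_KEY = "groups"                # roles_key from the post's config.yml


def b64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url(parts[1]))


def check_claims(token: str, now: int) -> list:
    """Return the reasons this token would not authenticate with the post's
    config; an empty list means subject, roles and expiry look fine."""
    payload = decode_jwt_unverified(token)
    problems = []
    if SUBJECT_KEY not in payload:
        problems.append("missing subject claim '%s'" % SUBJECT_KEY)
    if ROLES_KEY not in payload:
        problems.append("missing roles claim '%s'" % ROLES_KEY)
    exp = payload.get("exp")
    if exp is None:
        problems.append("missing 'exp' claim")
    elif exp <= now:
        problems.append("token expired at %d" % exp)
    return problems


def make_sample_token(payload: dict) -> str:
    """Constructed sample token for the demo: the signature segment is a
    placeholder, so a real verifier would reject it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "placeholder-sig"])
```

Run `check_claims(token, int(time.time()))` against a real token from the IdP; an empty list means the "Authentication finally failed" response is not explained by claim names or expiry and the backend order or IdP settings are the next thing to look at.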