@pablo I added some debug logging in the JS; the request always takes the unauthorized path.
log [15:12:47.791] [debug][metrics] Refreshing metrics
log [15:12:48.726] [debug][plugins][securityDashboards] openId auth requestIncludesAuthInfo: undefined
log [15:12:48.727] [debug][server][OpenSearchDashboards][cookie-session-storage][http] Error: Unauthorized
log [15:12:48.728] [debug][plugins][securityDashboards] Auth header cookie: null
log [15:12:48.728] [debug][plugins][securityDashboards] UnauthedRequest send to auth workflow /
log [15:12:48.728] [debug][plugins][securityDashboards] request.url.pathname is:
log [15:12:48.728] [debug][plugins][securityDashboards] /
log [15:12:48.729] [debug][plugins][securityDashboards] this.isPageRequest is:
log [15:12:48.729] [debug][plugins][securityDashboards] true
respons [15:12:48.722] GET / 302 13ms - 9.0B
ops [15:12:48.736] memory: 83.9MB uptime: 0:00:39 load: [0.10 0.12 0.09] delay: 0.188
log [15:12:48.779] [debug][plugins][securityDashboards] openId auth requestIncludesAuthInfo: undefined
log [15:12:48.779] [debug][server][OpenSearchDashboards][cookie-session-storage][http] Error: Unauthorized
log [15:12:48.779] [debug][plugins][securityDashboards] Auth header cookie: null
log [15:12:48.780] [debug][plugins][securityDashboards] UnauthedRequest send to auth workflow /auth/openid/login
log [15:12:48.780] [debug][plugins][securityDashboards] request.url.pathname is:
log [15:12:48.780] [debug][plugins][securityDashboards] /auth/openid/login
log [15:12:48.780] [debug][plugins][securityDashboards] this.isPageRequest is:
log [15:12:48.780] [debug][plugins][securityDashboards] false
log [15:12:48.780] [debug][plugins][securityDashboards] UnauthedRequest
respons [15:12:48.777] GET /auth/openid/login 401 5ms - 9.0B
log [15:12:48.860] [debug][plugins][securityDashboards] openId auth requestIncludesAuthInfo: undefined
log [15:12:48.861] [debug][server][OpenSearchDashboards][cookie-session-storage][http] Error: Unauthorized
log [15:12:48.861] [debug][plugins][securityDashboards] Auth header cookie: null
log [15:12:48.861] [debug][plugins][securityDashboards] UnauthedRequest send to auth workflow /favicon.ico
log [15:12:48.862] [debug][plugins][securityDashboards] request.url.pathname is:
log [15:12:48.862] [debug][plugins][securityDashboards] /favicon.ico
log [15:12:48.862] [debug][plugins][securityDashboards] this.isPageRequest is:
log [15:12:48.862] [debug][plugins][securityDashboards] false
log [15:12:48.862] [debug][plugins][securityDashboards] UnauthedRequest
respons [15:12:48.859] GET /favicon.ico 401 4ms - 9.0B
It seems the router never reaches the `authorizationEndpoint` redirect: `GET /auth/openid/login` (a route registered with `authRequired: false`) returns 401 right after the `UnauthedRequest` log line, rather than the 302 redirect that the `!request.query.code` branch below would produce, so the request appears to be rejected by the auth interceptor before this route handler runs.
public setupRoutes() {
this.router.get(
{
path: `/auth/openid/login`,
validate: {
query: schema.object(
{
code: schema.maybe(schema.string()),
nextUrl: schema.maybe(
schema.string({
validate: validateNextUrl,
})
),
state: schema.maybe(schema.string()),
refresh: schema.maybe(schema.string()),
},
{
unknowns: 'allow',
}
),
},
options: {
authRequired: false,
},
},
async (context, request, response) => {
// implementation refers to https://github.com/hapijs/bell/blob/master/lib/oauth.js
// Sign-in initialization
if (!request.query.code) {
const nonce = randomString(OpenIdAuthRoutes.NONCE_LENGTH);
const query: any = {
client_id: this.config.openid?.client_id,
response_type: 'code',
redirect_uri: `${getBaseRedirectUrl(
this.config,
this.core,
request
)}/auth/openid/login`,
state: nonce,
scope: this.openIdAuthConfig.scope,
};
const queryString = stringify(query);
const location = `${this.openIdAuthConfig.authorizationEndpoint}?${queryString}`;
const cookie: SecuritySessionCookie = {
oidc: {
state: nonce,
nextUrl: request.query.nextUrl || '/',
},
};
this.sessionStorageFactory.asScoped(request).set(cookie);
return response.redirected({
headers: {
location,
},
});
}
// Authentication callback
// validate state first
let cookie;
try {
cookie = await this.sessionStorageFactory.asScoped(request).get();
if (
!cookie ||
!cookie.oidc?.state ||
cookie.oidc.state !== (request.query as any).state
) {
return this.redirectToLogin(request, response);
}
} catch (error) {
return this.redirectToLogin(request, response);
}
const nextUrl: string = cookie.oidc.nextUrl;
const clientId = this.config.openid?.client_id;
const clientSecret = this.config.openid?.client_secret;
const query: any = {
grant_type: 'authorization_code',
code: request.query.code,
redirect_uri: `${getBaseRedirectUrl(this.config, this.core, request)}/auth/openid/login`,
client_id: clientId,
client_secret: clientSecret,
};
try {
const tokenResponse = await callTokenEndpoint(
this.openIdAuthConfig.tokenEndpoint!,
query,
this.wreckClient
);
const user = await this.securityClient.authenticateWithHeader(
request,
this.openIdAuthConfig.authHeaderName as string,
`Bearer ${tokenResponse.idToken}`
);
// set to cookie
const sessionStorage: SecuritySessionCookie = {
username: user.username,
credentials: {
authHeaderValue: `Bearer ${tokenResponse.idToken}`,
expires_at: Date.now() + tokenResponse.expiresIn! * 1000, // expiresIn is in second
},
authType: 'openid',
expiryTime: Date.now() + this.config.session.ttl,
};
if (this.config.openid?.refresh_tokens && tokenResponse.refreshToken) {
Object.assign(sessionStorage.credentials, {
refresh_token: tokenResponse.refreshToken,
});
}
this.sessionStorageFactory.asScoped(request).set(sessionStorage);
return response.redirected({
headers: {
location: nextUrl,
},
});
} catch (error) {
context.security_plugin.logger.error(`OpenId authentication failed: ${error}`);
if (error.toString().toLowerCase().includes('authentication exception')) {
return response.unauthorized();
} else {
return this.redirectToLogin(request, response);
}
}
}
);