I am trying to get auth set up with Okta OpenID. I am able to authenticate, but roles/groups aren’t coming across. Trying to enable logging by adding the example logger to log4j2.properties does nothing.
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace
I am using the default docker-compose.yaml with 1.3.0 or 1.3.1. The only message that I have been able to get is
Mar 28 14:44:55 opensearch: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Mar 28 14:45:07 opensearch: WARNING: An illegal reflective access operation has occurred
Mar 28 14:45:07 opensearch: WARNING: Illegal reflective access by org.opensearch.security.support.Base64Helper$DescriptorNameSetter (file:/usr/share/opensearch/opensearch-1.3.0/plugins/opensearch-security/opensearch-security-22.214.171.124.jar) to field java.io.ObjectStreamClass.name
Mar 28 14:45:07 opensearch: WARNING: Please consider reporting this to the maintainers of org.opensearch.security.support.Base64Helper$DescriptorNameSetter
Mar 28 14:45:07 opensearch: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Mar 28 14:45:07 opensearch: WARNING: All illegal access operations will be denied in a future release
Any suggestions on getting the docker-compose.yml to log openid events?
@ericallen Could you share your config.yml file?
I changed out the subdomain.okta.com in the openid_connect_url. But it is correct in the file.
@ericallen OKTA is using externally trusted certificates, so you don’t need to configure the pemtrustedcas_filepath option. It’s required when the IDP is using self-signed certificates.
You can drop the openid_connect_idp section then too.
In regards to roles_key, have you configured the claim roles in Authorization Servers? You need that to pass the roles.
I have set up the roles claim in Okta. But they aren’t mapping to backend roles in OpenSearch. So I have been trying to get logging enabled to see what the response is, to make sure I am not misspelling something in the backend role or to make sure that the roles are truly coming over from Okta correctly. Mostly just flying blind trying to map the roles together.
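Added example, not part of this thread and not OpenSearch project code: a small Python script that does offline what the poster wants the trace logging for. It decodes the payload of an ID token (the kind Okta shows in its token preview), reads the claim named by the plugin's roles_key setting, and compares the values against the backend_roles entries of a roles_mapping.yml. The token, the roles_key value "roles", the issuer URL and the roles mapping are constructed here; the signature is deliberately not verified, because the goal is only to see which claims the IdP sends and whether they match, never to make an authorization decision. Exact, case-sensitive string comparison is assumed to mirror the plugin's matching.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned-for-real JWT so the example runs offline."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),  # placeholder, never verified
    ])


def token_claims(token: str) -> dict:
    """Return the payload claims. Signature is NOT checked: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def roles_from_token(claims: dict, roles_key: str) -> list:
    """Roles carried in the claim named by roles_key.

    The claim may be a list or a single string. A missing claim yields an empty
    list, which is exactly the 'no backend roles' symptom seen in Dashboards.
    """
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def unmapped_roles(token_roles: list, roles_mapping: dict) -> list:
    """Token roles that no roles_mapping entry lists under backend_roles.

    Exact, case-sensitive comparison (assumed to match the plugin's behaviour),
    so a capitalisation difference shows up here as an unmapped role.
    """
    known = set()
    for entry in roles_mapping.values():
        known.update(entry.get("backend_roles", []))
    return [r for r in token_roles if r not in known]


def diagnose(token: str, roles_key: str, roles_mapping: dict) -> dict:
    """One-shot check: is the claim there, what does it carry, what won't map?"""
    claims = token_claims(token)
    roles = roles_from_token(claims, roles_key)
    return {
        "claim_present": roles_key in claims,
        "token_roles": roles,
        "unmapped": unmapped_roles(roles, roles_mapping),
    }


# Constructed stand-in for roles_mapping.yml (only the backend_roles part matters).
SAMPLE_ROLES_MAPPING = {
    "all_access": {"backend_roles": ["opensearch-admins"]},
    "readall": {"backend_roles": ["opensearch-readers"]},
}

# Constructed ID token: note the second role differs from the mapping only by case.
SAMPLE_TOKEN = make_sample_token({
    "sub": "user@example.com",
    "iss": "https://subdomain.okta.com/oauth2/default",  # placeholder issuer
    "roles": ["opensearch-admins", "Opensearch-Readers"],
})


if __name__ == "__main__":
    # Paste a real ID token from the Okta token preview in place of SAMPLE_TOKEN
    # and the roles_key from config.yml in place of "roles".
    print(json.dumps(diagnose(SAMPLE_TOKEN, "roles", SAMPLE_ROLES_MAPPING), indent=2))
    print(json.dumps(diagnose(SAMPLE_TOKEN, "groups", SAMPLE_ROLES_MAPPING), indent=2))
```

Running it with a roles_key that Okta does not populate reports claim_present false and an empty role list, which is the case to suspect when the Authorization Server claim is configured but not released to the token; a non-empty unmapped list points instead at a spelling or case mismatch in roles_mapping.yml.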
I will try it without the
@ericallen Can you send a screenshot of your
@ericallen Mine is configured in API → Authorization Server → default → Claims
@ericallen This is my OpenID Connect ID Token
No change in the roles. Still can’t get anything to map and match a role mapping. Is there anything else that needs to be done to allow the claim to be released?
@ericallen What do you see in the user’s roles in OpenSearch Dashboards?