I am trying to get auth with Okta OpenID set up. I am able to authenticate, but roles/groups aren’t coming across. Trying to enable logging by adding the example logger to log4j2.properties does nothing.
I am using the default docker-compose.yaml with 1.3.0 or 1.3.1. The only message that I have been able to get is:
Mar 28 14:44:55 opensearch[24768]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Mar 28 14:45:07 opensearch[24768]: WARNING: An illegal reflective access operation has occurred
Mar 28 14:45:07 opensearch[24768]: WARNING: Illegal reflective access by org.opensearch.security.support.Base64Helper$DescriptorNameSetter (file:/usr/share/opensearch/opensearch-1.3.0/plugins/opensearch-security/opensearch-security-1.3.0.0.jar) to field java.io.ObjectStreamClass.name
Mar 28 14:45:07 opensearch[24768]: WARNING: Please consider reporting this to the maintainers of org.opensearch.security.support.Base64Helper$DescriptorNameSetter
Mar 28 14:45:07 opensearch[24768]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Mar 28 14:45:07 opensearch[24768]: WARNING: All illegal access operations will be denied in a future release
@ericallen Okta is using externally trusted certificates, so you don’t need to configure the pemtrustedcas_filepath option. It’s required when the IdP is using self-signed certificates.
You can drop the openid_connect_idp section then too.
In regards to roles_key, have you configured claim roles in Authorization Servers? You need that to pass the roles.
I have set up the roles claim in Okta, but they aren’t mapping to backend roles in OpenSearch. So I have been trying to get logging enabled to see what the response is, to make sure I am not misspelling something in the backend role, or to make sure that the roles are truly coming over from Okta correctly. Mostly I am just flying blind trying to map the roles together.
I will try it without the openid_connect_idp section.
No change in the roles. Still can’t get anything to map and match a role mapping. Is there anything else that needs to be done to allow the claim to be released?
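Added example (not from this thread or the OpenSearch project): when the plugin's debug logging is not showing the token, the quickest way to stop flying blind is to decode the ID token Okta returns and compare the claim that `roles_key` points at with the backend role names in `roles_mapping.yml`. The script below decodes a JWT payload without verifying the signature (inspection only; the plugin does the verification), reports which claim actually carries the group list, and checks each expected backend role with an exact, case-sensitive string comparison (assumed to be how the plugin matches backend roles). The token, claim values and backend role names are constructed for the example; a real token pasted in from the browser or an Okta token-preview tool is inspected the same way.

```python
import base64
import json
from typing import Any, Dict, List, Optional, Sequence


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the claims (payload) of a JWT. The signature is NOT verified:
    this is for looking at what the IdP sent, never for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def find_roles_claim(claims: Dict[str, Any],
                     candidates: Sequence[str] = ("roles", "groups")) -> Optional[str]:
    """Return the first candidate claim name that holds a non-empty list.
    The value of roles_key in config.yml must match this name exactly."""
    for name in candidates:
        value = claims.get(name)
        if isinstance(value, list) and value:
            return name
    return None


def check_backend_role_mapping(claims: Dict[str, Any], roles_key: str,
                               expected_backend_roles: Sequence[str]) -> Dict[str, List[str]]:
    """Compare the claim named by roles_key with the backend roles listed in a
    roles_mapping.yml entry. Matching is exact and case-sensitive (assumption),
    so a hyphen/underscore or case mismatch shows up as 'missing'."""
    values = claims.get(roles_key)
    if isinstance(values, str):      # a single-valued claim still counts as one role
        values = [values]
    elif not isinstance(values, list):
        values = []                  # claim absent or not a list: nothing can match
    matched = [r for r in expected_backend_roles if r in values]
    missing = [r for r in expected_backend_roles if r not in values]
    return {"matched": matched, "missing": missing}


# Constructed sample claims, shaped like an Okta ID token with a "groups" claim.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "00u-constructed-subject",
    "preferred_username": "alice@example.com",
    "iss": "https://example.okta.com/oauth2/default",
    "groups": ["opensearch-admins", "Everyone"],
}


def build_sample_token(claims: Dict[str, Any]) -> str:
    """Assemble an unsigned, constructed JWT so the decoder can be exercised offline."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_claims(token)
    print("claims:", json.dumps(claims, indent=2))
    print("roles claim:", find_roles_claim(claims))
    # roles_key: groups, with one correct and one misspelled backend role.
    print(check_backend_role_mapping(claims, "groups",
                                     ["opensearch-admins", "opensearch_admins"]))
```

If `find_roles_claim` returns `None`, the claim is not being released by the Okta authorization server for that client/scope and no amount of `roles_mapping.yml` editing will help; if it returns a name different from `roles_key`, fix `roles_key`; if roles come back under `missing`, the backend role string in the mapping does not match the group name byte for byte.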