Okta openid troubleshooting roles and not logging

I am trying to get auth with Okta OpenID set up. I am able to authenticate, but roles/groups aren’t coming across. Adding the example logger to log4j2.properties to enable logging does nothing.

logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace

I am using the default docker-compose.yaml with 1.3.0 or 1.3.1. The only message that I have been able to get is

Mar 28 14:44:55 opensearch[24768]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Mar 28 14:45:07  opensearch[24768]: WARNING: An illegal reflective access operation has occurred
Mar 28 14:45:07 opensearch[24768]: WARNING: Illegal reflective access by org.opensearch.security.support.Base64Helper$DescriptorNameSetter (file:/usr/share/opensearch/opensearch-1.3.0/plugins/opensearch-security/opensearch-security-1.3.0.0.jar) to field java.io.ObjectStreamClass.name
Mar 28 14:45:07 opensearch[24768]: WARNING: Please consider reporting this to the maintainers of org.opensearch.security.support.Base64Helper$DescriptorNameSetter
Mar 28 14:45:07 opensearch[24768]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Mar 28 14:45:07 opensearch[24768]: WARNING: All illegal access operations will be denied in a future release

Any suggestions on getting the docker-compose.yml to log openid events?

@ericallen Could you share your config.yml file?

yup.

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /etc/opensearch/ssl/digicert_global_root_ca.pem
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://subdomain.okta.com/.well-known/openid-configuration
        authentication_backend:
          type: noop

I changed out the subdomain.okta.com in the openid_connect_url. But it is correct in the file.

@ericallen Okta is using externally trusted certificates, so you don’t need to configure the pemtrustedcas_filepath option. It’s required when the IdP is using self-signed certificates.
You can drop the openid_connect_idp section then too.

In regards to roles_key, have you configured claim roles in Authorization Servers? You need that to pass the roles.

I have set up the roles claim in Okta, but they aren’t mapping to backend roles in OpenSearch. So I have been trying to get logging enabled to see what the response is, to make sure I am not misspelling something in the backend role or to make sure that the roles are truly coming over from Okta correctly. Mostly just flying blind trying to map the roles together.

I will try it without the openid_connect_idp section.
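A diagnostic added here, not from the thread or from the security plugin: it decodes the payload of an ID token you already hold, pulls the claim named by roles_key, and compares those values with the backend_roles entries of roles_mapping.yml, flagging case-only mismatches as likely typos. The token, claims and mapping below are constructed, and the comma-splitting of a single string claim is my assumption about the plugin's behaviour.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; add it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Read-only look at the payload of a token you already hold; no signature check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_roles(claims: dict, roles_key: str) -> list:
    # Roles the plugin would read under roles_key. Assumption: a single string
    # value is split on commas (my reading of the plugin's JWT handling).
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return [str(r) for r in value]

def check_mapping(roles: list, roles_mapping: dict) -> dict:
    # Compare token roles with backend_roles from roles_mapping.yml. Exact
    # matches grant the role; case-only differences are flagged as likely typos.
    matched, near_miss = {}, {}
    for os_role, backend_roles in roles_mapping.items():
        for b in backend_roles:
            if b in roles:
                matched.setdefault(os_role, []).append(b)
                continue
            for r in roles:
                if r.lower() == b.lower():
                    near_miss[r] = b
    granted = {b for bs in matched.values() for b in bs}
    return {"matched": matched, "near_miss": near_miss,
            "unmatched": [r for r in roles if r not in granted]}

def make_test_token(payload: dict) -> str:
    # Unsigned, constructed token so the checks above can run offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(payload) + "."

SAMPLE_TOKEN = make_test_token({  # constructed claims, not a real Okta token
    "preferred_username": "user@example.com", "roles": ["Opensearch-Admins", "analysts"]})
SAMPLE_MAPPING = {"all_access": ["opensearch-admins"], "readall": ["analysts"]}  # constructed

if __name__ == "__main__":
    roles = token_roles(jwt_claims(SAMPLE_TOKEN), "roles")
    print(json.dumps(check_mapping(roles, SAMPLE_MAPPING), indent=2))
```

Run it against a real ID token copied from the Okta token preview to see exactly which values the plugin receives under roles_key and which roles_mapping entries they would satisfy.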

@ericallen Can you send a screenshot of your roles claim?

@ericallen Mine is configured in API → Authorization Server → default → Claims


@ericallen This is my OpenID Connect ID Token

No change in the roles. Still can’t get anything to map and match a role mapping. Is there anything else that needs to be done to allow the claim to be released?

@ericallen What do you see in the user’s roles in OpenSearch Dashboards?
