Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): v3.5
Describe the issue:
What is the impact of http_enabled and transport_enabled flag in jwt_auth_domain configuration?
How can I use the Authorization header when accessing dashboards through a browser? I am able to access it using the Authorization header via curl, but when using a browser, I currently have to pass the token as a query parameter. I would like to use the Authorization header instead of the token parameter when accessing dashboards through the browser.
```
response=$(curl -k https://dashboards.$NAMESPACE.svc.cluster.local:5601$dashbooard_request -H "osd-xsrf: true" -H "Content-type: application/json" -d '{"attributes": {"title" : "log-test"}}' -H "Authorization: Bearer $token" --write-out "%{http_code}" -o $tempfile)
```
pablo
February 23, 2026, 9:16am
2
shubtiwa:
How can I use the Authorization header when accessing dashboards through a browser? I am able to access it using the Authorization header via curl, but when using a browser, I currently have to pass the token as a query parameter. I would like to use the Authorization header instead of the token parameter when accessing dashboards through the browser.
You could use a JWT token inside the URL
https://docker1.pablo.local:5601/goto/0c74539251a21ceb4a9cba38a79ef377?mytoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjJ9.zeEgRjPg8oRJrfA5iLinbBW-I8-akmfkg3NZAxHIMs8&security_tenant=global
Alternatively, you could use a browser plugin called Mod Header.
1 Like
pablo
February 23, 2026, 9:22am
3
@shubtiwa Regarding the http_enabled and transport_enabled.
`http_enabled` enables the authentication domain on the HTTP endpoint (9200).
`transport_enabled` is no longer in use, as Transport Client Authentication/Authorization has been deprecated in 2.x.
opened 01:21PM - 16 Aug 23 UTC
closed 04:34PM - 03 Feb 26 UTC
bug
good first issue
triaged
Since OpenSearch 2.0, support for the transport client has been removed. The transport client was removed from the security plugin in this PR: https://github.com/opensearch-project/security/pull/1701
My understanding of `transport_enabled` is that it is used to enable an auth domain for authentication on the transport layer. There is a separate setting called `http_enabled` to enable the auth domain on the REST layer. This setting also appears to be applicable to authorizers in the `authz` section.
Below is an example of a basic auth entry in the `authc:` section of the security plugin's `config.yml` file from the demo configuration:
```
basic_internal_auth_domain:
  description: "Authenticate via HTTP Basic against internal users database"
  http_enabled: true
  transport_enabled: true
  order: 4
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: intern
```
The `transport_enabled` setting may not be needed here after the TransportClient's removal.
First: Determine if it is safe to remove values from settings.
Second: If safe to remove, remove. If not, update documentation.
Thanks @pablo. So can I remove the `transport_enabled` flag from the jwt_auth_configuration since I am using OpenSearch version 3.5?
pablo
February 23, 2026, 5:58pm
5
@shubtiwa I've tested JWT without transport_enabled in config.yml and it runs with no issues.
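
An added example, not posted by anyone in this thread and not the project's demo file: a `jwt_auth_domain` entry for the `authc:` section of `config.yml` with `transport_enabled` omitted, reading the token from the `Authorization` header or from the `mytoken` URL parameter used in the link above. The signing key is a placeholder, and the `order`, `subject_key` and `roles_key` values are assumptions chosen to match the `sub` and `roles` claims of the sample token in the thread.

```yaml
jwt_auth_domain:
  description: "Authenticate via JSON Web Token"
  # Enables this auth domain on the REST layer. No transport_enabled key:
  # per the thread it is no longer in use since the transport client was removed.
  http_enabled: true
  order: 0                      # assumed: evaluated before other auth domains
  http_authenticator:
    type: jwt
    challenge: false            # do not answer with a Basic auth challenge
    config:
      # Placeholder, not a real key: base64-encoded shared secret (the sample
      # token uses HS256) or a PEM public key for RSA/ECDSA-signed tokens.
      signing_key: "<BASE64_ENCODED_SIGNING_KEY_PLACEHOLDER>"
      # Header checked first; this is what the curl request in the thread sends.
      jwt_header: "Authorization"
      # Fallback for browser links, matching ?mytoken=... in the URL above.
      # Tokens passed this way are recorded in browser history and in proxy or
      # access logs, so set this to null if only the header should be accepted.
      jwt_url_parameter: "mytoken"
      subject_key: "sub"        # claim holding the user name
      roles_key: "roles"        # claim holding the backend roles
      jwt_clock_skew_tolerance_seconds: 20
  authentication_backend:
    type: noop                  # the token is self-contained, no user lookup
```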