OpenId configuration with own Duende IdentityServer - Authentication Exception

Hello,

I’m getting the following log entries, when i try to authenticate through my Duende IdentityServer 6. The token seems to be created correctly, but the authentication in OpenSearch Dashboards fails. The browser then stuck on the /auth/open/login page with code 302.

Is there a way to get more information on the error? The current message OpenId authentication failed: Error: Authentication Exception is pretty general.

I’m running the latest docker images of OpenSearch and OpenSearch Dashboards. The sites are accessed through a Nginx Reverse Proxy.

Please let me know if you need any additional information.

Log entries:
OpenSearch Dashboards

{
    "type":"log",
    "@timestamp":"2022-03-19T21:28:58Z",
    "tags":[
       "error",
       "plugins",
       "securityDashboards"
    ],
    "pid":1,
    "message":"OpenId authentication failed: Error: Authentication Exception"
 }
 {
    "type":"response",
    "@timestamp":"2022-03-19T21:28:58Z",
    "tags":[
       
    ],
    "pid":1,
    "method":"get",
    "statusCode":302,
    "req":{
       "url":"/auth/openid/login?code=***&scope=openid%20profile&state=***&session_state=***&iss=https%3A%2F%2Fidentity.***",
       "method":"get",
       "headers":{
          "host":"dashboard.***",
          "x-forwarded-scheme":"https",
          "x-forwarded-proto":"https",
          "x-forwarded-for":"***",
          "x-real-ip":"***",
          "connection":"close",
          "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
          "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
          "accept-language":"en-US,en;q=0.5",
          "accept-encoding":"gzip, deflate, br",
          "upgrade-insecure-requests":"1",
          "sec-fetch-dest":"document",
          "sec-fetch-mode":"navigate",
          "sec-fetch-site":"cross-site",
          "sec-fetch-user":"?1"
       },
       "remoteAddress":"***",
       "userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
    },
    "res":{
       "statusCode":302,
       "responseTime":19,
       "contentLength":9
    },
    "message":"GET /auth/openid/login?code=***&scope=openid%20profile&state=***&session_state=***&iss=https%3A%2F%2Fidentity.*** 302 19ms - 9.0B"
 }
 {
    "type":"response",
    "@timestamp":"2022-03-19T21:28:58Z",
    "tags":[
       
    ],
    "pid":1,
    "method":"get",
    "statusCode":302,
    "req":{
       "url":"/auth/openid/login",
       "method":"get",
       "headers":{
          "host":"dashboard.***",
          "x-forwarded-scheme":"https",
          "x-forwarded-proto":"https",
          "x-forwarded-for":"***",
          "x-real-ip":"***",
          "connection":"close",
          "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
          "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
          "accept-language":"en-US,en;q=0.5",
          "accept-encoding":"gzip, deflate, br",
          "upgrade-insecure-requests":"1",
          "sec-fetch-dest":"document",
          "sec-fetch-mode":"navigate",
          "sec-fetch-site":"cross-site",
          "sec-fetch-user":"?1"
       },
       "remoteAddress":"***",
       "userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
    },
    "res":{
       "statusCode":302,
       "responseTime":1,
       "contentLength":9
    },
    "message":"GET /auth/openid/login 302 1ms - 9.0B"
 }

IdentityServer

 {
    "ClientId":"***",
    "ClientName":null,
    "RedirectUri":"https://dashboard.***/auth/openid/login",
    "Endpoint":"Authorize",
    "SubjectId":"***",
    "Scopes":"openid profile",
    "GrantType":"authorization_code",
    "Tokens":[
       {
          "TokenType":"code",
          "TokenValue":"***",
          "$type":"Token"
       }
    ],
    "Category":"Token",
    "Name":"Token Issued Success",
    "EventType":"Success",
    "Id":2000,
    "Message":null,
    "ActivityId":"0HMG9QGVMRA15:00000002",
    "TimeStamp":"2022-03-19T21:28:58.0000000Z",
    "ProcessId":1,
    "LocalIpAddress":"***",
    "RemoteIpAddress":"***",
    "$type":"TokenIssuedSuccessEvent"
 }

Configurations
Opensearch securityconfig/config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: name
            roles_key: role
            openid_connect_url: https://identity.***/.well-known/openid-configuration
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap

OpenSearch Dashboards opensearch_dashboards.yml

server.host: '0'
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false

opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://identity.***/.well-known/openid-configuration"
opensearch_security.openid.client_id: "***"
opensearch_security.openid.client_secret: "***"
opensearch_security.openid.scope: "openid profile"
opensearch_security.openid.base_redirect_url: "https://dashboard.***/"

Thanks a lot in advance.

@thoenissen Can you try the below.

  1. Change the order in config.yml. Set basicauth as 0 and openid as 1
  2. Change challenge in both to false.

Do you use self-signed TLS certificates in your IDP?

I changed the configuration and successfully imported it with securityadmin.sh and restarted all services, but it didn’t change anything.

The IDP is accessed through the Reverse Proxy which is using Let’s Encrypt certificates. Internal I am currently using HTTP. I didn’t configure the signing of the tokens and it is running with the default configuration.

Is there a way to get more information on the error? The current message OpenId authentication failed: Error: Authentication Exception is pretty general.

Seconding this. How does one increase the verbosity of OpenSearch Dashboards? I’ve been attempting to get OpenID working with Keycloak as an IdP, and despite the recommendations in this post and several others I’m getting redirect loops. Hoping to get more info from more verbose logs.