Hello,
I’m getting the following log entries, when i try to authenticate through my Duende IdentityServer 6. The token seems to be created correctly, but the authentication in OpenSearch Dashboards fails. The browser then stuck on the /auth/open/login page with code 302.
Is there a way to get more information on the error? The current message OpenId authentication failed: Error: Authentication Exception is pretty general.
I’m running the latest docker images of OpenSearch and OpenSearch Dashboards. The sites are accessed through a Nginx Reverse Proxy.
Please let me know if you need any additional information.
Log entries:
OpenSearch Dashboards
{
"type":"log",
"@timestamp":"2022-03-19T21:28:58Z",
"tags":[
"error",
"plugins",
"securityDashboards"
],
"pid":1,
"message":"OpenId authentication failed: Error: Authentication Exception"
}
{
"type":"response",
"@timestamp":"2022-03-19T21:28:58Z",
"tags":[
],
"pid":1,
"method":"get",
"statusCode":302,
"req":{
"url":"/auth/openid/login?code=***&scope=openid%20profile&state=***&session_state=***&iss=https%3A%2F%2Fidentity.***",
"method":"get",
"headers":{
"host":"dashboard.***",
"x-forwarded-scheme":"https",
"x-forwarded-proto":"https",
"x-forwarded-for":"***",
"x-real-ip":"***",
"connection":"close",
"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"accept-language":"en-US,en;q=0.5",
"accept-encoding":"gzip, deflate, br",
"upgrade-insecure-requests":"1",
"sec-fetch-dest":"document",
"sec-fetch-mode":"navigate",
"sec-fetch-site":"cross-site",
"sec-fetch-user":"?1"
},
"remoteAddress":"***",
"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
},
"res":{
"statusCode":302,
"responseTime":19,
"contentLength":9
},
"message":"GET /auth/openid/login?code=***&scope=openid%20profile&state=***&session_state=***&iss=https%3A%2F%2Fidentity.*** 302 19ms - 9.0B"
}
{
"type":"response",
"@timestamp":"2022-03-19T21:28:58Z",
"tags":[
],
"pid":1,
"method":"get",
"statusCode":302,
"req":{
"url":"/auth/openid/login",
"method":"get",
"headers":{
"host":"dashboard.***",
"x-forwarded-scheme":"https",
"x-forwarded-proto":"https",
"x-forwarded-for":"***",
"x-real-ip":"***",
"connection":"close",
"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"accept-language":"en-US,en;q=0.5",
"accept-encoding":"gzip, deflate, br",
"upgrade-insecure-requests":"1",
"sec-fetch-dest":"document",
"sec-fetch-mode":"navigate",
"sec-fetch-site":"cross-site",
"sec-fetch-user":"?1"
},
"remoteAddress":"***",
"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"
},
"res":{
"statusCode":302,
"responseTime":1,
"contentLength":9
},
"message":"GET /auth/openid/login 302 1ms - 9.0B"
}
IdentityServer
{
"ClientId":"***",
"ClientName":null,
"RedirectUri":"https://dashboard.***/auth/openid/login",
"Endpoint":"Authorize",
"SubjectId":"***",
"Scopes":"openid profile",
"GrantType":"authorization_code",
"Tokens":[
{
"TokenType":"code",
"TokenValue":"***",
"$type":"Token"
}
],
"Category":"Token",
"Name":"Token Issued Success",
"EventType":"Success",
"Id":2000,
"Message":null,
"ActivityId":"0HMG9QGVMRA15:00000002",
"TimeStamp":"2022-03-19T21:28:58.0000000Z",
"ProcessId":1,
"LocalIpAddress":"***",
"RemoteIpAddress":"***",
"$type":"TokenIssuedSuccessEvent"
}
Configurations
Opensearch securityconfig/config.yml
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: false
config:
subject_key: name
roles_key: role
openid_connect_url: https://identity.***/.well-known/openid-configuration
authentication_backend:
type: noop
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
rolesearch: '(member={0})'
userroleattribute: null
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
usersearch: '(uid={0})'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
OpenSearch Dashboards opensearch_dashboards.yml
server.host: '0'
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://identity.***/.well-known/openid-configuration"
opensearch_security.openid.client_id: "***"
opensearch_security.openid.client_secret: "***"
opensearch_security.openid.scope: "openid profile"
opensearch_security.openid.base_redirect_url: "https://dashboard.***/"
Thanks a lot in advance.