Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch, OpenSearch Dashboard versions: tried with 2.3.0 and 2.4.1
Describe the issue:
Hi all,
I’ve configured both OpenSearch and OpenSearch Dashboards to use OIDC for authentication with the token passed in the URL.
When I request a page with the JWT passed in the Authorization header, everything works well.
When I pass the same token as a URL query parameter instead, e.g. http://localhost:5601/app/home?jwt={{access_token}}, I am redirected to the login page.
My configuration is below; could you please help me?
Thank you very much!
Configuration:
opensearch_dashboards.yml
server.host: 0.0.0.0
opensearch.hosts: [https://localhost:9200]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: none
opensearch_security.cookie.secure: false
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth", "openid"]
opensearch_security.openid.connect_url: my-oidc-well-known
opensearch_security.openid.client_id: my-client-id
opensearch_security.openid.client_secret: my-client-secret
opensearch_security.openid.scope: my-scope
opensearch_security.openid.base_redirect_url: http://localhost:5601/app/home
opensearch.requestHeadersAllowlist: ["Authorization"]
GET _plugins/_security/api/securityconfig
{
"config" : {
"dynamic" : {
"filtered_alias_mode" : "warn",
"disable_rest_auth" : false,
"disable_intertransport_auth" : false,
"respect_request_indices_options" : false,
"kibana" : {
"multitenancy_enabled" : true,
"server_username" : "kibanaserver",
"index" : ".kibana"
},
"http" : {
"anonymous_auth_enabled" : false,
"xff" : {
"enabled" : false,
"internalProxies" : """10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}""",
"remoteIpHeader" : "X-Forwarded-For"
}
},
"authc" : {
"openid_auth_domain" : {
"http_enabled" : true,
"transport_enabled" : true,
"order" : 1,
"http_authenticator" : {
"challenge" : false,
"type" : "openid",
"config" : {
"subject_key" : "sub",
"roles_key" : "roles",
"jwt_url_parameter" : "jwt",
"openid_connect_url" : "my-oidc-well-known"
}
},
"authentication_backend" : {
"type" : "noop",
"config" : { }
},
"description" : "Authenticate via OIDC"
},
"basic_internal_auth_domain" : {
"http_enabled" : true,
"transport_enabled" : true,
"order" : 0,
"http_authenticator" : {
"challenge" : false,
"type" : "basic",
"config" : { }
},
"authentication_backend" : {
"type" : "intern",
"config" : { }
},
"description" : "Authenticate via HTTP Basic against internal users database"
}
},
"authz" : { },
"auth_failure_listeners" : { },
"do_not_fail_on_forbidden" : false,
"multi_rolespan_enabled" : true,
"hosts_resolver_mode" : "ip-only",
"do_not_fail_on_forbidden_empty" : false
}
}
}
Relevant Logs or Screenshots:
opensearch-dashboards | {"type":"response","@timestamp":"2023-01-18T13:29:59Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/app/home?jwt={{access_token}}","method":"get","headers":{"user-agent":"PostmanRuntime/7.30.0","accept":"*/*","cache-control":"no-cache","host":"localhost:5601","accept-encoding":"gzip, deflate, br","connection":"keep-alive"},"remoteAddress":"172.21.0.1","userAgent":"PostmanRuntime/7.30.0"},"res":{"statusCode":302,"responseTime":269,"contentLength":9},"message":"GET /app/home?jwt={{access_token}} 302 269ms - 9.0B"}