OpenID connect issue with Azure AD

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OpenSearch 2.5.0, Dashboard 2.5.0

Describe the issue:
When using OpenID Connect to authenticate users against Azure AD, login is successful, but users don't get their email as their username; instead they get the sub ID from Azure, and roles aren't used.
The JWT token that should be returned is nowhere to be found when looking at the cookies and header parameters passed during login, but when we log out the JWT token is returned as it should be, with all the info.

We have a one-node setup, and I've put the config files as well as screenshots below, where you can see that the JWT token doesn't show at login, but on logout I get it normally.

If anyone can help, it would be great.
Thanks in advance.

Configuration:
OpenSearch config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: false
              verify_hostnames: false
              subject_key: preferred_username
              roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/${OPENSEARCH_TENANT_ID}/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch.yml file:

network.host: 0.0.0.0

plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.allow_unsafe_democertificates: true
plugins.security.cache.ttl_minutes: 0
plugins.security.authcz.admin_dn:
  - CN=ADMIN,OU=EXAMPLE,O=AUR,L=PARIS,ST=FRANCE,C=FR
  - "CN=${OPENSEARCH_DNS1},OU=AURA,O=AUR,L=PARIS,ST=FRANCE,C=FR"
plugins.security.nodes_dn:
  - 'CN=ADMIN-OS,OU=EXAMPLE,O=AUR,L=PARIS,ST=FRANCE,C=FR'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

Relevant Logs or Screenshots:

Screenshot: login auth parameters without a JWT, containing only an auth code.

@dandruf19 Have you found a solution to your issue? Your config has an incorrect indent.
subject_key and roles_key are at the same level as openid_connect_url.

Try this instead.

      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/${OPENSEARCH_TENANT_ID}/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

Please find the example here.
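To make the effect of the indentation fix concrete, here is an added Python example (not code from the thread or from the OpenSearch project). It models both configs as the nested dictionaries a YAML loader would produce, lints for subject_key/roles_key nested under the wrong parent, decodes the payload of a constructed sample ID token (inspection only, no signature check), and applies the plugin's mapping rule: the claim named by subject_key (default sub) becomes the username, and the claim named by roles_key supplies backend roles. The tenant ID, the token contents and the role name are constructed placeholders. With the misindented config the user lands as the sub value with no roles, which is exactly the symptom reported above; with the corrected config the user becomes preferred_username and gets the roles claim. Note that roles_key only helps if the IdP actually emits that claim in the token.

```python
import base64
import json

# Constructed placeholder; the real value comes from ${OPENSEARCH_TENANT_ID}.
OIDC_URL = ("https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER"
            "/v2.0/.well-known/openid-configuration")


def make_config(authenticator_config):
    """Wrap an http_authenticator.config subtree in the surrounding config.yml structure."""
    return {"config": {"dynamic": {"authc": {"openid_auth_domain": {
        "http_enabled": True, "transport_enabled": True, "order": 0,
        "http_authenticator": {"type": "openid", "challenge": False,
                               "config": authenticator_config},
        "authentication_backend": {"type": "noop"},
    }}}}}


# The poster's layout: subject_key/roles_key nested under openid_connect_idp.
MISINDENTED = make_config({
    "openid_connect_idp": {"enable_ssl": False, "verify_hostnames": False,
                           "subject_key": "preferred_username",
                           "roles_key": "roles"},
    "openid_connect_url": OIDC_URL,
})

# The corrected layout from the reply: both keys directly under config.
CORRECTED = make_config({
    "subject_key": "preferred_username",
    "roles_key": "roles",
    "openid_connect_url": OIDC_URL,
})


def openid_authenticator_configs(config):
    """Yield (domain name, http_authenticator.config) for every openid auth domain."""
    authc = config.get("config", {}).get("dynamic", {}).get("authc", {})
    for name, domain in authc.items():
        authenticator = domain.get("http_authenticator", {})
        if authenticator.get("type") == "openid":
            yield name, authenticator.get("config", {})


def lint_claim_keys(config):
    """Report subject_key/roles_key that sit under a sub-block instead of under config."""
    findings = []
    for name, cfg in openid_authenticator_configs(config):
        for parent, sub in cfg.items():
            if not isinstance(sub, dict):
                continue
            for key in ("subject_key", "roles_key"):
                if key in sub and key not in cfg:
                    findings.append(f"{name}: '{key}' is nested under '{parent}' "
                                    "but belongs directly under http_authenticator.config")
    return findings


def _b64url(data):
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample claims resembling an Azure AD v2.0 ID token payload.
SAMPLE_CLAIMS = {
    "sub": "constructed-sub-id-0001",
    "preferred_username": "alice@example.com",
    "roles": ["opensearch_admins"],
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",  # not a real signature; never accept such a token
])


def decode_jwt_claims(token):
    """Decode a compact JWT payload for inspection only. The security plugin itself
    verifies the signature against the IdP's JWKS discovered via openid_connect_url."""
    _header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_identity(config, claims):
    """Apply the claim mapping: subject_key (default 'sub') -> username, roles_key -> roles."""
    _name, cfg = next(iter(openid_authenticator_configs(config)))
    username = claims.get(cfg.get("subject_key", "sub"))
    roles_key = cfg.get("roles_key")
    roles = claims.get(roles_key, []) if roles_key else []
    return username, [roles] if isinstance(roles, str) else list(roles)


if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for label, cfg in (("misindented", MISINDENTED), ("corrected", CORRECTED)):
        print(label, lint_claim_keys(cfg), resolve_identity(cfg, claims))
```

Run against a real config, load config.yml with a YAML parser into the same dictionary shape and pass it to lint_claim_keys; an empty list means the two keys are where the plugin reads them.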