OpenID not working with OpenSearch >= 2.7.0 when passing roles from Keycloak

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

working in 2.6, but not working with 2.7, 2.8 or 2.9
I am using the official Docker images with the official Helm Charts.

Edit: Keycloak version: 21.1.1

Describe the issue:

After upgrading from 2.6 and also with a fresh install of 2.7, 2.8 and 2.9, I cannot login with SSO anymore. After clicking on “Log In with single sign-on” it forwards to Keycloak, forwards back to OS Dashboards (https://opensearch-dashboards.foo/auth/openid/login?state=...&session_state=...) and then shows a 502 server error. I could not find any issue in the opensearch-dashboards or opensearch logs.

It works fine with the exact same configuration for OpenSearch 2.6. As soon as I remove the “User Realm Role” from the dedicated scope for the openid client in Keycloak (token claim name “member_of”), the SSO login works with >= 2.7 (but I’m then missing the realm roles, of course).

Configuration:

Here are the relevant configs:

config:
  dynamic:
    authc:
      openid_auth_domain:
        description: "Authenticate via Keycloak SSO"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "member_of"
            openid_connect_url: "https://foo.bar/auth/realms/myrealm/.well-known/openid-configuration"
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: "/usr/share/opensearch/config/foo/bar-ca.pem"

  config:
    opensearch_dashboards.yml: |
      server:
        name: dashboards
        host: "{{ .Values.serverHost }}"
        ssl:
          enabled: false
      opensearch:
        requestHeadersWhitelist: ["Authorization", "securitytenant"]
        ssl:
          verificationMode: full
          certificateAuthorities: ["/usr/share/opensearch-dashboards/config/cert/ca.crt"]
      opensearch_security:
        auth:
          type: ["openid", "basicauth"]
          multiple_auth_enabled: true
        openid:
          connect_url: "https://foo.bar/auth/realms/myrealm/.well-known/openid-configuration"
          client_id: "{{ .Values.global.keycloak.clientId }}"
          client_secret: "{{ .Values.global.keycloak.clientSecret }}"
          scope: "openid profile email roles"
          base_redirect_url: "https://{{ .Values.global.opensearchDashboardsUrl }}"
          root_ca: "/usr/share/opensearch-dashboards/config/foo/bar-ca.pem"
          verify_hostnames: false

Relevant Logs or Screenshots:

Unfortunately, I cannot show a screenshot of Keycloak. As soon as I go to Keycloak > Clients > Client scopes > [client-name]-dedicated and turn off “Add to access token” of the “User Realm Role” with the Token Claim Name “member_of”, it works again (but as mentioned earlier, I need the realm roles).

@cinimins What’s the Keycloak version?

The Keycloak version is 21.1.1

@cinimins Haven’t tried 21.1.1 but OS 2.8 and 2.9 worked for me with 18 and 20.
I’ll test 21.


I found the issue! It’s a problem with the buffer of the ingress controller in the kubernetes cluster. Apparently with OpenSearch >= 2.7 the size of the header must have increased and exceeded the default buffer size of the ingress controller.

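As an added diagnostic (not code from the thread or from OpenSearch), the following Python script builds a constructed, unsigned token shaped like a Keycloak ID token with the "member_of" realm-roles claim, estimates the size of the header line that would carry it, shows which claim dominates the payload, and finds the number of roles at which the header first crosses a proxy buffer limit. The 4096-byte limit, the role names and the other claim values are assumptions chosen for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) for size estimation only.
    The signature is a dummy of the length an RS256/2048-bit signature would have."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64url(b"\x00" * 256)  # constructed placeholder, not a real signature
    return f"{header}.{payload}.{signature}"


def sample_claims(n_roles: int) -> dict:
    """Constructed claims mimicking the Keycloak token from the thread, with n realm roles."""
    return {
        "iss": "https://foo.bar/auth/realms/myrealm",  # realm URL from the post's config
        "sub": "11111111-2222-3333-4444-555555555555",  # constructed subject id
        "preferred_username": "alice",  # matches subject_key in the post's config
        "member_of": [f"realm-role-{i:03d}" for i in range(n_roles)],  # roles_key claim
    }


def auth_header_size(token: str) -> int:
    """Bytes on the wire for an 'Authorization: Bearer <token>' header line."""
    return len(f"Authorization: Bearer {token}\r\n".encode())


def exceeds_buffer(token: str, buffer_bytes: int) -> bool:
    """True when the token-bearing header line alone is larger than the proxy buffer."""
    return auth_header_size(token) > buffer_bytes


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it (diagnostic use only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def claim_sizes(token: str) -> dict:
    """Bytes each claim contributes to the compact JSON payload, largest first."""
    sizes = {k: len(json.dumps({k: v}, separators=(",", ":")).encode())
             for k, v in decode_payload(token).items()}
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


def smallest_role_count_over(buffer_bytes: int) -> int:
    """Number of realm roles at which the header first exceeds buffer_bytes."""
    n = 0
    while not exceeds_buffer(make_unsigned_jwt(sample_claims(n)), buffer_bytes):
        n += 1
    return n
```

On ingress-nginx the corresponding setting is proxy-buffer-size (the nginx.ingress.kubernetes.io/proxy-buffer-size annotation or the ConfigMap key of the same name); other ingress controllers expose the equivalent under their own names.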

@cinimins Thanks for sharing the solution.