OpenID not working with OpenSearch >= 2.7.0 when passing roles from Keycloak

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

working in 2.6, but not working with 2.7, 2.8 or 2.9
I am using the official Docker images with the official Helm Charts.

Edit: Keycloak version: 21.1.1

Describe the issue:

After upgrading from 2.6 and also with a fresh install of 2.7, 2.8 and 2.9, I cannot login with SSO anymore. After clicking on “Log In with single sign-on” it forwards to Keycloak, forwards back to OS Dashboards and then shows a 502 server error. I could not find any issue in the opensearch-dashboards or opensearch logs.

It works fine with the exact same configuration for OpenSearch 2.6. As soon as I remove the “User Realm Role” from the dedicated scope for the openid client in Keycloak (token claim name “member_of”), the SSO login works with >= 2.7 (but I’m then missing the realm roles, of course).


Here are the relevant configs. The parent keys of both files were lost when the post was rendered; they are restored below from the standard layout of the security plugin `config.yml` and of `opensearch_dashboards.yml` (the authentication domain name was not in the post and is a placeholder):

```yaml
# Security plugin config.yml (parent keys restored; only the openid domain is shown)
config:
  dynamic:
    authc:
      openid_auth_domain:   # placeholder name, not in the original post
        description: "Authenticate via Keycloak SSO"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "member_of"
            openid_connect_url: ""
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: "/usr/share/opensearch/config/foo/bar-ca.pem"
```

```yaml
# Helm values fragment for OpenSearch Dashboards (parent keys restored)
    opensearch_dashboards.yml: |
      server:
        name: dashboards
        host: "{{ .Values.serverHost }}"
        ssl:
          enabled: false
      opensearch:
        requestHeadersWhitelist: ["Authorization", "securitytenant"]
        ssl:
          verificationMode: full
          certificateAuthorities: ["/usr/share/opensearch-dashboards/config/cert/ca.crt"]
      opensearch_security:
        auth:
          type: ["openid", "basicauth"]
          multiple_auth_enabled: true
        openid:
          connect_url: ""
          client_id: "{{ }}"
          client_secret: "{{ }}"
          scope: "openid profile email roles"
          base_redirect_url: "https://{{ }}"
          root_ca: "/usr/share/opensearch-dashboards/config/foo/bar-ca.pem"
          verify_hostnames: false
```

Relevant Logs or Screenshots:

Unfortunately, I cannot show a screenshot of Keycloak. As soon as I go to Keycloak > Clients > Client scopes > [client-name]-dedicated and turn off “Add to access token” of the “User Realm Role” with the Token Claim Name “member_of”, it works again (but as mentioned earlier, I need the realm roles).

@cinimins What’s the Keycloak’s version?

The Keycloak version is 21.1.1

@cinimins Haven’t tried 21.1.1 but OS 2.8 and 2.9 worked for me with 18 and 20.
I’ll test 21.

1 Like

I found the issue! It’s a problem with the buffer of the ingress controller in the kubernetes cluster. Apparently with OpenSearch >= 2.7 the size of the header must have increased and exceeded the default buffer size of the ingress controller.

1 Like
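The fix described in the post above, written out as an added example that is not part of the thread. The post does not name the ingress controller, so this assumes ingress-nginx; the hostname, service name and buffer sizes are placeholders chosen for illustration. Adding the realm-role claim makes the token Dashboards receives from Keycloak larger, and Dashboards returns that token to the browser in its security cookie, so the upstream response header can exceed the proxy's default buffer and the proxy answers 502. The same cookie comes back on every later request, so the request-side header buffers may need raising as well:

```yaml
# Response side: headers OpenSearch Dashboards sends back through the proxy
# (the Set-Cookie carrying the OIDC token grows with the number of roles).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opensearch-dashboards          # placeholder
  annotations:
    # default is 4k; raise it so a large Set-Cookie/Location fits
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
spec:
  rules:
    - host: dashboards.example.internal   # placeholder
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opensearch-dashboards   # placeholder
                port:
                  number: 5601
---
# Request side: the browser sends the same large cookie on each request;
# this is a controller-wide setting in the ingress-nginx ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller        # name used by the ingress-nginx chart
  namespace: ingress-nginx
data:
  large-client-header-buffers: "4 16k"
```

After applying the change, a quick check is to repeat the SSO login and confirm the redirect back from Keycloak completes without the 502; if it still fails, the controller's own logs usually report an "upstream sent too big header" style error, which points at the buffer sizes again. Keeping the buffers only as large as the token actually needs, rather than very large, limits the memory each connection reserves on the proxy.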

@cinimins Thanks for sharing the solution.