OpenId only works when it is before basic auth? Token expires sometimes?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.12

Describe the issue:
I have several issues with OpenId. The below configuration works, but I sometimes get kicked back to the login screen, where I just have to click on SingleSignOn, and I am logged in without authentication.
While comparing my config with the config from the documentation, I realized:

  • for basic auth the documentation says “type: internal”, but many configs have “type: intern” - does this make a difference?
  • The documentation says that basic auth has to be before OpenId. But when I swap the order, I get an “unauthorized 401”. This is really confusing! What did I do wrong?
    For the dashboard I have the setting: opensearch_security.auth.type: ‘[“basicauth”,“openid”]’

Configuration:

    dynamic:
      http:
        anonymous_auth_enabled: false
      authc:
        basic_internal_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: "1"
          http_authenticator:
            type: basic
            challenge: true
          authentication_backend:
            type: intern
        openid_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: "0"
          http_authenticator:
            type: openid
            challenge: false
            config:
              subject_key: preferred_username
              roles_key: groups
              openid_connect_url: "https://keycloak.mydomain.de/realms/myrealm/.well-known/openid-configuration"
          authentication_backend:
            type: noop

Hi @flo,

The “best practice” (in my personal opinion) is to set basic_internal_auth_domain.order: 1 and openid_auth_domain.order: 2 with openid_auth_domain.http_authenticator.challenge: true.
The reason being that your “service” users (such as kibanaserver, admin, etc…) depend on basic_internal_auth_domain (let me know if that assumption is incorrect).

Sample:

    dynamic:
      http:
        anonymous_auth_enabled: false
      authc:
        basic_internal_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: intern
        openid_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 2
          http_authenticator:
            type: openid
            challenge: true
            config:
              subject_key: preferred_username
              roles_key: groups
              openid_connect_url: "https://keycloak.mydomain.de/realms/myrealm/.well-known/openid-configuration"
          authentication_backend:
            type: noop

Best,
mj
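To make the effect of `order` and `challenge` concrete, here is an added example (not code from this thread or from the OpenSearch Security plugin) that models the documented walk through the `authc` domains: domains are tried in ascending `order`; a domain whose authenticator finds no credentials either ends the request with a 401 challenge (`challenge: true`) or is skipped (`challenge: false`); credentials that are present are checked against a simulated backend. The credential values and the three configurations are constructed from the configs quoted above.

```python
"""Simplified model of the OpenSearch Security `authc` chain (added example).

This is not the plugin's own code. It assumes the documented behaviour: domains
are tried in ascending `order`; when a domain's authenticator finds no
credentials it either stops the request with a 401 challenge (challenge: true)
or is skipped (challenge: false); credentials that are present are checked
against a simulated backend. The credential values below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Domain:
    name: str
    order: int
    auth_type: str   # "basic" or "openid"
    challenge: bool


# Constructed stand-ins for the backends: one basic-auth service user and one
# bearer token issued by the IdP. Real backends would validate properly.
VALID_BASIC = {"Basic a2liYW5hc2VydmVyOnNlY3JldA=="}   # kibanaserver:secret
VALID_BEARER = {"Bearer demo-access-token"}


def _extract(domain: Domain, headers: dict) -> Optional[str]:
    """Return the Authorization value this domain's authenticator understands."""
    auth = headers.get("Authorization", "")
    prefix = "Basic " if domain.auth_type == "basic" else "Bearer "
    return auth if auth.startswith(prefix) else None


def authenticate(domains: list, headers: dict) -> tuple:
    """Walk the chain in `order` and return (status, explanation)."""
    for d in sorted(domains, key=lambda dom: dom.order):
        creds = _extract(d, headers)
        if creds is None:
            if d.challenge:
                # Challenging authenticator with no credentials: the request
                # ends here, later domains are never consulted.
                return 401, f"challenge from {d.name}"
            continue
        valid = VALID_BASIC if d.auth_type == "basic" else VALID_BEARER
        if creds in valid:
            return 200, f"authenticated by {d.name}"
        # Present but rejected credentials: fall through to the next domain.
    return 401, "no domain accepted the request"


# The three configurations discussed in the thread.
ORIGINAL = [Domain("openid_auth_domain", 0, "openid", False),
            Domain("basic_internal_auth_domain", 1, "basic", True)]
SWAPPED = [Domain("basic_internal_auth_domain", 0, "basic", True),
           Domain("openid_auth_domain", 1, "openid", False)]
RECOMMENDED = [Domain("basic_internal_auth_domain", 1, "basic", False),
               Domain("openid_auth_domain", 2, "openid", True)]

REQUESTS = {
    "no credentials": {},
    "service user (basic)": {"Authorization": "Basic a2liYW5hc2VydmVyOnNlY3JldA=="},
    "browser user (bearer)": {"Authorization": "Bearer demo-access-token"},
}


def matrix() -> dict:
    """Outcome of every request type against every configuration."""
    configs = {"original": ORIGINAL, "swapped": SWAPPED, "recommended": RECOMMENDED}
    return {c: {r: authenticate(doms, h) for r, h in REQUESTS.items()}
            for c, doms in configs.items()}


if __name__ == "__main__":
    for config, results in matrix().items():
        print(config)
        for request, (status, why) in results.items():
            print(f"  {request:22s} -> {status} {why}")
```

Running it shows the difference between the layouts: in the swapped config a bearer-token request is stopped by the challenging basic domain before OpenID is ever consulted, while in the recommended layout service users pass the non-challenging basic domain and browser users without credentials receive the OpenID challenge that starts the redirect to the IdP.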

What is the expiration on the JWT tokens generated by your IDP (I will assume “keycloak” in your case)?

You can also check more advanced settings here, such as authentication caching: Security settings - OpenSearch Documentation

Let me know if you have any further questions.

Best,
mj

Ah, I just realized that reading the documentation about the “challenge” parameter helped me understand why my config was wrong.
Yes, I use Keycloak and I have these settings, although I do not really understand the implications of these timeouts:
SSO Session Idle: 4h
SSO Session Max: 16h
Access Token Lifespan: 15min
Access Token Lifespan For Implicit Flow: 30min

Are these settings good/crap?

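To relate the Keycloak lifespans above to what actually arrives at OpenSearch, a practitioner would inspect the `iat` and `exp` claims of a real access token. The following is an added example, not code from this thread or from Keycloak: it builds a constructed look-alike token with a 15-minute lifespan (matching the Access Token Lifespan quoted above), decodes the payload without verifying the signature, and reports the lifetime and the time remaining at a given instant. The issuer URL, username and group are placeholders.

```python
"""Inspect the lifetime of an access token the IdP issued (added example).

Not the thread's or Keycloak's code. It decodes the JWT payload *without*
verifying the signature, which is enough for reading `iat`/`exp` when checking
whether observed re-logins line up with the configured Access Token Lifespan.
The token below is constructed locally; its signature part is a placeholder.
"""
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(iat: int, lifespan_s: int) -> str:
    """Build an unsigned look-alike of a Keycloak access token (constructed)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}
    payload = {
        "iss": "https://keycloak.example/realms/myrealm",   # placeholder issuer
        "preferred_username": "flo",                         # subject_key claim
        "groups": ["opensearch-admins"],                     # roles_key claim
        "iat": iat,
        "exp": iat + lifespan_s,
    }
    signature = "placeholder-not-a-real-signature"
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     signature])


def decode_payload(token: str) -> dict:
    """Return the claims; raises ValueError for a malformed token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def lifetime_seconds(token: str) -> int:
    """exp minus iat, i.e. the lifespan the IdP actually granted."""
    claims = decode_payload(token)
    return claims["exp"] - claims["iat"]


def seconds_until_expiry(token: str, now: int) -> int:
    """Negative means the token is already expired at `now`."""
    return decode_payload(token)["exp"] - now


if __name__ == "__main__":
    issued = 1_700_000_000                   # constructed issue time
    tok = make_demo_token(issued, 15 * 60)   # 15 min, as quoted in the thread
    print("lifetime (min):", lifetime_seconds(tok) / 60)
    print("remaining at +10min:", seconds_until_expiry(tok, issued + 600))
    print("remaining at +20min:", seconds_until_expiry(tok, issued + 1200))
```

Paste a real token's payload segment into `decode_payload` only for inspection; any decision to trust the token belongs to the plugin, which validates the signature against the keys published at the `openid_connect_url`.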

@flo, I would say neither good nor bad, just keep in mind you can adjust the “settings” to optimize the behaviour.

Best,
mj