Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch & Dashboard 2.18.0
Cluster deployed using the Ansible playbook
Dashboard is behind Nginx proxy
Describe the issue:
I can't get OpenID working using Auth0 as IDP.

```
Response Error: 403 Forbidden
OpenId authentication failed: Error: Authentication Exception
```
I can log in fine using the internal user DB.
I do get to the Auth0 login page and have verified that the login is successful.
After login I get redirected back to OpenSearch dashboard but OpenSearch fails with 403.
Dashboard Settings

```yaml
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false
opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: "https://my-domain.au/opensearch"
opensearch_security.openid.client_id: "??????????????????????"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "??????????????????????????????"
opensearch_security.openid.connect_url: "https://something.auth0.com/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true
server.basePath: "/opensearch"
```
Security Config

```yaml
http:
  anonymous_auth_enabled: false
  xff:
    enabled: false
    internalProxies: ".*"
    remoteIpHeader: "x-forwarded-for"
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: false
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    description: "Authenticate via OpenID"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        enable_ssl: false
        verify_hostnames: false
        subject_key: name
        roles_key: opensearch_roles
        openid_connect_url: https://something.auth0.com/.well-known/openid-configuration
        kibana_url: https://mydomain.com.au/opensearch
    authentication_backend:
      type: noop
authz: {}
```
I tested the Auth0 application using OpenID Connect Playground and a JWT similar to this is produced:
```json
{
  "opensearch_roles": "admin",
  "nickname": "clint",
  "name": "clint@somewhere.com.au",
  "picture": "https://s.gravatar.com/avatar/ec9c1e2bb19a819807314c91ac41c872?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fcl.png",
  "updated_at": "2024-11-27T03:33:47.558Z",
  "email": "guy@somewhere.com.au",
  "email_verified": false,
  "iss": "https://something.auth0.com/",
  "aud": "????????",
  "iat": 1732680292,
  "exp": 1732716292,
  "sub": "auth0|????????",
  "sid": "???????"
}
```
Use the ADMIN role to get full access
The flow is shown in the screen shot.
- https://my-domain/opensearch/auth/openid/login - shows OpenSearch login page
- https://domain.auth0.com/authorize? - OpenSearch redirects to Auth0
- User logs into Auth0
- https://my-domain/opensearch/auth/openid/login - Auth0 redirects back to OpenSearch
- BACKEND - OpenSearch calls Auth0 to convert code into token and get JWT
- ??? - IT BREAKS

I assume that OpenSearch is sending a POST request to Auth0 to convert the code into a token and failing to process the response from Auth0, but I can't see any detailed logs.
Tried to enable DEBUG logs in OpenSearch
I can’t see how to enable DEBUG logs for the dashboard.
I tried setting DEBUG level on a core node but don’t see any logs that relate to this issue.
Relevant Logs or Screenshots:
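Added diagnostic, not part of the post above or of the OpenSearch project: it decodes an ID-token payload offline and compares it against the claim names and values the security config relies on (subject_key, roles_key, the discovery document's issuer, the Dashboards client_id, and exp), which mirrors the checks an OIDC relying party applies before mapping a user. The sample payload and client id are constructed placeholders modelled on the claims shown in the post.

```python
import base64
import json
import time

# Constructed sample payload modelled on the claims in the post (placeholder values, not real Auth0 output).
SAMPLE_PAYLOAD = {
    "opensearch_roles": "admin",
    "name": "clint@somewhere.com.au",
    "iss": "https://something.auth0.com/",
    "aud": "example-client-id",
    "iat": 1732680292,
    "exp": 1732716292,
    "sub": "auth0|example",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build 'header.payload.' with an empty signature, purely for offline testing of the claim checks."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the payload segment only; no signature check here (the plugin verifies against the IdP's JWKS)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_claims(payload: dict, subject_key: str, roles_key: str,
                 issuer: str, client_id: str, now=None) -> list:
    """Return mismatches between the token and the plugin config; an empty list means the token should map."""
    now = time.time() if now is None else now
    problems = []
    if subject_key not in payload:
        problems.append(f"no '{subject_key}' claim for subject_key")
    if roles_key not in payload:
        problems.append(f"no '{roles_key}' claim for roles_key")
    if payload.get("iss") != issuer:
        problems.append(f"iss {payload.get('iss')!r} != discovery issuer {issuer!r}")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Dashboards client_id")
    if payload.get("exp", 0) <= now:
        problems.append("token expired (exp <= now)")
    return problems
```

Run `check_claims(decode_payload(token), "name", "opensearch_roles", issuer, client_id)` with the real token from the OIDC playground and the `issuer` value from the connect_url's discovery document; any non-empty result is a mismatch to fix in either the Auth0 claim mapping or the security config.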