OpenID with Auth0

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch & Dashboard 2.18.0
Cluster deployed using the Ansible playbook
Dashboard is behind Nginx proxy

Describe the issue:
I can't get OpenID working using Auth0 as IDP.
Response Error: 403 Forbidden
OpenId authentication failed: Error: Authentication Exception

I can log in fine using the internal user DB.
I do get to the Auth0 login page, have verified the login is success.
After login I get redirected back to OpenSearch dashboard but OpenSearch fails with 403.

Dashboard Settings

opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false

opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: "https://my-domain.au/opensearch"
opensearch_security.openid.client_id: "??????????????????????"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "??????????????????????????????"
opensearch_security.openid.connect_url: "https://something.auth0.com/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true

server.basePath: "/opensearch"

Security Config

http:
  anonymous_auth_enabled: false
  xff:
    enabled: false
    internalProxies: ".*"
    remoteIpHeader: "x-forwarded-for"
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: false
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    description: "Authenticate via OpenID"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        enable_ssl: false
        verify_hostnames: false
        subject_key: name
        roles_key: opensearch_roles
        openid_connect_url: https://something.auth0.com/.well-known/openid-configuration
        kibana_url: https://mydomain.com.au/opensearch
    authentication_backend:
      type: noop
authz: {}

I tested the Auth0 application using OpenID Connect Playground and a JWT similar to this is produced:

 {
   "opensearch_roles": "admin",
   "nickname": "clint",
   "name": "clint@somewhere.com.au",
   "picture": "https://s.gravatar.com/avatar/ec9c1e2bb19a819807314c91ac41c872?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fcl.png",
   "updated_at": "2024-11-27T03:33:47.558Z",
   "email": "guy@somewhere.com.au",
   "email_verified": false,
   "iss": "https://something.auth0.com/",
   "aud": "????????",
   "iat": 1732680292,
   "exp": 1732716292,
   "sub": "auth0|????????",
   "sid": "???????"
 }

Use the ADMIN role to get full access

The flow is shown in the screen shot.

  • https://my-domain/opensearch/auth/openid/login - shows OpenSearch login page
  • https://domain.auth0.com/authorize? - OpenSearch redirects to Auth0
    • User logs into Auth0
  • https://my-domain/opensearch/auth/openid/login - Auth0 redirects back to OpenSearch
  • BACKEND - OpenSearch calls Auth0 to convert code into token and get JWT
  • ??? - IT BREAKS

I assume that OpenSearch is sending POST request to Auth0 to convert code into token
and failing to process the response from Auth0 but I can’t see any detailed logs.

Tried to enable DEBUG logs in OpenSearch

I can’t see how to enable DEBUG logs for the dashboard.
I tried setting DEBUG level on a core node but don’t see any logs that relate to this issue.

Relevant Logs or Screenshots:

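The post's token has the user's identity in "name" and the role in "opensearch_roles", and the security config points subject_key and roles_key at exactly those claims. The following Python is an added example, not code from the original post or from the OpenSearch security plugin: it rebuilds that claim mapping so the token can be checked offline against the configured keys, the issuer from the discovery document, and the expiry. The HS256 signature is a constructed stand-in so the script runs without a network; Auth0 issues RS256 tokens that the plugin verifies against the JWKS published by the openid_connect_url. The comma-splitting of a string-valued roles claim is an assumption about the plugin's behaviour, and the sample claims use placeholder identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT for offline testing (Auth0 itself issues RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_and_decode(token: str, secret: bytes) -> dict:
    """Check the signature first, then return the claims. Raises ValueError on a bad token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def map_claims(claims: dict, subject_key: str, roles_key: str,
               expected_issuer: Optional[str] = None,
               now: Optional[float] = None) -> Tuple[str, list]:
    """Apply the subject_key / roles_key mapping from config.yml to a decoded token.

    Returns (subject, backend_roles) and raises ValueError where the token would be
    rejected: expired, issuer differs from the discovery document, subject claim absent.
    Assumption: a string-valued roles claim is split on commas; a list is used as-is.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        raise ValueError("token expired")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    subject = claims.get(subject_key)
    if not isinstance(subject, str) or not subject:
        raise ValueError(f"subject_key {subject_key!r} missing from token")
    raw_roles = claims.get(roles_key)
    if raw_roles is None:
        roles = []
    elif isinstance(raw_roles, str):
        roles = [r.strip() for r in raw_roles.split(",") if r.strip()]
    elif isinstance(raw_roles, list):
        roles = [str(r) for r in raw_roles]
    else:
        raise ValueError(f"roles_key {roles_key!r} has unsupported type {type(raw_roles).__name__}")
    return subject, roles


# Constructed sample modelled on the claims shown in the post; identifiers are placeholders.
SAMPLE_CLAIMS = {
    "opensearch_roles": "admin",
    "nickname": "clint",
    "name": "clint@somewhere.com.au",
    "email": "guy@somewhere.com.au",
    "email_verified": False,
    "iss": "https://something.auth0.com/",
    "aud": "CLIENT_ID_PLACEHOLDER",
    "iat": 1732680292,
    "exp": 1732716292,
    "sub": "auth0|SUBJECT_PLACEHOLDER",
}
SECRET = b"constructed-test-secret"  # constructed; never a real client secret


def demo(now: float = 1732680300) -> Tuple[str, list]:
    """Round-trip: sign, verify, then map with the keys from the post's config."""
    token = make_hs256_token(SAMPLE_CLAIMS, SECRET)
    claims = verify_hs256_and_decode(token, SECRET)
    return map_claims(claims, subject_key="name", roles_key="opensearch_roles",
                      expected_issuer="https://something.auth0.com/", now=now)


if __name__ == "__main__":
    print(demo())  # ('clint@somewhere.com.au', ['admin'])
```

Running map_claims with subject_key="sub" instead of "name" shows the other common outcome: the user is then known to OpenSearch as "auth0|..." and any role mapping keyed on the e-mail address no longer applies. Note that the issuer comparison is exact, so "https://something.auth0.com" without the trailing slash does not match the "iss" Auth0 puts in the token.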
Not 100% sure if that's the issue, but the Authorization header starts with a capital A: Authorization - HTTP | MDN

Hi @cvdb,

Could you run a quick test by mapping your user to all_access directly and try logging in via OpenID:

If successful please run the following (in Dev Tools) and share the output:

GET /_plugins/_security/authinfo?pretty

Best,
mj

Hi mj,

I did not create an internal user:

but I added the user as a CUSTOM property

Same error…

{
  "user": "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name": "admin",
  "user_requested_tenant": null,
  "remote_address": "10.100.3.8:59786",
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "roles": [
    "own_index",
    "all_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

Unfortunately, all I can see in the dashboard logs is:

Nov 28 22:45:18 dashboard1 opensearch-dashboards[27785]: {"type":"log","@timestamp":"2024-11-28T22:45:18Z","tags":["error","plugins","securityDashboards"],"pid":27785,"message":"OpenId authentication failed: Error: Authentication Exception"}

I see this on a core node, not sure if it's related:

[2024-11-28T22:45:18,104][WARN ][o.o.s.h.HTTPBasicAuthenticator] [core1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

I did also adjust this, same error:

opensearch.requestHeadersWhitelist: [ Authorization,securitytenant ]

Have you tried setting the log level to debug/trace?

more here: Troubleshoot OpenID Connect - OpenSearch Documentation

Best,
mj

I am also facing the same issue.

Do you see any errors in the OpenSearch logs? AFAIK kibana_url is not a setting of the openid authenticator (it is for SAML). It may be failing to instantiate an OpenID authenticator on the backend.

Could you please confirm if the Kibana URLs are correct (please see above)?

best,
mj
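The request above to confirm the Dashboards URLs comes down to two exact-match rules: the redirect_uri that Dashboards sends must be registered at Auth0 character for character (RFC 6749 section 3.1.2.3 specifies simple string comparison), and with Dashboards behind a proxy the base_redirect_url has to carry the same path as server.basePath, because that is where the browser is sent back to. The script below is an added example, not code from the thread or from the security dashboards plugin. It assumes the plugin derives redirect_uri as base_redirect_url + "/auth/openid/login", which is the callback visible in the post's flow, and the config dict and registered-callback list are constructed stand-ins for the Dashboards settings and the Auth0 application's allowed callback URLs.

```python
from urllib.parse import urlsplit

# Assumption (matches the flow shown in the post): Dashboards sends
# <base_redirect_url>/auth/openid/login as the OIDC redirect_uri.
CALLBACK_PATH = "/auth/openid/login"


def expected_redirect_uri(base_redirect_url: str) -> str:
    return base_redirect_url.rstrip("/") + CALLBACK_PATH


def _loose_key(url: str) -> tuple:
    # Host case and a trailing slash are the usual "looks right but is not equal" differences.
    p = urlsplit(url)
    return ((p.hostname or "").lower(), p.path.rstrip("/"))


def check_redirect_uri(base_redirect_url: str, registered_callbacks: list) -> dict:
    """Exact-match check of the derived redirect_uri against the IdP's allowed callbacks.

    Near misses are reported separately so the reader sees why a callback that
    differs only by scheme, case or trailing slash still fails at the IdP.
    """
    wanted = expected_redirect_uri(base_redirect_url)
    if wanted in registered_callbacks:
        return {"ok": True, "redirect_uri": wanted, "near_misses": []}
    near = [cb for cb in registered_callbacks if _loose_key(cb) == _loose_key(wanted)]
    return {"ok": False, "redirect_uri": wanted, "near_misses": near}


def check_base_path(base_redirect_url: str, base_path: str) -> bool:
    """base_redirect_url must end in server.basePath when Dashboards is proxied under a path."""
    if not base_path.strip("/"):
        return True
    return urlsplit(base_redirect_url).path.rstrip("/") == "/" + base_path.strip("/")


def diagnose(cfg: dict, registered_callbacks: list) -> list:
    """Return a list of findings; an empty list means both URL rules hold."""
    findings = []
    base = cfg["opensearch_security.openid.base_redirect_url"]
    base_path = cfg.get("server.basePath", "")
    if not check_base_path(base, base_path):
        findings.append(f"base_redirect_url {base!r} does not end with server.basePath {base_path!r}")
    res = check_redirect_uri(base, registered_callbacks)
    if not res["ok"]:
        msg = f"redirect_uri {res['redirect_uri']} is not registered at the IdP"
        if res["near_misses"]:
            msg += "; near miss (exact match required): " + ", ".join(res["near_misses"])
        findings.append(msg)
    return findings


# Constructed values modelled on the post's settings; the callback list is a made-up
# Auth0 "Allowed Callback URLs" entry that differs only by a trailing slash.
SAMPLE_CFG = {
    "server.basePath": "/opensearch",
    "opensearch_security.openid.base_redirect_url": "https://my-domain.au/opensearch",
}
SAMPLE_CALLBACKS = ["https://my-domain.au/opensearch/auth/openid/login/"]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CFG, SAMPLE_CALLBACKS):
        print("FINDING:", finding)
```

With the constructed inputs the script reports one finding: the derived redirect_uri is not registered, and the near-miss entry differs only by the trailing slash. Replacing that entry with the exact URL returns an empty list.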