OpenSearch 3.3 deployed in OpenShift: OIDC integration gives 401 Unauthorized error

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.3

Describe the issue:

```json
{"type":"log","@timestamp":"2026-01-04T18:32:58Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
```

Configuration: basic internal user login is working

Relevant Logs or Screenshots:

```yaml
#OIDC
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.ui.openid.login.buttonname: "OIDC-IBM-W3"
opensearch_security.openid.connect_url: "https://login.w3.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
opensearch_security.openid.base_redirect_url: "https://dashboard-os.apps.frasos-ocp4.mgmt.net.ibm.com"
opensearch_security.openid.logout_url: "https://dashboard-os.apps.frasos-ocp4.mgmt.net.ibm.com/auth/openid/logout"
server.rewriteBasePath: false
opensearch_security.openid.client_id: *****
opensearch_security.openid.client_secret: ********
logging.verbose: true
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.refresh_tokens: false
opensearch_security.openid.extra_storage.cookie_prefix: security_authentication_oidc
opensearch_security.openid.extra_storage.additional_cookies: 3
opensearch_security.cookie.isSameSite: "None"
opensearch_security.cookie.secure: true
```

```
sh-5.2$ cat opensearch-security/config.yml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        #internalProxies: "192\.168\.0\.10|192\.168\.0\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        order: 1
        http_authenticator:
          type: openid
          challenge: true
          config:
            subject_key: "emailAddress"
            roles_key: "blueGroups"
            openid.connect_url: https://login.w3.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
        authentication_backend:
          type: noop
```

@sandeepm257 Are you getting redirected to the IdP login page, or does the error appear once you follow the OpenSearch Dashboards URL?

Where did you get the roles key? Is that role key in your JWT token?

According to the OpenSearch documentation, OpenSearch Dashboards is using the default scope. Could you compare it with your IdP?

Hi Pablo, thanks for the reply.

I guess it's some issue with config.yml alignment.
I copied the content from a working cluster and it is fine now.

Thanks

1 Like
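
The thread ends with config.yml alignment as the suspected cause. The following added example, which is not code from the thread or from the OpenSearch project, checks that every domain under `config.dynamic.authc` has `http_authenticator.type` and `authentication_backend.type` at the expected nesting depth. The function names are hypothetical, the sample files are constructed, and the small parser handles only nested `key: value` mappings.

```python
def parse_mapping(text):
    """Parse indentation-nested 'key: value' lines into dicts (no lists)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each currently open parent
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # close parents at same or deeper indent
            stack.pop()
        node = value.strip().strip('"') if value.strip() else {}
        stack[-1][1][key] = node
        if isinstance(node, dict):
            stack.append((indent, node))
    return root


def check_authc(cfg):
    """Return nesting problems found under config.dynamic.authc."""
    node = cfg
    for key in ("config", "dynamic", "authc"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return ["config.dynamic.authc is missing or mis-indented"]
    problems = []
    for name, domain in node.items():
        for section in ("http_authenticator", "authentication_backend"):
            sub = domain.get(section) if isinstance(domain, dict) else None
            if not isinstance(sub, dict) or "type" not in sub:
                problems.append(f"{name}: {section}.type not found")
    return problems


# Constructed sample, trimmed to the keys that matter for nesting.
GOOD = """\
config:
  dynamic:
    authc:
      openid_auth_domain:
        order: 1
        http_authenticator:
          type: openid
        authentication_backend:
          type: noop
"""
# Same keys, but authentication_backend has slipped under http_authenticator.
BAD = GOOD.replace("        authentication_backend:\n          type: noop",
                   "          authentication_backend:\n            type: noop")
```

The misaligned sample is still valid YAML, so a syntax check alone does not catch this kind of error.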