OpenSearch Dashboard with Keycloak IdP is working, but OpenSearch is not

Versions (OpenSearch/Dashboard): 2.2.0 (Docker container in K8s)

Describe the issue:
I have set up Keycloak to provide identity to OpenSearch Dashboard, which is actually working fine.
If I attempt to use the same credentials (name and password from Keycloak/Dashboard) in an API call (via "curl"), it seems that OpenSearch does not contact Keycloak to authenticate the user; I just get the error "Unauthorized".
My goal is to manage all users dynamically in Keycloak, no matter what tool the user wants to use (OpenSearch Dashboard, curl via terminal, Postman, ...).

Configuration:
config.yml

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    kibana:
      multitenancy_enabled: true
      server_username: opensearch
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '.*'
        remoteIpHeader:  'x-forwarded-for'
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            subject_key: email
            roles_key: groups
            openid_connect_url: https://keycloak.local:445/realms/test/.well-known/openid-configuration
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: true
              pemtrustedcas_content: |- 
                -----BEGIN CERTIFICATE-----
                REDACTED
                -----END CERTIFICATE-----
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

Relevant Logs or Screenshots:

curl -k -X GET -utstuser:tstuser456 "https://localhost:9200/_cat/health"
Unauthorized

OpenSearch log record:

main {"type": "logging", "timestamp": "2023-02-22T12:22:27,002Z", "level": "WARN", "component": "o.o.s.a.BackendRegistry", "cluster.name": "testcluster", "node.name": "os-node-65f55ff749-ls84b", "message": "Authentication finally failed for tstuser from 127.0.0.1:43514", "cluster.uuid": "No1pC_dTTZy4VBXSy-T0_g", "node.id": "h-0LeEGBT0KK2a0AX1BNIg"  }

I would like to ask for help.

@LHozzan curl -u should be used with LDAP and basic authentication only.
To get curl working with OpenID you need to first get a JWT token from Keycloak and use it as a Bearer token in the Authorization header when running API queries.

Try the below.

# Step 1: password grant against the Keycloak token endpoint (fill in <uid>, <password>, <secret>, <Keycloak address>, <realm>).
# The /auth prefix depends on the Keycloak version; the openid_connect_url in the config above has none.
RESULT=$(curl -k --noproxy '*' -d 'client_id=kibana' -d 'username=<uid>' -d 'password=<password>' -d 'grant_type=password' -d 'client_secret=<secret>' -d 'scope=openid' 'https://<Keycloak address>/auth/realms/<realm>/protocol/openid-connect/token')

# Step 2: pull access_token out of the JSON body and send it as a Bearer token instead of -u.
TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')
curl -k --noproxy '*' -H "Authorization: Bearer $TOKEN" "https://localhost:9200/_cat/health"
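
The same two-step flow as an added Python example (not code from the thread), which additionally checks that the token carries the `email` and `groups` claims that the `subject_key` and `roles_key` settings in the config.yml above map to; a token without them authenticates but maps to no user or roles. `request_token` is a hypothetical helper for the live Keycloak call, and the sample token is constructed and unsigned so the rest runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Claim names must match subject_key / roles_key in config.yml above.
SUBJECT_KEY = "email"
ROLES_KEY = "groups"

def request_token(token_url, client_id, client_secret, username, password):
    """Password-grant token request to Keycloak (the first curl above)."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password,
        "grant_type": "password", "scope": "openid",
    }).encode()
    req = urllib.request.Request(token_url, data=form, method="POST")
    with urllib.request.urlopen(req) as resp:  # verifies TLS via the system CA bundle, no -k
        return json.load(resp)

def extract_access_token(token_response):
    """Take access_token from the parsed JSON instead of running sed on the raw body."""
    return token_response["access_token"]

def jwt_claims(token):
    """Decode the JWT payload without verifying it; OpenSearch verifies the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_claims(token, subject_key=SUBJECT_KEY, roles_key=ROLES_KEY):
    """Claims the security plugin needs for user/role mapping that the token lacks."""
    claims = jwt_claims(token)
    return [key for key in (subject_key, roles_key) if key not in claims]

def bearer_header(token):
    """Header to send to OpenSearch instead of -u basic credentials."""
    return {"Authorization": f"Bearer {token}"}

def fake_jwt(claims):
    """Constructed, unsigned token for the offline demo; not a real Keycloak token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature"

# Constructed response shaped like Keycloak's /protocol/openid-connect/token reply.
SAMPLE_RESPONSE = {"token_type": "Bearer", "access_token": fake_jwt(
    {"sub": "1234", "email": "tstuser@example.com", "groups": ["/analysts"]})}
```

If `missing_claims` reports `groups`, add a group membership mapper to the Keycloak client so the claim is included in the access token.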

Hi @pablo.
Thank you for the answer. I will try it.
Best regards.