@pablo I tried running your commands; I am assuming you meant to run these commands from inside the OpenSearch Dashboards container. I did receive an access_token from Keycloak with the following data decoded from jwt.io:
{
  "exp": 1674587633,
  "iat": 1674587333,
  "jti": "REDACTED",
  "iss": "REDACTED",
  "aud": "account",
  "sub": "REDACTED",
  "typ": "Bearer",
  "azp": "opensearch",
  "session_state": "89e1c750-6cb6-4ecb-a59f-4e2f5d1073a1",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default-roles-opensearch",
      "offline_access",
      "admin",
      "uma_authorization",
      "all_access",
      "kibanauser"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "REDACTED",
  "email_verified": false,
  "roles": [
    "default-roles-opensearch",
    "offline_access",
    "admin",
    "uma_authorization",
    "all_access",
    "kibanauser",
    "manage-account",
    "manage-account-links",
    "view-profile"
  ],
  "preferred_username": "dit",
  "given_name": "",
  "family_name": ""
}
I do not see the token anywhere in the logs of either OpenSearch Dashboards or OpenSearch. Instead I got the token from echoing the TOKEN variable after performing the operations.
The only log I get from OpenSearch is the following:
The line “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’” is the only thing that happens when I run the third curl command from your list. It seems to be the same behavior as when I use the browser. I assume this is because it first attempts basic auth, which fails before it then moves on to OIDC as per the configuration ordering.
Inside the OpenSearch Dashboards container the only result I get from running the third curl command is an “Unauthorized” message.
When looking at the actual logs of OpenSearch Dashboards, this is what comes up:
{
  "type": "log",
  "@timestamp": "2023-01-25T10:05:28Z",
  "tags": [
    "error",
    "plugins",
    "securityDashboards"
  ],
  "pid": 1,
  "message": "OpenId authentication failed: Error: Authentication Exception"
}
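
An added example, not part of the original post or of the OpenSearch project's code: a local check of the claims in an access token like the one decoded above (lifetime, subject claim, roles claim). The `subject_key` and `roles_key` values passed in are assumptions because the post does not show its security configuration, as is treating `roles_key` as a top-level claim name; the sample token is constructed from the posted claim values and the signature is not verified.

```python
import base64
import json
import time

def b64url_decode_json(segment):
    """Decode one JWT segment; compact JWTs strip the '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token, subject_key, roles_key, now=None, skew=30):
    """Return a list of findings (empty list = checks passed).
    Claims inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT: expected 3 dot-separated segments"]
    try:
        claims = b64url_decode_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"payload does not decode: {exc}"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    now = time.time() if now is None else now
    findings = []
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        findings.append("no numeric exp claim")
    elif now > exp + skew:
        findings.append(f"expired {int(now - exp)}s ago")
    if isinstance(iat, (int, float)) and iat > now + skew:
        findings.append("iat is in the future: check clock sync between hosts")
    subject = claims.get(subject_key)
    if not isinstance(subject, str) or not subject:
        findings.append(f"subject_key '{subject_key}' missing or empty")
    roles = claims.get(roles_key)  # assumption: roles_key is a top-level claim
    if not isinstance(roles, list) or not roles:
        findings.append(f"roles_key '{roles_key}' is not a non-empty list")
    return findings

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claim values taken from the decoded token in the post;
# the header and signature segments are placeholders.
SAMPLE_CLAIMS = {"exp": 1674587633, "iat": 1674587333,
                 "realm_access": {"roles": ["admin", "all_access"]},
                 "roles": ["admin", "all_access", "kibanauser"],
                 "preferred_username": "dit", "given_name": ""}
SAMPLE_TOKEN = ".".join([b64url({"alg": "RS256", "typ": "JWT"}),
                         b64url(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    print(inspect_token(SAMPLE_TOKEN, "preferred_username", "roles"))
```

The posted token has `exp - iat = 300`, so a token captured in one shell session and replayed with curl more than five minutes later shows up here as expired.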