OpenSearch Dashboards can not auto refresh access_token

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.5.0

Describe the issue:
i deployed OpenSearch and enabled openid auth with keycloak. I set the access_token expire in 5 minutes and the refresh_token expire in 30 minutes.But i found that seems OpenSearch could not auto refresh access_token. And i had to login again every 5 minutes.

Here is configs in opensearch_dashboards.yml:

opensearch.hosts: [http://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: **********
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.session.ttl: 14400000
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.refresh_tokens: false
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.base_redirect_url: http://localhost:5601
opensearch_security.openid.client_id: opensearch
opensearch_security.openid.client_secret: *********************
opensearch_security.openid.scope: "openid profile email address phone"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [opensearch_read_only] false ''

And here is config in opensearch-security/config.yml:

        http_enabled: true
        transport_enabled: true
        order: 0
          type: openid
          challenge: false
            subject_key: preferred_username
            roles_key: roles
          type: noop

Relevant Logs or Screenshots:
i tried with Postman to refresh access_token, and here was the response:

Please review and advice if need other information.Thanks a lot!

I have the same issue here. I have to relogin after 5 minutes.

May i know if anyone else has the same issue and how to solve it? we now change the expire time from 5 minuts to 1 hour.

i think i have found the root cause now. i changed the setting ‘opensearch_security.openid.refresh_tokens:’ from ‘false’ to ‘true’ in opensearch_dashboards.yml. And it can refresh access_token and no need to login every 5 minutes .Hope it can help you .


thank you for coming back to share the resolution with the community!