OpenSearch dashboards gets 401 unauthorized after 1 hour

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.15.0

Describe the issue:
I’m using openID to integrate azure entra id login with opensearch dashboards. Login works fine but after 1 hour I get 401 unauthorized and I’m returned to opensearch dashboards login screen. After I click “Log in with single sign-on” I’m instantly logged in back without typing password or anything which means my azure session didn’t expire but opensearch one did.

E.g. request that gets 401 unauthorized:

I tried changing various configs like plugins.security.cache.ttl_minutes to 180 and 0 but nothing helped.
I also checked [FEATURE] Support custom SAML headers for expiry time · Issue #4046 · opensearch-project/security · GitHub and it looks like issue is fixed but I just can’t make it work.

Any suggestions would be great.

Configuration:
opensearch_dashboards.yml:

opensearch_security.cookie.secure: false
opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true
opensearch_security.openid.refresh_tokens: true

opensearch.requestHeadersWhitelist: ["Authorization", "securitytenant"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["openid", "basicauth"]
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/REDACTED/v2.0/.well-known/openid-configuration"
opensearch_security.openid.client_id: "REDACTED"
opensearch_security.openid.client_secret: "REDACTED"
opensearch_security.openid.base_redirect_url: "https://example.com"

opensearch-security/config.yml

openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            pemtrustedcas_filepath: /etc/opensearch/ssl/DigiCertGlobalRootCA.crt.pem
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/REDACTED/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch.yml
plugins.security.cache.ttl_minutes: 0


Hi @karlo95,

If I am not mistaken the TTL values are not respected when using Azure as IDP (I believe it works with Keycloak).

The TTL, in this case, needs to be adjusted on the IDP end (I am not aware of the ways to do it or if it is possible on Azure).

I would advise opening a feature request on GitHub (please share the URL of the request here).

Best,
mj

I experience the same behavior in 2.15.0 with Okta as the OIDC provider. The session and/or cookie ttl settings do seem to be respected for me, but only when set to less than 1 hour. Setting them over 1 hour results in the session dying with the 401 symptom at 60min. I have tried what must be every possible variation of settings on the Okta side, as well as in opensearch_dashboards.yml.

@derek-ho thought he squashed this in 2.13.0, but evidently the bug remains. (Or, there is some configuration magic that has not been sufficiently documented?)

If anyone experiences the same issues: I managed to adjust TTL on Azure side using https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

Also, a feature request is opened on the project https://github.com/opensearch-project/OpenSearch-Dashboards/issues/7604 so let’s see if it will go through because I think it would be easier to set TTL directly on opensearch app side than on azure.

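To check whether the IdP token lifetime is what caps the Dashboards session at 60 minutes, as the replies in this thread conclude, here is an added diagnostic script (not from the thread, the OpenSearch project, or Azure) that reads the iat/exp claims of a JWT you already hold and compares the lifetime with the configured session ttl; the token, the HS256 secret and the claim values are constructed for the demo, and real Azure/Okta tokens are RS256-signed.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iat: int, exp: int, secret: bytes) -> str:
    """Constructed HS256 JWT standing in for the IdP's id/access token (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iat": iat, "exp": exp, "preferred_username": "user@example.com"}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def token_lifetime(token: str) -> tuple[int, int, int]:
    """Return (iat, exp, lifetime_seconds) from the JWT payload.

    The signature is deliberately not verified: this is a read-only diagnostic
    for a token you already hold, not an authenticator.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    iat, exp = int(claims["iat"]), int(claims["exp"])
    return iat, exp, exp - iat


def session_bound_seconds(session_ttl_ms: int, token_lifetime_s: int) -> int:
    """Effective session length if the thread's diagnosis holds: the Dashboards
    session cannot outlive the IdP token unless a refresh succeeds, so the
    shorter of the configured ttl and the token lifetime wins (assumption)."""
    return min(session_ttl_ms // 1000, token_lifetime_s)


# Constructed sample: issued at a fixed epoch, valid for exactly one hour.
SAMPLE_TOKEN = make_sample_token(1_700_000_000, 1_700_003_600, b"constructed-demo-secret")

if __name__ == "__main__":
    _, _, life = token_lifetime(SAMPLE_TOKEN)
    print(f"token lifetime: {life} s ({life // 60} min)")
    print(f"session bound with ttl 86400000 ms: {session_bound_seconds(86400000, life)} s")
```

Paste a real token from the browser's cookie or the IdP's token endpoint in place of SAMPLE_TOKEN; a reported lifetime of 3600 s next to a session ttl of 86400000 ms reproduces the 60 minute cut-off seen above.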

@karlo95, thanks for sharing, that is good to know.

Thanks,
mj