OpenSearch Keycloak (OpenID) authentication finally failed

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • OpenSearch (Docker): opensearch:1.3.12
  • Dashboard (Docker): opensearch-dashboards:1.3.12
  • Keycloak (Docker): keycloak:21.1.1

Describe the issue:

I’m currently working on a pre-configured OpenSearch deployment.
When I try to log in to OpenSearch using OpenID, the server returns the following error:

Authentication finally failed

When I try to log in to OpenSearch Dashboards using OpenID, I’m stuck in a redirect loop.
Certificates are valid for both browser and servers (checked with curl, no SSL error returned).

Configuration:

opensearch.yml

network.host: 0.0.0.0
plugins.security.ssl.http.enabled: false
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: false
plugins.security.ssl.transport.pemcert_filepath: elk-transport-crt.pem
plugins.security.ssl.transport.pemkey_filepath: elk-transport-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: elk-transport-root-ca.pem
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.audit.type: log4j
plugins.security.audit.config.log4j.logger_name: audit
plugins.security.audit.config.log4j.level: INFO

plugins.security.authcz.admin_dn:
  - "[...]"
plugins.security.nodes_dn:
  - "[...]"

security config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
            subject_key: preferred_username
            roles_key: es_role
            openid_connect_url: https://auth.[...].io/auth/realms/kast/.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch_dashboards.yml

server.name: opensearch-dashboards-doc-store
elasticsearch.ssl.verificationMode: none
elasticsearch.requestTimeout: 360000

# yamllint disable-line
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true

opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true

opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opensearch_security.auth.type: "openid"

# The IdP metadata endpoint
opensearch_security.openid.connect_url: "https://auth.[...].io/auth/realms/kast/.well-known/openid-configuration"
opensearch_security.openid.base_redirect_url: "https://opensearch-dashboards.[...].io"
opensearch_security.openid.logout_url: "https://auth.[...].io/auth/realms/kast/protocol/openid-connect/logout"

# The ID of the OpenID Connect client in your IdP
opensearch_security.openid.client_id: opensearch-dashboards
# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: [...]

logging.root.level: info

Relevant Logs or Screenshots:

OpenSearch logs

{"type": "server", "timestamp": "2024-02-23T08:36:47,853Z", "level": "DEBUG", "component": "o.o.s.a.BackendRegistry", "cluster.name": "opensearch-doc-store", "node.name": "elasticsearch-2", "message": "Check authdomain for rest internal/0 or 1 in total", "cluster.uuid": "1jS8aPjBQEWljcMYNZjSoA", "node.id": "AA9WG3unS-usfOmOKYJ4wQ"  }
{"type": "server", "timestamp": "2024-02-23T08:36:47,853Z", "level": "WARN", "component": "o.o.s.h.HTTPBasicAuthenticator", "cluster.name": "opensearch-doc-store", "node.name": "elasticsearch-2", "message": "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'", "cluster.uuid": "1jS8aPjBQEWljcMYNZjSoA", "node.id": "AA9WG3unS-usfOmOKYJ4wQ"  }
{"type": "server", "timestamp": "2024-02-23T08:36:47,853Z", "level": "DEBUG", "component": "o.o.s.a.BackendRegistry", "cluster.name": "opensearch-doc-store", "node.name": "elasticsearch-2", "message": "User still not authenticated after checking 1 auth domains", "cluster.uuid": "1jS8aPjBQEWljcMYNZjSoA", "node.id": "AA9WG3unS-usfOmOKYJ4wQ"  }
{"type": "server", "timestamp": "2024-02-23T08:36:47,853Z", "level": "WARN", "component": "o.o.s.a.BackendRegistry", "cluster.name": "opensearch-doc-store", "node.name": "elasticsearch-2", "message": "Authentication finally failed for null from 127.0.0.1:38278", "cluster.uuid": "1jS8aPjBQEWljcMYNZjSoA", "node.id": "AA9WG3unS-usfOmOKYJ4wQ"  }

Keycloak token

{
  "scope": "openid profile email",
  "email_verified": true,
  "es_role": [
    "admin",
    "maintainer"
  ],
  "name": "Default Maintainer",
  "preferred_username": "maintainer",
  "given_name": "Default",
  "family_name": "Maintainer",
  "email": "maintainer@[...].io"
}

Thank you for your help!

Hi @1.3.6.1.4.1.4203.1.1,

I’ve noticed that you have enabled TLS but have not provided pemtrustedcas_filepath: /full/path/to/trusted_cas.pem or pemtrustedcas_content: |-. Please see more details here: OpenID Connect - OpenSearch Documentation

Best,
mj
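Added example (not part of the original post or reply, and not OpenSearch code): a small Python lint that mirrors the two auth domains from the posted config.yml as dicts, applies the check mj describes (openid_connect_idp.enable_ssl: true with neither pemtrustedcas_filepath nor pemtrustedcas_content), and reads the posted BackendRegistry lines, which say "internal/0 or 1 in total" and "after checking 1 auth domains" while config.yml enables two http domains. That mismatch means the openid domain was not in the REST auth chain on that node at all, so the token was never looked at; the place to look is the node log from when the security config was loaded. The IdP hostname, the CA path in the corrected variant and the log messages are constructed placeholders or copies.

```python
"""Added example: lint the posted OpenID auth domain and triage the
BackendRegistry log lines. Not OpenSearch code; the IdP host, the CA path
and the log messages below are constructed placeholders/copies."""
import copy
import re

# Constructed: the two auth domains from the posted config.yml, as dicts so
# the example runs without PyYAML. The IdP hostname is a placeholder.
AUTHC = {
    "basic_internal_auth_domain": {
        "http_enabled": True,
        "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "internal"},
    },
    "openid_auth_domain": {
        "http_enabled": True,
        "order": 1,
        "http_authenticator": {
            "type": "openid",
            "challenge": False,
            "config": {
                "openid_connect_idp": {"enable_ssl": True},  # no trusted CAs given
                "subject_key": "preferred_username",
                "roles_key": "es_role",
                "openid_connect_url": "https://auth.example.invalid/auth/realms/kast"
                                      "/.well-known/openid-configuration",
            },
        },
        "authentication_backend": {"type": "noop"},
    },
}

# Constructed: the 'message' fields of the four log lines quoted in the post.
LOG_MESSAGES = [
    "Check authdomain for rest internal/0 or 1 in total",
    "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'",
    "User still not authenticated after checking 1 auth domains",
    "Authentication finally failed for null from 127.0.0.1:38278",
]

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def lint_openid_domain(domain):
    """Return config findings for one auth domain; empty for non-openid domains."""
    auth = domain.get("http_authenticator", {})
    if auth.get("type") != "openid":
        return []
    findings = []
    cfg = auth.get("config", {})
    idp = cfg.get("openid_connect_idp", {})
    url = cfg.get("openid_connect_url", "")
    if not url.startswith("https://"):
        findings.append("openid_connect_url is not https: the discovery document and "
                        "the signing keys it points to could be tampered with in transit")
    if not url.endswith(DISCOVERY_SUFFIX):
        findings.append("openid_connect_url should point at the IdP discovery "
                        "document (" + DISCOVERY_SUFFIX + ")")
    if idp.get("enable_ssl"):
        if not (idp.get("pemtrustedcas_filepath") or idp.get("pemtrustedcas_content")):
            findings.append("openid_connect_idp.enable_ssl is true but neither "
                            "pemtrustedcas_filepath nor pemtrustedcas_content is set, "
                            "so the IdP certificate chain cannot be validated")
        if idp.get("verify_hostnames") is False:
            findings.append("openid_connect_idp.verify_hostnames is false: the IdP "
                            "certificate is not checked against the IdP hostname")
    if not cfg.get("roles_key"):
        findings.append("roles_key is not set: no backend roles are taken from the "
                        "token, so role mapping by token claim cannot work")
    return findings


def with_trusted_cas(domain, pem_path):
    """Corrected variant: the same domain with the IdP CA bundle configured."""
    fixed = copy.deepcopy(domain)
    fixed["http_authenticator"]["config"]["openid_connect_idp"]["pemtrustedcas_filepath"] = pem_path
    return fixed


CHECK_RE = re.compile(r"Check authdomain for rest (\S+)/(\d+) or (\d+) in total")


def checked_domains(messages):
    """Parse the per-domain debug line the BackendRegistry emits for REST requests.
    Returns ([(backend_type, order), ...], N) where N is the 'N in total' the node
    reported, or None if no such line is present."""
    seen, total = [], None
    for m in messages:
        mt = CHECK_RE.match(m)
        if mt:
            seen.append((mt.group(1), int(mt.group(2))))
            total = int(mt.group(3))
    return seen, total


def triage(authc, messages):
    """Compare the http-enabled auth domains in config.yml with what the node
    actually evaluated, then lint every openid domain."""
    enabled = [name for name, d in authc.items() if d.get("http_enabled")]
    seen, total = checked_domains(messages)
    report = {"configured_http_domains": len(enabled), "loaded_on_node": total,
              "domains_seen_in_log": seen, "findings": []}
    if total is not None and total < len(enabled):
        report["findings"].append(
            f"node evaluated {total} REST auth domain(s) but config.yml enables "
            f"{len(enabled)} ({', '.join(enabled)}): the missing domain(s) never saw "
            "the request; check the node log from when the security config was loaded")
    for name, d in authc.items():
        report["findings"].extend(f"{name}: {f}" for f in lint_openid_domain(d))
    return report


if __name__ == "__main__":
    for line in triage(AUTHC, LOG_MESSAGES)["findings"]:
        print("-", line)
    fixed = with_trusted_cas(AUTHC["openid_auth_domain"], "/usr/share/opensearch/config/idp-root-ca.pem")
    print("after adding pemtrustedcas_filepath:", lint_openid_domain(fixed))
```

Run against the posted configuration and log lines, triage() reports two findings: the domain-count mismatch and the missing trusted CA bundle on the openid domain. The corrected variant returned by with_trusted_cas() corresponds to adding openid_connect_idp.pemtrustedcas_filepath (or pemtrustedcas_content) under the domain's config in config.yml, as mj's reply points out; after that change the lint reports nothing, and the node's debug line should then read "2 in total" once the security config has been reloaded.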