Opensearch + Keycloak, TOO MANY REDIRECT

Hi all, I’m trying to join OpenSearch and OpenSearch Dashboards with a Keycloak IdP. When I type the OpenSearch Dashboards URL in the browser (behind a Traefik reverse proxy), I can correctly authenticate on the Keycloak login page, but unfortunately, after that, I’m stuck in a redirect loop and the browser (e.g. Firefox) says: “The page isn’t redirecting properly”.
My infrastructure is on k8s (OpenSearch deployed by Helm). Here’s my config:

  • opensearch-dashboards/values.yaml

    opensearch_dashboards.yml: |
      opensearch_security.auth.type: "openid"
      opensearch_security.openid.connect_url: "https://<keycloak_url>/auth/realms/<my_realm>/.well-known/openid-configuration"
      opensearch_security.openid.root_ca: my_cert.crt
      opensearch_security.openid.verify_hostnames: false
      opensearch_security.openid.client_id: "opensearch-dashboards-sso"
      opensearch_security.openid.client_secret: "…"
      opensearch_security.openid.base_redirect_url: "https://<opensearch_dashboard_external_url>"
      opensearch.hosts: [https://opensearch-cluster-master:9200]
      opensearch.username: "kibanaserver"
      opensearch.password: "kibanaserver"
      opensearch.ssl.verificationMode: none
      opensearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]
      opensearch_security.multitenancy.enabled: true
      opensearch_security.multitenancy.tenants.enable_private: true
      opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
      opensearch_security.multitenancy.enable_filter: false
      opensearch_security.cookie.secure: false
      opensearch_security.openid.scope: openid profile email groups

  • opensearch/master.yaml

    config.yml: |
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /usr/share/opensearch/config/my_cert.crt
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "https://<keycloak_url>/auth/realms/<my_realm>/.well-known/openid-configuration"
            skip_users:
              - kibanaro
              - kibanaserver
              - logstash
              - adminp
              - admin
              - filebeat_internal
              - kibanauser
        authentication_backend:
          type: noop


OpenSearch version: 2.0.1
Keycloak version: 15.0.1

On Keycloak the conf is pretty standard; I created the client/secret, etc.

Client Protocol: openid-connect
Access Type: Confidential
Root URL: https://<opensearch_dashboard_external_url>
Valid Redirect URIs: https://<opensearch_dashboard_external_url>/*
Base URL: /app/home
Admin URL: https://<opensearch_dashboard_external_url>

Have you ever found this type of error?
Thanks for any help :slight_smile:
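As an added example, not code from this thread or from the OpenSearch project, here is a small offline consistency check that cross-references the three pieces of configuration quoted above: the `opensearch_security.openid.*` settings from `opensearch_dashboards.yml`, the Keycloak client’s Valid Redirect URIs, and the discovery document that `connect_url` serves. It assumes the security plugin’s OIDC callback route is `/auth/openid/login` under `base_redirect_url`, and all hostnames and the discovery document are constructed placeholders, not values from the post.

```python
"""Offline consistency checks for an OpenSearch Dashboards + Keycloak OIDC setup.

Added example, not from the thread. It cross-checks the dashboards
opensearch_security.openid.* settings, the Keycloak client's Valid Redirect
URIs and the IdP discovery document. All inputs below are constructed samples.
"""
from urllib.parse import urlsplit

# Assumption: the security plugin's OIDC callback route, appended to base_redirect_url.
CALLBACK_PATH = "/auth/openid/login"

# Constructed sample mirroring the thread's values.yaml (hostnames are placeholders).
DASHBOARDS_CONFIG = {
    "opensearch_security.auth.type": "openid",
    "opensearch_security.openid.connect_url":
        "https://keycloak.example.test/auth/realms/demo/.well-known/openid-configuration",
    "opensearch_security.openid.base_redirect_url": "https://dashboards.example.test",
    "opensearch_security.openid.scope": "openid profile email groups",
    "opensearch_security.cookie.secure": False,
}

# Constructed Keycloak client settings (the thread's "Valid Redirect URIs" line).
KEYCLOAK_CLIENT = {"valid_redirect_uris": ["https://dashboards.example.test/*"]}

# Constructed discovery document, shaped like what Keycloak serves at connect_url.
DISCOVERY_DOC = {
    "issuer": "https://keycloak.example.test/auth/realms/demo",
    "authorization_endpoint": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
}


def keycloak_redirect_allowed(pattern: str, uri: str) -> bool:
    """Keycloak's Valid Redirect URI matching: a trailing '*' is a prefix
    wildcard, anything else must match exactly."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def callback_uri(config: dict) -> str:
    """redirect_uri the plugin sends to the IdP: base_redirect_url + callback path."""
    base = config["opensearch_security.openid.base_redirect_url"].rstrip("/")
    return base + CALLBACK_PATH


def check_setup(config: dict, client: dict, discovery: dict) -> list:
    """Return (code, message) findings; an empty list means nothing inconsistent."""
    findings = []

    # 1. The callback the plugin will send must be allowed by the Keycloak client.
    cb = callback_uri(config)
    if not any(keycloak_redirect_allowed(p, cb) for p in client["valid_redirect_uris"]):
        findings.append(("redirect_uri_not_allowed",
                         f"{cb} matches none of the client's Valid Redirect URIs"))

    # 2. An https external URL with cookie.secure: false issues the session
    #    cookie without the Secure flag (a weakness worth flagging, not a loop cause).
    base = config["opensearch_security.openid.base_redirect_url"]
    if urlsplit(base).scheme == "https" and not config.get("opensearch_security.cookie.secure", False):
        findings.append(("cookie_not_secure",
                         "external URL is https but the session cookie is issued without the Secure flag"))

    # 3. The discovery document must carry the endpoints the plugin needs.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            findings.append(("discovery_incomplete", f"discovery document lacks {key}"))

    # 4. connect_url should live under the issuer the document advertises.
    issuer = discovery.get("issuer", "").rstrip("/")
    connect_url = config["opensearch_security.openid.connect_url"]
    if not connect_url.startswith(issuer + "/.well-known/"):
        findings.append(("issuer_mismatch",
                         f"connect_url {connect_url} is not under issuer {issuer}"))

    # 5. Every requested scope should be advertised by the IdP.
    requested = config.get("opensearch_security.openid.scope", "openid").split()
    missing = [s for s in requested if s not in discovery.get("scopes_supported", [])]
    if missing:
        findings.append(("scope_not_advertised",
                         f"scopes not listed in scopes_supported: {missing}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_setup(DASHBOARDS_CONFIG, KEYCLOAK_CLIENT, DISCOVERY_DOC):
        print(f"[{code}] {msg}")
```

Run it with your own values substituted into the three dictionaries (the discovery document can be pasted from the `.well-known/openid-configuration` response). With the constructed sample it reports the missing Secure flag and the `groups` scope that the sample IdP does not advertise; the redirect URI and issuer checks pass, which is what you would expect from the Keycloak client settings in the post.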

Hello @Ema76

I have had the redirect problem before, but my fix was to log into Keycloak and navigate to
Realm --> Client -->mappers --> role list

Click on the role list that was enabled above. Click the tick box called Single Role Attribute.

If that doesn’t work, I’m not sure.

Hi @Gsmitt, I see you are using the SAML protocol; I’m using OpenID.

@Ema76, I am facing the same problem. Did you resolve the issue?

Hi

Nope, unfortunately. I tried upgrading to the last stable version (2.2.1), but now I’m facing an “unauthorized error”.