OpenSearch not able to connect with OpenID Keycloak

Hi,
I suggest using the setup from https://github.com/bob-california/opensearch-keycloak (quick start guide: https://github.com/danpawlik/opensearch-keycloak#quick-setup-on-centos-8 ) and comparing your configuration with Bob's.

I'm not accustomed to Keycloak, but I had a looping issue caused by the id_token not containing the subject_key and/or roles_key field.

OAuth can be done in two ways - either with the id_token containing the user info, or with the id_token being used in another HTTPS request to the OpenID provider to retrieve the user details, e.g. the /userinfo or /tokeninfo endpoints.

In the case of OpenSearch, the backend already expects these fields to be in the id_token and is not implemented to make a second HTTPS request to retrieve the information. My OpenID provider, on the other hand, doesn't provide this information by default, and I had to modify the client's configuration first to add all user info to the id_token - once that was applied I managed to log into OpenSearch using OpenID.
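The post above describes a login loop caused by an id_token that lacks the claims the security plugin's openid authenticator is configured to read (subject_key, roles_key), since the plugin reads them from the token itself rather than calling /userinfo. The script below is an added diagnostic for exactly that check; it is not code from the original post or from the OpenSearch project. It assumes the config.yml values `subject_key: preferred_username` and `roles_key: roles` (typical, but adjust to your own file) and builds a constructed, unsigned sample token inline so it runs offline. It decodes the JWT payload without verifying the signature, which is fine for inspecting a token you obtained yourself but is not how an authenticator should treat one.

```python
"""Check whether a Keycloak id_token carries the claims that the OpenSearch
security plugin's openid authenticator is configured to read.

The plugin takes subject_key and roles_key straight from the id_token and does
not call the provider's /userinfo endpoint, so a missing claim tends to show
up as a login loop rather than a clear error. This script decodes the token
payload (NO signature check; it is a diagnostic, not an authenticator) and
reports which configured claim names are absent.
"""
import base64
import json

# Assumed values from the openid http_authenticator section of the security
# plugin's config.yml (constructed example; change to match your own file):
#   http_authenticator:
#     type: openid
#     config:
#       subject_key: preferred_username
#       roles_key: roles
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT wire format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload (second segment) as a dict.

    The signature is deliberately NOT verified: this is only for looking at
    which claims a token contains.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def missing_claims(payload: dict, subject_key: str = SUBJECT_KEY,
                   roles_key: str = ROLES_KEY) -> list:
    """List the configured claim names that the token payload does not carry.

    An empty list means the plugin has everything it needs from this token.
    Keys are looked up as top-level claims, which is how the two keys are
    configured in the example above.
    """
    return [key for key in (subject_key, roles_key) if key not in payload]


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed id_token (alg 'none', empty signature) for testing.

    Real Keycloak tokens are RS256-signed; this helper only exists so the
    diagnostic can be exercised without a running Keycloak.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: what a default Keycloak client tends to emit before
    # any protocol mapper adds a roles claim to the id_token.
    before = make_unsigned_token({
        "iss": "https://keycloak.example.com/realms/demo",
        "sub": "c0ffee00-0000-4000-8000-000000000001",
        "preferred_username": "alice",
    })
    # Constructed sample: same user after a mapper puts realm roles in the token.
    after = make_unsigned_token({
        "iss": "https://keycloak.example.com/realms/demo",
        "sub": "c0ffee00-0000-4000-8000-000000000001",
        "preferred_username": "alice",
        "roles": "admin,reader",
    })
    for label, tok in (("before mapper", before), ("after mapper", after)):
        gap = missing_claims(decode_payload(tok))
        print(f"{label}: missing {gap if gap else 'nothing'}")
```

To inspect a real token, paste it into `decode_payload` in a Python shell; if `missing_claims` returns anything, the Keycloak client needs a protocol mapper that adds that claim to the ID token (not only to the access token), and the OpenSearch side will keep looping until it does.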

@Anthony @Vivek123 were you able to create roles in OpenSearch which are propagated to kc?
I have a working setup now on kubernetes, but when anyone logs into the dashboard through the kc login screen, they cannot see any indices.

Any lead is appreciated!

Best regards,
Rakesh

@Raki Could you open a new thread? Please share your config files (opensearch-dashboards.yml, config.yml), Keycloak client settings, and realm role mapping.

@pablo Basically this thread follows up on it, also with the same issues.

Yes, the problem is with the OpenSearch code. When Keycloak runs on HTTPS, OpenSearch cannot bypass the certificates. So the solution to the problem is to manually bypass the certificate in OpenSearch's security plugin and reinstall the plugin.