Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch - 2.16
Installed opensearch on ubuntu OS on AWS Environment
SSL termination happens on AWS load balancer
Describe the issue:
While login getting, we get 401 OpenId authentication failed: Error: Authentication Exception
Configuration:
keycloak configuration
Relevant Logs or Screenshots:
configuration:
opensearch-security/config.yml
authc:
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: url-.well-known/openid-configuration
authentication_backend:
type: noop
opensearch-dashboard.yml
opensearch.hosts: [urllocalhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username:
opensearch.password:
#opensearch.requestHeadersWhitelist: [authorization, securitytenant, WWW-Authenticate]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
#opensearch_security.auth.disableAnonymousAuth: true
#opensearch_security.auth.nonAuthenticatedRoutes: [/api/status]
#opensearch_security.auth.type: "openid"
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: "/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearchname"
opensearch_security.openid.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
#opensearch_security.openid.roles_key: "roles"
#opensearch_security.auth.oidc.ssl.verificationMode: none
#opensearch.ssl.verificationMode: none
opensearch_security.openid.scope: "openid profile email roles groups"
opensearch_security.openid.base_redirect_url: "opensearch.stage.domain.com"
opensearch_security.openid.trust_dynamic_headers: true
opensearch_security.openid.header: "Authorization"
opensearch_security.cookie.ttl: "3600"
opensearch_security.openid.verify_hostnames: false
#opensearch_security.openid.redirect_uri: "opensearch.stage.domain.com/*"
opensearch.requestHeadersAllowlist: ["Authorization", "securitytenant", "WWW-Authenticate"]
Hello, not sure if this helps but all setting that we have set that matches “openid” is:
$ cat opensearch_dashboards.yml | grep openid
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.ui.openid.login.buttonname: "Log in with SSO"
opensearch_security.ui.openid.login.brandimage: "data:image/ico;base64,REALLY LONG STRING"
opensearch_security.ui.openid.login.showbrandimage: true
opensearch_security.openid.connect_url: "https://idp.dev.corp.com/realms/internal/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch-dev_opensearch"
opensearch_security.openid.client_secret: "supersecretstring"
opensearch_security.openid.root_ca: /usr/share/opensearch/config/ca-certificates.crt
opensearch_security.openid.base_redirect_url: "https://opensearch.dev.corp.com:443"
Note that we run our own Keyloak and OpenSearch, we also have https everywhere.
Br Sebastian
Hi @manojkumar.m,
What do you have set as a “Token claim name” in your Mepper details (see below):
Could you share a sample of the JWT sent from your Keycloak to OpenSearch?
thanks,
mj
You can try something like so:
curl -k --noproxy '*' -d 'client_id=<Client-ID>' -d 'username=<uid>' -d 'password=<password>' -d 'grant_type=password' -d 'client_secret=<secret>' -d 'scope=openid' 'https://<Keycloak address>/auth/realms/<realm>/protocol/openid-connect/token'
best,
mj
curl -k --noproxy ‘*’ -d ‘client_id=fh-sit-opensearch’ -d ‘username=mailid’ -d ‘password=mypassword’ -d ‘grant_type=password’ -d ‘client_secret=iQOVk2npdtBQfIRgmxuyep4L8OvmAlaH’ -d ‘scope=openid’ ‘https://domain/realms/name/protocol/openid-connect/token’
{“error”:“invalid_grant”,“error_description”:“Invalid user credentials”}%
Does the user exist in KeyCloak?
Yes @Mantas , User already exist in keycloak with admin priviledge
Can anyone help regarding this issue?
@manojkumar.m Are you getting redirected to the Keycloak’s login page?
Hi @pablo Yes i can able to authenticate succcessfully in keycloak.
{
“_index”: “security-auditlog-2024.09.27”,
“_id”: “ALhLMZIBeOMmrknPwxVV”,
“_version”: 1,
“_score”: null,
“_source”: {
“audit_cluster_name”: “opensearch”,
“audit_node_name”: “ip”,
“audit_rest_request_method”: “GET”,
“audit_category”: “FAILED_LOGIN”,
“audit_request_origin”: “REST”,
“audit_node_id”: “9Vg94XZ2TQ-0889nmQ9H9A”,
“audit_request_layer”: “REST”,
“audit_rest_request_path”: “/_plugins/_security/authinfo”,
“@timestamp”: “2024-09-27T02:25:01.780+00:00”,
“audit_request_effective_user_is_admin”: false,
“audit_format_version”: 4,
“audit_request_remote_address”: “127.0.0.1”,
“audit_node_host_address”: “ip”,
“audit_rest_request_headers”: {
“x-opensearch-product-origin”: [
“opensearch-dashboards”
],
“Connection”: [
“keep-alive”
],
“x-opaque-id”: [
“492643b9-6bf8-4dc5-b79e-37a13c90f2aa”
],
“Host”: [
“localhost:9200”
],
“x-forwarded-for”: [
“ip5”
],
“Content-Length”: [
“0”
]
},
“audit_request_effective_user”: “NONE”,
“audit_node_host_name”: “ip”
},
“fields”: {
“@timestamp”: [
“2024-09-27T02:25:01.780Z”
]
},
“sort”: [
1727403901780
]
}
Does it mean you have a reverse proxy between Keycloak and OpenSearch Dashboards?
@manojkumar.m Could you also share the screenshot of all the Client Scopes in your OpenID client?
i.e.
