Problems while login via keycloak(OpenID connect)

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch - 2.16
Installed opensearch on ubuntu OS on AWS Environment
SSL termination happens on AWS load balancer
Describe the issue:
While login getting, we get 401 OpenId authentication failed: Error: Authentication Exception

Configuration:

keycloak configuration

Relevant Logs or Screenshots:

configuration: 
opensearch-security/config.yml 
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: url-.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch-dashboard.yml

opensearch.hosts: [urllocalhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: 
opensearch.password: 
  #opensearch.requestHeadersWhitelist: [authorization, securitytenant, WWW-Authenticate]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
  #opensearch_security.auth.disableAnonymousAuth: true
  #opensearch_security.auth.nonAuthenticatedRoutes: [/api/status]

  #opensearch_security.auth.type: "openid"
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: "/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearchname"
opensearch_security.openid.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
  #opensearch_security.openid.roles_key: "roles"
  #opensearch_security.auth.oidc.ssl.verificationMode: none
  #opensearch.ssl.verificationMode: none
opensearch_security.openid.scope: "openid profile email roles groups"
opensearch_security.openid.base_redirect_url: "opensearch.stage.domain.com"
opensearch_security.openid.trust_dynamic_headers: true
opensearch_security.openid.header: "Authorization"
opensearch_security.cookie.ttl: "3600"
opensearch_security.openid.verify_hostnames: false
#opensearch_security.openid.redirect_uri: "opensearch.stage.domain.com/*"
opensearch.requestHeadersAllowlist: ["Authorization", "securitytenant", "WWW-Authenticate"]

Hello, not sure if this helps but all setting that we have set that matches “openid” is:

$ cat opensearch_dashboards.yml | grep openid
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.ui.openid.login.buttonname: "Log in with SSO"
opensearch_security.ui.openid.login.brandimage: "data:image/ico;base64,REALLY LONG STRING"
opensearch_security.ui.openid.login.showbrandimage: true
opensearch_security.openid.connect_url: "https://idp.dev.corp.com/realms/internal/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch-dev_opensearch"
opensearch_security.openid.client_secret: "supersecretstring"
opensearch_security.openid.root_ca: /usr/share/opensearch/config/ca-certificates.crt
opensearch_security.openid.base_redirect_url: "https://opensearch.dev.corp.com:443"

Note that we run our own Keyloak and OpenSearch, we also have https everywhere.

Br Sebastian

Hi @manojkumar.m,

What do you have set as a “Token claim name” in your Mepper details (see below):

Could you share a sample of the JWT sent from your Keycloak to OpenSearch?

thanks,
mj


I’m using mapper details as like in screenshot

You can try something like so:

curl -k --noproxy '*' -d 'client_id=<Client-ID>' -d 'username=<uid>' -d 'password=<password>' -d 'grant_type=password' -d 'client_secret=<secret>' -d 'scope=openid' 'https://<Keycloak address>/auth/realms/<realm>/protocol/openid-connect/token'

best,
mj

curl -k --noproxy ‘*’ -d ‘client_id=fh-sit-opensearch’ -d ‘username=mailid’ -d ‘password=mypassword’ -d ‘grant_type=password’ -d ‘client_secret=iQOVk2npdtBQfIRgmxuyep4L8OvmAlaH’ -d ‘scope=openid’ ‘https://domain/realms/name/protocol/openid-connect/token

{“error”:“invalid_grant”,“error_description”:“Invalid user credentials”}%

Does the user exist in KeyCloak?

Yes @Mantas , User already exist in keycloak with admin priviledge

Can anyone help regarding this issue?

@manojkumar.m Are you getting redirected to the Keycloak’s login page?

Hi @pablo Yes i can able to authenticate succcessfully in keycloak.


After authenticate, then redirected to opensearch URL, I’m getting this error -

Also i’m getting this error on security-audit-log

{
“_index”: “security-auditlog-2024.09.27”,
“_id”: “ALhLMZIBeOMmrknPwxVV”,
“_version”: 1,
“_score”: null,
“_source”: {
“audit_cluster_name”: “opensearch”,
“audit_node_name”: “ip”,
“audit_rest_request_method”: “GET”,
“audit_category”: “FAILED_LOGIN”,
“audit_request_origin”: “REST”,
“audit_node_id”: “9Vg94XZ2TQ-0889nmQ9H9A”,
“audit_request_layer”: “REST”,
“audit_rest_request_path”: “/_plugins/_security/authinfo”,
@timestamp”: “2024-09-27T02:25:01.780+00:00”,
“audit_request_effective_user_is_admin”: false,
“audit_format_version”: 4,
“audit_request_remote_address”: “127.0.0.1”,
“audit_node_host_address”: “ip”,
“audit_rest_request_headers”: {
“x-opensearch-product-origin”: [
“opensearch-dashboards”
],
“Connection”: [
“keep-alive”
],
“x-opaque-id”: [
“492643b9-6bf8-4dc5-b79e-37a13c90f2aa”
],
“Host”: [
“localhost:9200”
],
“x-forwarded-for”: [
“ip5”
],
“Content-Length”: [
“0”
]
},
“audit_request_effective_user”: “NONE”,
“audit_node_host_name”: “ip”
},
“fields”: {
@timestamp”: [
“2024-09-27T02:25:01.780Z”
]
},
“sort”: [
1727403901780
]
}

Does it mean you have a reverse proxy between Keycloak and OpenSearch Dashboards?

@manojkumar.m Could you also share the screenshot of all the Client Scopes in your OpenID client?

i.e.