Question about the On-Behalf-Of feature

asfoorial · August 29, 2025, 4:22pm

Hi all,

I highly appreciate explanation on the below in docs of On-Behalf-Of feature. Aren’t the signing and encryption keys distributed to all nodes automatically sine they are set as part of config.yml (security index) which is expected to be visible to all nodes?

“Both the signing key and the encryption key are base64 encoded and stored on the OpenSearch node’s file system. The keys should be the same on all hosts.”

Anthony · September 1, 2025, 9:51am

@asfoorial yes, you are correct, The configuration is stored in security index and is not needed to be present in the filesystem. The docs will be updated shortly.

Topic		Replies	Views
Configuration setting for OID Security	2	895	July 22, 2019
Patch security configuration leads to Missing Signing Key error Security	1	821	February 7, 2023
Open distro - openid connect - keycloak Security	10	5893	March 17, 2020
JWT signing key rotation Security discuss , troubleshoot	4	558	March 11, 2022
Missing Signing Key. JWT authentication will not work Security	1	1024	July 21, 2020

Question about the On-Behalf-Of feature

Related topics