Setting up OpenID Connect integration with OpenSearch is resulting in a 401 Unauthorized error when using Azure AD as the identity provider

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch version: 2.17.1
opensearch dashboard: 2.17.1
Browser: Chrome

Describe the issue:
After configuring OpenID Connect in OpenSearch with Azure as the identity provider, I’m encountering a 401 Unauthorized error. I can see the Microsoft login screen, but after entering credentials, it returns a 401 error.

Configuration:
config.yml

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0 # Must set to 1 to prevent logs flooding with warnings
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: groups
            openid_connect_url: https://login.microsoftonline.com/f98dce6e-1a76-47b2-b1fa-21ab2df162c7/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop


opensearch_dashboard.yml

opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: <password>
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["openid", "basicauth"]
# opensearch_security.auth.type: "openid"
# The IdP metadata endpoint
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
opensearch_security.openid.base_redirect_url: "http://localhost:5601"
opensearch_security.openid.trust_dynamic_headers: true
# The ID of the OpenID Connect client in your IdP
opensearch_security.openid.client_id: <client-id>

# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: <client-sec>
opensearch_security.openid.scope: "openid"
opensearch_security.openid.header: "Authorization"
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
server.host: "0.0.0.0"

Relevant Logs or Screenshots:

Hi @Vidhu,

How are you mapping OpenSearch permissions to your users authenticated via OpenID (individual users, back-end roles, etc.)?

best,
mj

Hi @Mantas ,

I’ve uploaded my latest config.yml file. I’m trying to retrieve the groups that a user belongs to. I have a user in Entra ID who is a member of over 200 groups, and I’d like to pull those groups. Could you guide me on how to map them?

Now I am able to log in and no longer get a 401, but I can't retrieve the groups.

Additionally, is there a way to retrieve the access token upon login?

@Vidhu, the JWT passed from your IdP (to OS) will have the groups for the user; you will need to use roles_key to assign them as backend role(s) and use the backend roles to map OS roles to a user:

sample of config (I see you already added roles_key: groups):

      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: false
            subject_key: preferred_username
            roles_key: groups
            openid_connect_url: https://login.microsoftonline.com/f98dce6e-1a76-47b2-b1fa-21ab2df162c7/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

roles: Modifying the YAML files - OpenSearch Documentation

role-x:
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "index-*"
      allowed_actions:
        - "read"

roles mapping: Modifying the YAML files - OpenSearch Documentation

role-x:
  reserved: true
  hidden: false
  backend_roles:
  - "role-from-groups"
  hosts: []
  users: []
  and_backend_roles: []
kibana_user:
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  - "role-from-groups"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps kibanauser to kibana_user"

best,
mj

@Vidhu, do you have a sample JWT that is sent to OS?

Hey @Mantas, I am not able to figure out how to get the JWT or where it is stored. Is there a way to retrieve it?

@Vidhu,

You could try something like:

1. RESULT=$(curl -k --noproxy '*' -d 'client_id=<CLIENT ID>' -d 'username=<USERNAME>' -d 'grant_type=password' -d 'client_secret=<SECRET>' -d 'scope=openid' 'https://login.microsoftonline.com/<DOMAIN>/oauth2/v2.0/token' -d 'password=<password>')
2. TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')
3. curl --insecure -H "Authorization: Bearer $TOKEN" https://login.microsoftonline.com/<DOMAIN>/oauth2/v2.0/authorize

More info here (check the workflow): OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

Best,
mj
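An added example (not code from this thread or from the OpenSearch project) that ties the two answers above together: once a token has been obtained as in the curl steps, it decodes the JWT payload offline and applies the subject_key, roles_key and roles_mapping.yml settings from the thread to show which backend roles and OpenSearch roles a user would end up with. The claims, user name and group GUID are constructed, the signature is a placeholder and is not verified, and the groups-overage check relies on Entra ID replacing the groups claim with _claim_names/_claim_sources when a user is in more than 200 groups.

```python
import base64
import json

# Constructed sample claims (not a real Entra ID token). Entra ID emits group
# object IDs (GUIDs) in "groups", so roles_mapping must list the GUID, not the name.
SAMPLE_CLAIMS = {
    "preferred_username": "user@example.com",
    "groups": ["role-from-groups", "11111111-2222-3333-4444-555555555555"],
}
# roles_mapping.yml from the thread, reduced to the fields that matter here
ROLES_MAPPING = {
    "role-x": {"backend_roles": ["role-from-groups"], "users": []},
    "kibana_user": {"backend_roles": ["kibanauser", "role-from-groups"], "users": []},
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for offline inspection only (placeholder signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Read the payload only. OpenSearch checks the signature against the IdP's JWKS; this does not."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))

def backend_roles(claims: dict, subject_key="preferred_username", roles_key="groups"):
    """Mimic the security plugin: subject from subject_key, backend roles from roles_key.
    Returns (subject, roles, overage). overage is True when the token carries no groups
    claim but names it in _claim_names, i.e. Entra ID hit the 200-group limit and the
    plugin will find nothing under roles_key."""
    subject = claims.get(subject_key)
    roles = claims.get(roles_key, [])
    if isinstance(roles, str):
        roles = [roles]
    overage = roles_key not in claims and roles_key in claims.get("_claim_names", {})
    return subject, list(roles), overage

def opensearch_roles(subject, roles, mapping=ROLES_MAPPING) -> set:
    """Apply roles_mapping: a role matches when a backend role or the user name is listed."""
    return {name for name, m in mapping.items()
            if set(roles) & set(m.get("backend_roles", [])) or subject in m.get("users", [])}
```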