"statusCode":401,"error":"Unauthorized","message":"Unauthorized"

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch version: 3.0.0.0
Helm Chart
Openshift Environment

Describe the issue:

OIDC integration not working

Configuration:
Dashboard:

---------
config:
  # Helm values for OpenSearch Dashboards. The whole opensearch_dashboards.yml
  # is embedded as one block scalar, so the '#' lines inside it are comments of
  # the inner file, not of this values file.
  # Default OpenSearch Dashboards configuration from docker image of Dashboards
  # https://docs.opensearch.org/docs/latest/security/configuration/multi-auth
  opensearch_dashboards.yml: |
    server.name: opensearch-dashboards
    server.host: 0.0.0.0
    # In-cluster OpenSearch REST endpoint (TLS).
    opensearch.hosts: "https://opensearch-cluster-master.oshci.svc.cluster.local:9200"
    # Certificate/key that Dashboards presents to browsers.
    server.ssl.certificate: /usr/share/opensearch-dashboards/certs/dashboard/hci-tls.crt
    server.ssl.key: /usr/share/opensearch-dashboards/certs/dashboard/hci-tls.key

    server.ssl.enabled: true
    # NOTE(review): 'none' skips both certificate and hostname checks on the
    # Dashboards -> OpenSearch connection. A CA is configured below
    # (opensearch.ssl.certificateAuthorities), so the commented 'certificate'
    # mode should be reachable once the cluster certificate chains to that CA.
    opensearch.ssl.verificationMode: none
    #opensearch.ssl.verificationMode: certificate
    # Client certificate offered by Dashboards to OpenSearch; the backend accepts
    # but does not require it (clientauth_mode: OPTIONAL in opensearch.yml).
    opensearch.ssl.certificate: /usr/share/opensearch-dashboards/certs/opensearch/tls.crt
    opensearch.ssl.key: /usr/share/opensearch-dashboards/certs/opensearch/tls.key
    opensearch.ssl.certificateAuthorities: /usr/share/opensearch-dashboards/certs/opensearch/ca.crt
    # Browser headers forwarded to OpenSearch. NOTE(review): the tenant header is
    # spelled "security_tenant" here and "securitytenant" in the commented
    # alternative below; a header not in this list is not forwarded, so confirm
    # which spelling this Dashboards version sends.
    opensearch.requestHeadersAllowlist: ["security_tenant","Authorization"]
    # Header carrying the bearer token to OpenSearch; must be in the allowlist above.
    opensearch_security.openid.header: Authorization
    # Scopes requested from the IdP; 'blueGroups' and 'emailAddress' are
    # IdP-specific. Assumes the resulting token carries the claims the backend
    # reads (subject_key "preferred_username", roles_key "roles" in config.yml)
    # — TODO confirm by decoding a token issued by this IdP.
    opensearch_security.openid.scope: "openid profile email groups blueGroups emailAddress" 
    #opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
    #opensearch_security.openid.trust_dynamic_headers: "true"
    #OIDC
    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opensearch_security.readonly_mode.roles: [ "kibana_read_only" ]
    # Both login methods are offered; 'openid' is the one failing in the logs below.
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.auth.type: ["basicauth","openid"]
    opensearch_security.ui.openid.login.buttonname: "OIDC-IBM-W3"
    # 'oidc_server' is a redaction placeholder. Dashboards fetches the discovery
    # document from here; its certificate is presumably validated against
    # openid.root_ca below.
    opensearch_security.openid.connect_url: https://oidc_server/oidc/endpoint/default/.well-known/openid-configuration
    # Public URL the IdP redirects back to; the 401 request in the logs below
    # arrives at /auth/openid/login on this host.
    opensearch_security.openid.base_redirect_url: "https://dashboard-oshci.domain"
    server.rewriteBasePath: false
    # Redacted. NOTE(review): a bare '*' is YAML alias syntax, so a literal value
    # here must be quoted; keep the secret out of the committed values file
    # (reference an existing Secret) rather than inlining it.
    opensearch_security.openid.client_id: *******
    opensearch_security.openid.client_secret: *******
    # Produces the debug/econnreset entries shown in the Dashboards log below;
    # turn off once troubleshooting is done.
    logging.verbose: true

    # NOTE(review): disables hostname verification of the IdP certificate on
    # discovery/token requests; with openid.root_ca set below this can normally
    # be true — confirm the IdP certificate's SAN matches the 'oidc_server' host.
    opensearch_security.openid.verify_hostnames: false
    # Refresh tokens are not used (presumably the session ends with the token —
    # confirm).
    opensearch_security.openid.refresh_tokens: false
    
    # Spreads the OIDC session over extra cookies (assumed: for tokens too large
    # for a single cookie).
    opensearch_security.openid.extra_storage.cookie_prefix: security_authentication_oidc
    opensearch_security.openid.extra_storage.additional_cookies: 3
    # SameSite=None is needed for the cross-site redirect back from the IdP and
    # is only honoured by browsers together with 'secure: true' below.
    opensearch_security.cookie.isSameSite: "None"
    opensearch_security.cookie.secure: true

    # CA bundle for the IdP endpoint; the report mentions a self-signed
    # certificate, so this file presumably has to contain the IdP's issuing cert.
    opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/certs/oidc/oidc-ca.crt
---------

Opensearch:

--------
config:
  # Helm values for the OpenSearch nodes. opensearch.yml and log4j2.properties
  # are embedded as block scalars, so '#' lines inside them belong to the inner
  # files.
  opensearch.yml: |
    cluster.name: opensearch-cluster
    indices.query.bool.max_clause_count: 10000
    network.host: 0.0.0.0
    cluster.routing.allocation.same_shard.host: true
    # NOTE(review): the quotes on this line are typographic (“ ”), not ASCII
    # double quotes; as pasted, YAML keeps them as part of the host strings.
    # Check that the deployed values file uses straight quotes.
    discovery.seed_hosts: [“opensearch-cluster-master-0:9200”, “opensearch-cluster-master-1:9200”, “opensearch-cluster-master-2:9200”]
    # Transport (node-to-node) TLS: PEM certificate/key/CA ...
    plugins.security.ssl.transport.pemcert_filepath: certs/tls.crt
    plugins.security.ssl.transport.pemkey_filepath: certs/tls.key
    plugins.security.ssl.transport.pemtrustedcas_filepath: certs/ca.crt
    # ... and a JKS truststore are both configured. NOTE(review): only one of
    # the two forms can be in effect — confirm which. 'changeit' is the well-known
    # Java default and sits here in plaintext; move it to a Secret or the
    # keystore-backed setting.
    plugins.security.ssl.transport.truststore_type: JKS
    plugins.security.ssl.transport.truststore_filepath: certs/keystore.jks
    plugins.security.ssl.transport.keystore_password: changeit
    # Hostname verification off for transport TLS: node certificates need not
    # match pod names. Acceptable only while the CA is private to this cluster.
    plugins.security.ssl.transport.enforce_hostname_verification: false
    # REST (HTTP) TLS on the same PEM material; Dashboards connects to this port.
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: certs/tls.crt
    plugins.security.ssl.http.pemkey_filepath: certs/tls.key
    plugins.security.ssl.http.pemtrustedcas_filepath: certs/ca.crt
    # NOTE(review): the report says self-signed certificates are in use, so the
    # demo-certificate exception should not be needed; set to false so the
    # shipped demo certificates are refused if they are ever mounted by mistake.
    plugins.security.allow_unsafe_democertificates: true
    # Loads the securityconfig files into the security index when it is first
    # created (assumed: later edits to config.yml are not picked up without
    # securityadmin or a re-init — confirm, since the OIDC domain may have been
    # added after the index already existed).
    plugins.security.allow_default_init_securityindex: true
    # NOTE(review): as written, the indented placeholder is a continuation of the
    # scalar, so admin_dn parses as a single string; the real setting is a list
    # of DNs ("- CN=..."). The same applies to nodes_dn below.
    plugins.security.authcz.admin_dn:
                     "Removed Due to Security reason"
    # Audit events go to an index in this cluster (security-auditlog-* in the logs).
    plugins.security.audit.type: internal_opensearch
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.check_snapshot_restore_write_privileges: true
    # Authentication/authorization cache lifetime.
    plugins.security.cache.ttl_minutes: 60
    # Roles allowed to use the security REST API.
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.system_indices.enabled: true
    # 'BOTH' combines roles from roles_mapping.yml with roles supplied by the
    # authentication backend — confirm this is intended for OIDC users.
    plugins.security.roles_mapping_resolution: BOTH
    #plugins.security.allow_default_init_securityindex: false
    logger.org.opensearch.index.reindex: debug
    plugins.security.system_indices.permission.enabled: true
    plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
    # Client certificates are accepted but not required on the REST port; this
    # lets Dashboards present its client certificate without forcing mTLS on
    # every REST client.
    plugins.security.ssl.http.clientauth_mode: OPTIONAL
    plugins.security.nodes_dn:
               "Removed Due to Security reason"
    #logger.securityjwt.level: trace
  log4j2.properties: |
    # Console-only logging at INFO; the stack trace in the pod log comes from
    # this appender.
    status = error
    appender.console.type = Console
    appender.console.name = console
    appender.console.layout.type = PatternLayout
    appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
    rootLogger.level = info
    rootLogger.appenderRef.console.ref = console

opensearch OIDC Config:

--------
  config:
    # Security plugin configuration (securityconfig/*) rendered by the chart.
    # Each file is a block scalar, so '#' lines inside are comments of that file.
    # Empty: the files below are rendered from values instead of being taken
    # from an existing Secret (so the OIDC client_secret ends up in values).
    securityConfigSecret: ""
    dataComplete: true
    data:
      action_groups.yml: |-
        _meta:
          type: "actiongroups"
          config_version: 2
      config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            # Return partial results instead of 403 on forbidden indices.
            do_not_fail_on_forbidden: true
            http:
              anonymous_auth_enabled: false
              xff:
                # No proxy-header trust: remote addresses seen by the plugin are
                # the ingress/router's, not the user's.
                enabled: false
                #internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
            authc:
              # Order 0 with challenge: true — when no domain authenticates a
              # request, this domain answers with the 401 + 'WWW-Authenticate
              # Basic' seen in the pod logs ("No 'Basic Authorization' header").
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: "basic"
                  challenge: true
                authentication_backend:
                  type: "intern"
              # Order 1 with challenge: false — validates the bearer token that
              # Dashboards forwards in the Authorization header. The 401 in the
              # Dashboards log means this domain rejected (or never saw) the token.
              openid_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: openid
                  challenge: false
                  config:
                    # Claims read from the JWT. NOTE(review): if the IdP's token
                    # has no "preferred_username" claim the user cannot be
                    # identified and the token is rejected — TODO confirm the
                    # claim names against a decoded token from this IdP.
                    subject_key: "preferred_username"
                    roles_key: "roles"
                    # Dashboards' own service user bypasses this domain.
                    skip_users:
                      - kibanaserver
                    openid_connect_idp.enable_ssl: true
                    #pemtrustedcas_filepath: /usr/share/opensearch/config/certs/oidc/oidc-ca.crt
                    # NOTE(review): the IdP trust settings are namespaced under
                    # openid_connect_idp (as enable_ssl above is); check that this
                    # key is read as openid_connect_idp.pemtrustedcas_content and
                    # not silently ignored. Only one base64 line is shown —
                    # assumed truncated for the report.
                    pemtrustedcas_content: |-
                      -----BEGIN CERTIFICATE-----
                      MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
                      -----END CERTIFICATE-----
             
                    # NOTE(review): the backend setting is spelled openid_connect_url
                    # (underscore); the dotted form here mirrors the Dashboards key
                    # and may be ignored, leaving only jwks_uri in effect. Confirm
                    # which one the plugin picks up.
                    openid.connect_url: https://oidc_server/oidc/endpoint/default/.well-known/openid-configuration
                    jwks_uri: https://oidc_server/oidc/endpoint/default/jwks
                    # Redacted. A bare '*' is YAML alias syntax; real values must be
                    # quoted and should come from a Secret, not this file.
                    client_id: *******
                    client_secret: *****
                authentication_backend:
                  # No backend lookup: identity (and roles, via roles_key) come
                  # only from the JWT.
                  type: noop
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
        # bcrypt hashes; 'reserved: true' blocks changes through the REST API.
        admin:
          hash: "$2y$12$i3cnDljusRzpG6nYQgIbbOxbheAKISjTFTkWtpSG2Wj7.7KV1rcr6"
          reserved: true
          hidden: false
          backend_roles:
          - "admin"
          attributes: {}
          description: "Super admin user"
          static: false
        osmanager:
          hash: "$2y$12$PAoUOgrYCLj7vguepMpvGur9go6p9biT143bfvEYT/epuL/drYxTO"
          reserved: true
          hidden: false
          backend_roles:
          - "admin"
          attributes: {}
          description: "OSe Manager"
          static: false
        # NOTE(review): described as the demo user — if this hash is the one from
        # the shipped demo internal_users.yml, the password is public; rotate it.
        # This is also the user the OIDC domain skips.
        kibanaserver:
          hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
          reserved: true
          hidden: false
          backend_roles: []
          attributes: {}
          description: "Demo kibanaserver user"
          static: false
      nodes_dn.yml: |-
        _meta:
          type: "nodesdn"
          config_version: 2
        trustednodes:
          # NOTE(review): the indented placeholder continues the scalar, so
          # nodes_dn parses as one string; the real setting is a list of DNs.
          nodes_dn:
                 "Removed Due to security Reason"
      roles_mapping.yml: |-
        _meta:
          type: "rolesmapping"
          config_version: 2
        # Only the "admin" and "kibanauser" backend roles and the "kibanaserver"
        # user are mapped. NOTE(review): OIDC users carry whatever the JWT's
        # "roles" claim holds; unless those values appear as backend_roles in a
        # mapping, a successful OIDC login still ends up with no permissions.
        all_access:
          reserved: true
          backend_roles:
          - "admin"
          description: "Maps admin to all_access"
        kibana_user:
          reserved: false
          backend_roles:
          - "kibanauser"
          description: "Maps kibanauser to kibana_user"
        kibana_server:
          reserved: true
          users:
          - "kibanaserver"
        pltf-br-test:
          reserved: false
          hidden: false
          # NOTE(review): backend_roles has no value (its only entry is commented
          # out), so it parses as null rather than []; with hosts/users empty too,
          # this mapping currently applies to nobody.
          backend_roles:
          #- "cn=pltf-br-test,ou=memberlist,ou=..groupd,o=**.com"
          hosts: []
          users: []
          and_backend_roles: []
          description: "Maps BR Test Users"
      roles.yml: |-
        _meta:
          type: "roles"
          config_version: 2
        # No custom roles defined; the mappings above reference only the plugin's
        # predefined roles (assumed).
      tenants.yml: |-
        _meta:
          type: "tenants"
          config_version: 2
        admin_tenant:
          reserved: false
          description: "Demo tenant for admin user"
      whitelist.yml: |-
        _meta:
          type: "whitelist"
          config_version: 2
        # No config block: request allowlisting left at its default (assumed off).
--------

Using a self-signed certificate.

Relevant Logs or Screenshots:

opensearch pod logs:

---------------
[2025-06-20T03:00:21,122][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] PluginService:onIndexModule index:[security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg]
[2025-06-20T03:00:21,125][INFO ][o.o.c.m.MetadataMappingService] [opensearch-cluster-master-2] [security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg] update_mapping [_doc]
[2025-06-20T03:00:23,074][INFO ][o.o.m.c.MLSyncUpCron     ] [opensearch-cluster-master-2] Skipping sync up job - ML model index not found
[2025-06-20T03:00:24,304][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2025-06-20T03:00:26,302][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] PluginService:onIndexModule index:[security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg]
[2025-06-20T03:00:26,306][INFO ][o.o.c.m.MetadataMappingService] [opensearch-cluster-master-2] [security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg] update_mapping [_doc]
[2025-06-20T03:00:26,400][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [opensearch-cluster-master-2] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
	at java.base/sun.nio.ch.SocketChannelImpl.throwConnectionReset(SocketChannelImpl.java:401) ~[?:?]
	at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:434) ~[?:?]
	at org.opensearch.transport.CopyBytesSocketChannel.readFromSocketChannel(CopyBytesSocketChannel.java:156) ~[?:?]
	at org.opensearch.transport.CopyBytesSocketChannel.doReadBytes(CopyBytesSocketChannel.java:141) ~[?:?]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
	at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
-----------------

Dashboard Logs:

----
{"type":"ops","@timestamp":"2025-06-20T12:53:36Z","tags":[],"pid":1,"os":{"load":[0.89,1.5,1.98],"mem":{"total":2151329705984,"free":2036504399872},"uptime":4486116.16},"proc":{"uptime":90794.295834957,"mem":{"rss":248389632,"heapTotal":173371392,"heapUsed":159856824,"external":4239351,"arrayBuffers":779443},"delay":0.8080825805664062},"load":{"requests":{"5601":{"total":0,"disconnects":0,"statusCodes":{}}},"responseTimes":{"5601":{"avg":null,"max":0}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 152.5MB uptime: 25:13:14 load: [0.89 1.50 1.98] delay: 0.808"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["debug","connection","econnreset"],"pid":1,"message":"ECONNRESET: Socket was closed by the client (probably the browser) before it could be read completely"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["debug","connection","econnreset"],"pid":1,"message":"ECONNRESET: Socket was closed by the client (probably the browser) before it could be read completely"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2025-06-20T12:53:40Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?grant_id=2784b009-8360-4ccf-839c-9f36bd0472ee&state=93CYN8OGcmdWiuHFm0RZqL","method":"get","headers":{"host":"dashboard-oshci.apps.nrexhci.net.ibm.com","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","sec-fetch-site":"same-site","priority":"u=0, i","sec-fetch-mode":"navigate","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15","accept-language":"en-US,en;q=0.9","sec-fetch-dest":"document","referer":"https://oidc_host/","accept-encoding":"gzip, deflate, br","connection":"keep-alive"},"remoteAddress":"10.131.4.2","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15","referer":"https://login.w3.ibm.com/"},"res":{"statusCode":401,"responseTime":571,"contentLength":9},"message":"GET /auth/openid/login?code=grant_id=2784b009-8360-4ccf-839c-9f36bd0472ee&state=93CYN8OGcmdWiuHFm0RZqL 401 571ms - 9.0B"}
{"type":"log","@timestamp":"2025-06-20T12:53:41Z","tags":["debug","metrics"],"pid":1,"message":"Refreshing metrics"}
{"type":"ops","@timestamp":"2025-06-20T12:53:41Z","tags":[],"pid":1,"os":{"load":[0.82,1.48,1.97],"mem":{"total":2151329705984,"free":2036502560768},"uptime":4486121.16},"proc":{"uptime":90799.296298438,"mem":{"rss":248893440,"heapTotal":173371392,"heapUsed":160311328,"external":4261035,"arrayBuffers":801063},"delay":0.7497625350952148},"load":{"requests":{"5601":{"total":1,"disconnects":0,"statusCodes":{"401":1}}},"responseTimes":{"5601":{"avg":571,"max":571}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 152.9MB uptime: 25:13:19 load: [0.82 1.48 1.97] delay: 0.750"}



-----

please help

@broy What is your IdP? Are you getting redirected to your IdP login screen?

I have the same problem :sob: