Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch version: 3.0.0.0
Helm Chart
Openshift Environment
Describe the issue:
OIDC integration not working
Configuration:
Dashboard:
---------
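config:
  # Default OpenSearch Dashboards configuration from docker image of Dashboards
  # https://docs.opensearch.org/docs/latest/security/configuration/multi-auth
  opensearch_dashboards.yml: |
    server.name: opensearch-dashboards
    server.host: 0.0.0.0
    opensearch.hosts: "https://opensearch-cluster-master.oshci.svc.cluster.local:9200"
    server.ssl.certificate: /usr/share/opensearch-dashboards/certs/dashboard/hci-tls.crt
    server.ssl.key: /usr/share/opensearch-dashboards/certs/dashboard/hci-tls.key
    server.ssl.enabled: true
    # "none" disables validation of the cluster certificate on the Dashboards ->
    # OpenSearch hop. A CA bundle is configured below, so "certificate" (the
    # commented-out value) should work once that CA signed the cluster cert.
    opensearch.ssl.verificationMode: none
    #opensearch.ssl.verificationMode: certificate
    # Client certificate presented to OpenSearch (backend clientauth_mode: OPTIONAL).
    opensearch.ssl.certificate: /usr/share/opensearch-dashboards/certs/opensearch/tls.crt
    opensearch.ssl.key: /usr/share/opensearch-dashboards/certs/opensearch/tls.key
    opensearch.ssl.certificateAuthorities: /usr/share/opensearch-dashboards/certs/opensearch/ca.crt
    # The tenant header the security plugin recognises is "securitytenant"
    # (as in the original commented-out line); "security_tenant" is not a known
    # header, so tenant selection is silently dropped.
    opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
    opensearch_security.openid.header: Authorization
    opensearch_security.openid.scope: "openid profile email groups blueGroups emailAddress"
    #opensearch_security.openid.trust_dynamic_headers: "true"
    # OIDC
    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
    opensearch_security.readonly_mode.roles: [ "kibana_read_only" ]
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.auth.type: ["basicauth","openid"]
    opensearch_security.ui.openid.login.buttonname: "OIDC-IBM-W3"
    opensearch_security.openid.connect_url: https://oidc_server/oidc/endpoint/default/.well-known/openid-configuration
    # Must match the redirect URI registered at the IdP exactly (scheme, host, path).
    opensearch_security.openid.base_redirect_url: "https://dashboard-oshci.domain"
    server.rewriteBasePath: false
    # Values redacted for the report. Note that an unquoted run of "*" is YAML
    # alias syntax and does not parse; keep real values quoted or inject them
    # from a Secret rather than committing them in values.yaml.
    opensearch_security.openid.client_id: "<REDACTED_CLIENT_ID>"
    opensearch_security.openid.client_secret: "<REDACTED_CLIENT_SECRET>"
    # Verbose logging writes request metadata to stdout (see the Dashboards logs
    # in this report); switch it off once the OIDC flow is debugged.
    logging.verbose: true
    # Hostname verification of the IdP certificate is off; root_ca below pins the
    # IdP CA, so this can normally be re-enabled once the CA chain is correct.
    opensearch_security.openid.verify_hostnames: false
    opensearch_security.openid.refresh_tokens: false
    opensearch_security.openid.extra_storage.cookie_prefix: security_authentication_oidc
    opensearch_security.openid.extra_storage.additional_cookies: 3
    # SameSite=None is required for the cross-site redirect back from the IdP and
    # is only accepted by browsers together with secure: true.
    opensearch_security.cookie.isSameSite: "None"
    opensearch_security.cookie.secure: true
    opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/certs/oidc/oidc-ca.crt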
---------
Opensearch:
--------
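config:
  opensearch.yml: |
    cluster.name: opensearch-cluster
    indices.query.bool.max_clause_count: 10000
    network.host: 0.0.0.0
    cluster.routing.allocation.same_shard.host: true
    # Straight ASCII quotes: the report used typographic quotes (“ ”), which YAML
    # keeps as part of each host string. Seed hosts are contacted on the
    # transport port (default 9300), not the HTTP port 9200 — verify these
    # entries, and whether the chart already sets discovery.seed_hosts itself.
    discovery.seed_hosts: ["opensearch-cluster-master-0:9200", "opensearch-cluster-master-1:9200", "opensearch-cluster-master-2:9200"]
    # Transport TLS mixes PEM settings with JKS truststore settings; the plugin
    # uses one family or the other. The truststore points at a file named
    # keystore.jks, no keystore_filepath is given, and "changeit" is the JDK
    # default password — these look like leftovers and should not be committed.
    plugins.security.ssl.transport.pemcert_filepath: certs/tls.crt
    plugins.security.ssl.transport.pemkey_filepath: certs/tls.key
    plugins.security.ssl.transport.pemtrustedcas_filepath: certs/ca.crt
    plugins.security.ssl.transport.truststore_type: JKS
    plugins.security.ssl.transport.truststore_filepath: certs/keystore.jks
    plugins.security.ssl.transport.keystore_password: changeit
    # Node-to-node hostname checks are disabled; prefer true when the node
    # certificates carry the pod/service names.
    plugins.security.ssl.transport.enforce_hostname_verification: false
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: certs/tls.crt
    plugins.security.ssl.http.pemkey_filepath: certs/tls.key
    plugins.security.ssl.http.pemtrustedcas_filepath: certs/ca.crt
    # Only needed for the bundled demo certificates; with the CA-issued certs
    # above this should be false so demo material is refused at startup.
    plugins.security.allow_unsafe_democertificates: true
    # Auto-initialises the security index from the files under securityConfig on
    # first start; turn off once the index exists (see commented line below).
    plugins.security.allow_default_init_securityindex: true
    # Admin certificate DN(s) — a list; value redacted in the report.
    plugins.security.authcz.admin_dn:
      - "Removed Due to Security reason"
    plugins.security.audit.type: internal_opensearch
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.cache.ttl_minutes: 60
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.system_indices.enabled: true
    plugins.security.roles_mapping_resolution: BOTH
    #plugins.security.allow_default_init_securityindex: false
    logger.org.opensearch.index.reindex: debug
    plugins.security.system_indices.permission.enabled: true
    plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
    # OPTIONAL lets Dashboards present its client certificate without requiring
    # one from every HTTP client.
    plugins.security.ssl.http.clientauth_mode: OPTIONAL
    # Node certificate DN(s) — a list; value redacted in the report.
    plugins.security.nodes_dn:
      - "Removed Due to Security reason"
    #logger.securityjwt.level: trace
  log4j2.properties: |
    status = error
    appender.console.type = Console
    appender.console.name = console
    appender.console.layout.type = PatternLayout
    appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
    rootLogger.level = info
    rootLogger.appenderRef.console.ref = console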
OpenSearch OIDC config (security plugin files):
--------
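config:
  # Empty secret name: the chart renders the files under `data` into its own
  # Secret. dataComplete: true declares that every security file is supplied
  # here, so nothing is merged from the demo defaults.
  securityConfigSecret: ""
  dataComplete: true
  data:
    action_groups.yml: |-
      _meta:
        type: "actiongroups"
        config_version: 2
    config.yml: |-
      _meta:
        type: "config"
        config_version: 2
      config:
        dynamic:
          do_not_fail_on_forbidden: true
          http:
            anonymous_auth_enabled: false
            xff:
              enabled: false
              #internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
          authc:
            basic_internal_auth_domain:
              description: "Authenticate via HTTP Basic against internal users database"
              http_enabled: true
              transport_enabled: true
              order: 0
              http_authenticator:
                type: "basic"
                challenge: true
              authentication_backend:
                type: "intern"
            openid_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: 1
              http_authenticator:
                type: openid
                # challenge: false lets the basic domain send the 401 when no
                # token is present (the "No 'Basic Authorization' header" line
                # in the cluster log is that fallback, not the OIDC failure itself).
                challenge: false
                config:
                  subject_key: "preferred_username"
                  # Must name the claim the IdP actually places in the token. The
                  # Dashboards side requests the "groups" and "blueGroups" scopes,
                  # so confirm a "roles" claim exists before relying on it.
                  roles_key: "roles"
                  skip_users:
                    - kibanaserver
                  # IdP TLS settings all live under the openid_connect_idp prefix.
                  # A bare pemtrustedcas_content key is not read, so the self-signed
                  # IdP CA is never trusted and discovery/JWKS fetches fail — a
                  # likely cause of "Authentication Exception" in the Dashboards log.
                  openid_connect_idp.enable_ssl: true
                  #openid_connect_idp.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/oidc/oidc-ca.crt
                  # Certificate body truncated for the report.
                  openid_connect_idp.pemtrustedcas_content: |-
                    -----BEGIN CERTIFICATE-----
                    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
                    -----END CERTIFICATE-----
                  # Backend key is openid_connect_url (underscore). The dotted
                  # "openid.connect_url" form in the report is the Dashboards
                  # setting name and is not recognised by the security plugin.
                  openid_connect_url: https://oidc_server/oidc/endpoint/default/.well-known/openid-configuration
                  jwks_uri: https://oidc_server/oidc/endpoint/default/jwks
                  # Redacted for the report; an unquoted run of "*" is YAML alias
                  # syntax and does not parse. The client credentials are consumed
                  # by the Dashboards plugin — confirm the backend needs them at all.
                  client_id: "<REDACTED_CLIENT_ID>"
                  client_secret: "<REDACTED_CLIENT_SECRET>"
              authentication_backend:
                type: noop
    internal_users.yml: |-
      _meta:
        type: "internalusers"
        config_version: 2
      # reserved: true blocks modification of the entry through the REST API.
      admin:
        hash: "$2y$12$i3cnDljusRzpG6nYQgIbbOxbheAKISjTFTkWtpSG2Wj7.7KV1rcr6"
        reserved: true
        hidden: false
        backend_roles:
          - "admin"
        attributes: {}
        description: "Super admin user"
        static: false
      osmanager:
        hash: "$2y$12$PAoUOgrYCLj7vguepMpvGur9go6p9biT143bfvEYT/epuL/drYxTO"
        reserved: true
        hidden: false
        backend_roles:
          - "admin"
        attributes: {}
        description: "OSe Manager"
        static: false
      # Described as the demo user: if this is the stock demo hash, the password
      # is public. Generate a fresh hash and keep the Dashboards backend
      # credentials in sync.
      kibanaserver:
        hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
        reserved: true
        hidden: false
        backend_roles: []
        attributes: {}
        description: "Demo kibanaserver user"
        static: false
    nodes_dn.yml: |-
      _meta:
        type: "nodesdn"
        config_version: 2
      trustednodes:
        # List of node certificate DNs; value redacted in the report.
        nodes_dn:
          - "Removed Due to security Reason"
    roles_mapping.yml: |-
      _meta:
        type: "rolesmapping"
        config_version: 2
      all_access:
        reserved: true
        backend_roles:
          - "admin"
        description: "Maps admin to all_access"
      kibana_user:
        reserved: false
        backend_roles:
          - "kibanauser"
        description: "Maps kibanauser to kibana_user"
      kibana_server:
        reserved: true
        users:
          - "kibanaserver"
      # No role named pltf-br-test is defined in roles.yml below; the mapping
      # has nothing to grant until the role exists. backend_roles must be an
      # explicit list — a bare "backend_roles:" followed by a comment parses as
      # null, not as an empty list.
      pltf-br-test:
        reserved: false
        hidden: false
        backend_roles: []
        #- "cn=pltf-br-test,ou=memberlist,ou=..groupd,o=**.com"
        hosts: []
        users: []
        and_backend_roles: []
        description: "Maps BR Test Users"
    roles.yml: |-
      _meta:
        type: "roles"
        config_version: 2
    tenants.yml: |-
      _meta:
        type: "tenants"
        config_version: 2
      admin_tenant:
        reserved: false
        description: "Demo tenant for admin user"
    whitelist.yml: |-
      _meta:
        type: "whitelist"
        config_version: 2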
--------
Using a self-signed certificate
Relevant Logs or Screenshots:
opensearch pod logs:
---------------
[2025-06-20T03:00:21,122][INFO ][o.o.p.PluginsService ] [opensearch-cluster-master-2] PluginService:onIndexModule index:[security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg]
[2025-06-20T03:00:21,125][INFO ][o.o.c.m.MetadataMappingService] [opensearch-cluster-master-2] [security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg] update_mapping [_doc]
[2025-06-20T03:00:23,074][INFO ][o.o.m.c.MLSyncUpCron ] [opensearch-cluster-master-2] Skipping sync up job - ML model index not found
[2025-06-20T03:00:24,304][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2025-06-20T03:00:26,302][INFO ][o.o.p.PluginsService ] [opensearch-cluster-master-2] PluginService:onIndexModule index:[security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg]
[2025-06-20T03:00:26,306][INFO ][o.o.c.m.MetadataMappingService] [opensearch-cluster-master-2] [security-auditlog-2025.06.20/4zAvMH5DRO6KK8ETsbmLLg] update_mapping [_doc]
[2025-06-20T03:00:26,400][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [opensearch-cluster-master-2] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.base/sun.nio.ch.SocketChannelImpl.throwConnectionReset(SocketChannelImpl.java:401) ~[?:?]
at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:434) ~[?:?]
at org.opensearch.transport.CopyBytesSocketChannel.readFromSocketChannel(CopyBytesSocketChannel.java:156) ~[?:?]
at org.opensearch.transport.CopyBytesSocketChannel.doReadBytes(CopyBytesSocketChannel.java:141) ~[?:?]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
-----------------
Dashboard Logs:
----
{"type":"ops","@timestamp":"2025-06-20T12:53:36Z","tags":[],"pid":1,"os":{"load":[0.89,1.5,1.98],"mem":{"total":2151329705984,"free":2036504399872},"uptime":4486116.16},"proc":{"uptime":90794.295834957,"mem":{"rss":248389632,"heapTotal":173371392,"heapUsed":159856824,"external":4239351,"arrayBuffers":779443},"delay":0.8080825805664062},"load":{"requests":{"5601":{"total":0,"disconnects":0,"statusCodes":{}}},"responseTimes":{"5601":{"avg":null,"max":0}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 152.5MB uptime: 25:13:14 load: [0.89 1.50 1.98] delay: 0.808"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["debug","connection","econnreset"],"pid":1,"message":"ECONNRESET: Socket was closed by the client (probably the browser) before it could be read completely"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["debug","connection","econnreset"],"pid":1,"message":"ECONNRESET: Socket was closed by the client (probably the browser) before it could be read completely"}
{"type":"log","@timestamp":"2025-06-20T12:53:40Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2025-06-20T12:53:40Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/auth/openid/login?grant_id=2784b009-8360-4ccf-839c-9f36bd0472ee&state=93CYN8OGcmdWiuHFm0RZqL","method":"get","headers":{"host":"dashboard-oshci.apps.nrexhci.net.ibm.com","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","sec-fetch-site":"same-site","priority":"u=0, i","sec-fetch-mode":"navigate","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15","accept-language":"en-US,en;q=0.9","sec-fetch-dest":"document","referer":"https://oidc_host/","accept-encoding":"gzip, deflate, br","connection":"keep-alive"},"remoteAddress":"10.131.4.2","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15","referer":"https://login.w3.ibm.com/"},"res":{"statusCode":401,"responseTime":571,"contentLength":9},"message":"GET /auth/openid/login?code=grant_id=2784b009-8360-4ccf-839c-9f36bd0472ee&state=93CYN8OGcmdWiuHFm0RZqL 401 571ms - 9.0B"}
{"type":"log","@timestamp":"2025-06-20T12:53:41Z","tags":["debug","metrics"],"pid":1,"message":"Refreshing metrics"}
{"type":"ops","@timestamp":"2025-06-20T12:53:41Z","tags":[],"pid":1,"os":{"load":[0.82,1.48,1.97],"mem":{"total":2151329705984,"free":2036502560768},"uptime":4486121.16},"proc":{"uptime":90799.296298438,"mem":{"rss":248893440,"heapTotal":173371392,"heapUsed":160311328,"external":4261035,"arrayBuffers":801063},"delay":0.7497625350952148},"load":{"requests":{"5601":{"total":1,"disconnects":0,"statusCodes":{"401":1}}},"responseTimes":{"5601":{"avg":571,"max":571}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 152.9MB uptime: 25:13:19 load: [0.82 1.48 1.97] delay: 0.750"}
-----
please help