"statusCode":401 while redirecting back to opensearch-dashboard using OIDC

Mantas · July 31, 2023, 1:52pm

**On behalf of a user of Slack **

"
I have configured OIDC, which gets past the sign-in part but on the redirect back to opensearch-dashboard i get this {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
current configs:

      opensearch.ssl.verificationMode: none
      opensearch.requestHeadersWhitelist: '["Authorization", "securitytenant"]'
      opensearch_security.multitenancy.enabled: "true"
      opensearch_security.multitenancy.tenants.preferred: '["Private", "Global"]'
      opensearch_security.auth.multiple_auth_enabled: "true"
      opensearch_security.auth.type: '["openid","basicauth"]'
      opensearch_security.openid.connect_url: "https://login.microsoftonline.com/REDACTED/v2.0/.well-known/openid-configuration"
      opensearch_security.openid.client_id: "REDACTED"
      opensearch_security.openid.client_secret: "${OPENID_CLIENT_SECRET}"
      opensearch_security.openid.scope: "openid profile email"
      opensearch_security.openid.base_redirect_url: https://opensearch.example.com/

config.yml


    _meta:
      type: "config"
      config_version: "2"
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: "4"
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          openid_auth_domain:
            order: 6
            http_enabled: true
            transport_enabled: true
            http_authenticator:
              type: openid
              challenge: false
              config:
                enable_ssl: true
                verify_hostnames: true
                subject_key: preferred_username
                roles_key: groups
                openid_connect_url: https://login.microsoftonline.com/REDACTED/v2.0/.well-known/openid-configuration
            authentication_backend:
              type: noop

"

Gsmitt · August 1, 2023, 4:51am

@Mantas

What is he using for OIDC? I am familar with Keycloak.

Okta
Keycloak
Auth0
Connect2ID
Salesforce
IBM OpenID Connect

ctenberge · August 1, 2023, 5:34pm

We are using Azure AD App.

pablo · August 1, 2023, 8:08pm

@ctenberge Have you set app roles in App registrations and assigned them to the user in Enterprise applications?

Also, when you use app roles, your roles_key must be set to roles instead of groups.

rtamil · March 26, 2024, 3:56pm

@ctenberge Were you able to resolve the issue ?

ctenberge · March 26, 2024, 6:22pm

Yes, I believe @pablo 's suggestion resolved my issue.

Topic		Replies	Views
Unauthorized error 401 while accessing app using sso oidc OpenSearch security-issue	7	124	December 10, 2024
OIDC Integration: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"} Security configure	7	2321	April 26, 2023
OpenSearch Dashboards 401 Unauthorized using OIDC with Keycloak Security	12	6704	February 15, 2023
Both Opensearch backend and dashboard replys 401 in oidc configuration Security troubleshoot , configure	3	91	December 10, 2024
Getting Unauthorized access error 401 using openid with idp as azure Security troubleshoot , configure , security-issue	6	520	June 21, 2023

"statusCode":401 while redirecting back to opensearch-dashboard using OIDC

Related topics