Tracing JWT authentication for OpenID and debugging the JWT payload do not work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS/OSD 2.9

Describe the issue:
I am trying to configure OS Dashboards to use our corporate IdP (Redhat SSO) with OpenID.
Unfortunately, I am encountering the dreaded error:

Failed to get roles from JWT claims with roles_key 'resource_access.PS_CH_FO-PROD-KIBANA.roles'

I set up tracing as specified in the docs

status = error

appender.console.type = Console = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n

rootLogger.level = debug
rootLogger.appenderRef.console.ref = console =
logger.securityjwt.level = trace

But I do not see additional info at the JWT level.
Also I could only get the JWT token upon its expiration, e.g.:

[2023-11-30T10:09:14,483][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [mtzhlfoha14] Extracting JWT token from eyJhbGciOiJSUzI1NiIs....[TRUNCATED] failed

Indeed, the returned payload does not contain the roles field I specified (probably a configuration error).
Since I cannot control how the JWT token is formed, is there a better way to debug the JWT authentication ?
Also, is it true that nested fields are not supported, as hinted here ?

config.yml (partial)

        http_enabled: true
        transport_enabled: true
        order: 2
          type: openid
          challenge: false
            subject_key: preferred_username
            roles_key: resource_access.PS_CH_FO-PROD-KIBANA.roles
          type: noop


opensearch.requestHeadersWhitelist: [authorization, securitytenant] true
opensearch_security.cookie.ttl: 86400000

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: true

opensearch_security.readonly_mode.roles: [kibana_read_only]

opensearch_security.session.ttl: 86400000 
opensearch_security.session.keepalive: true ''
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.connect_url: ""
opensearch_security.openid.client_id: "XXXXXXX"
opensearch_security.openid.client_secret: "e94d51a6-4530-4bf1-9bf9-a2a0ffba924d"
opensearch_security.openid.base_redirect_url: ""
opensearch_security.openid.scope: "openid"

Could you share a sample of your JWT?

Note: mask all the sensitive fields.


Ofc, as you will see, there is no role field in the JWT:

  "exp": 1701338587,
  "iat": 1701338287,
  "auth_time": 1701338287,
  "jti": "6e496072-4fff-4ed0-a448-0b31e6a6b5fd",
  "iss": ",
  "aud": "XXXXXXX",
  "sub": "e059a6e2-bc89-44ef-a123-00639206f094",
  "typ": "ID",
  "azp": "XXXXXXX",
  "session_state": "25c0df2e-750d-4134-9bdc-9aed2b934900",
  "at_hash": "gYARoa8fWTZo-xemj9DYTg",
  "sid": "25c0df2e-750d-4134-9bdc-9aed2b934900",
  "email_verified": false,
  "address": {},
  "name": "XXX",
  "preferred_username": "XXX",
  "given_name": "XXX",
  "family_name": "XXX",
  "email": ""

Hence, I have to get in touch with the IdP administrator to check what’s happening.

My grievances are about the following facts:

  • The JWT authentication tracing does not work
  • I cannot easily inspect the JWT payload (I must wait for the token expiration)

So, debugging is a bit miserable.

Hi @_uj,

I have checked in my lab and can not seem to be able to get the full token either.
As a workaround, you could try the curl command below (it works for me with a Keycloak):

curl -k --noproxy '\*' -d 'client\_id=kibana' -d 'username=\<uid>' -d 'password=\<password>' -d 'grant\_type=password' -d 'client\_secret=\<secret>' -d 'scope=openid' 'https://\<OpenID address>/auth/realms/\<realm>/protocol/openid-connect/token'

You can log your issue at OpenSearch Project · GitHub as well.