Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS/OSD 2.9
Describe the issue:
I am trying to configure OS Dashboards to use our corporate IdP (Redhat SSO) with OpenID.
Unfortunately, I am encountering the dreaded error:
Failed to get roles from JWT claims with roles_key 'resource_access.PS_CH_FO-PROD-KIBANA.roles'
I set up tracing as specified in the docs:

```properties
status = error
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
rootLogger.level = debug
rootLogger.appenderRef.console.ref = console
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace
```
But I do not see additional info at the JWT level.
Also, I could only get the JWT token upon its expiration, e.g.:

```
[2023-11-30T10:09:14,483][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [mtzhlfoha14] Extracting JWT token from eyJhbGciOiJSUzI1NiIs....[TRUNCATED] failed
```
Indeed, the returned payload does not contain the roles field I specified (probably a configuration error).
Since I cannot control how the JWT token is formed, is there a better way to debug the JWT authentication?
Also, is it true that nested fields are not supported, as hinted here?
Configuration:
config.yml (partial)

```yaml
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 2
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      openid_connect_url: https://xxx.xxx.com/auth/realms/XXX/.well-known/openid-configuration
      roles_key: resource_access.PS_CH_FO-PROD-KIBANA.roles
  authentication_backend:
    type: noop
```
opensearch_dashboards.yml

```yaml
---
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.cookie.secure: true
opensearch_security.cookie.ttl: 86400000
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: true
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true
server.host: '0.0.0.0'
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth", "openid"]
opensearch_security.openid.connect_url: "https://xxx.xxx.com/auth/realms/XXX/.well-known/openid-configuration"
opensearch_security.openid.client_id: "XXXXXXX"
opensearch_security.openid.client_secret: "e94d51a6-4530-4bf1-9bf9-a2a0ffba924d"
opensearch_security.openid.base_redirect_url: "https://ao-monitoring-test.xxx.xxx.net/"
opensearch_security.openid.scope: "openid"
```
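One way to check offline whether a token the IdP issues actually carries a claim at the dotted `roles_key` path, as an added Python helper that is not part of this post or of the OpenSearch project. It decodes the JWT payload without verifying the signature (for claim-layout inspection only, never for authorization) and walks the nested claims; the sample claims and the test token are constructed, in the shape a Keycloak / Red Hat SSO access token uses.

```python
import base64
import json

# Constructed sample claims (not a real token) mimicking a Red Hat SSO access token.
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "resource_access": {
        "PS_CH_FO-PROD-KIBANA": {"roles": ["kibana_admin", "kibana_read_only"]},
        "account": {"roles": ["view-profile"]},
    },
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).
    The signature is NOT checked: use this only to look at claim layout."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def resolve_roles_key(claims: dict, roles_key: str):
    """Walk a dotted roles_key (e.g. 'resource_access.X.roles') through
    nested claims. Returns the value found, or None if any step is missing."""
    node = claims
    for part in roles_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned fixture token for offline inspection only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    claims = jwt_payload(make_test_token(SAMPLE_CLAIMS))
    key = "resource_access.PS_CH_FO-PROD-KIBANA.roles"
    print(key, "->", resolve_roles_key(claims, key))   # the nested roles list
    print("roles ->", resolve_roles_key(claims, "roles"))  # None: no top-level claim
```

To inspect a real token, paste its payload segment (the part between the first and second dot of the value logged above) into `jwt_payload`.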