Tracing JWT authentication for OpenID and debugging the JWT payload do not work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS/OSD 2.9

Describe the issue:
I am trying to configure OS Dashboards to use our corporate IdP (Redhat SSO) with OpenID.
Unfortunately, I am encountering the dreaded error:

Failed to get roles from JWT claims with roles_key 'resource_access.PS_CH_FO-PROD-KIBANA.roles'

I set up tracing as specified in the docs

status = error

appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n

rootLogger.level = debug
rootLogger.appenderRef.console.ref = console
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace

But I do not see additional info at the JWT level.
Also, I could only get the JWT token upon its expiration, e.g.:

[2023-11-30T10:09:14,483][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [mtzhlfoha14] Extracting JWT token from eyJhbGciOiJSUzI1NiIs....[TRUNCATED] failed

Indeed, the returned payload does not contain the roles field I specified (probably a configuration error).
Since I cannot control how the JWT token is formed, is there a better way to debug the JWT authentication?
Also, is it true that nested fields are not supported, as hinted here?

Configuration:
config.yml (partial)

openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            openid_connect_url: https://xxx.xxx.com/auth/realms/XXX/.well-known/openid-configuration
            roles_key: resource_access.PS_CH_FO-PROD-KIBANA.roles
        authentication_backend:
          type: noop

opensearch_dashboards.yml

---
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.cookie.secure: true
opensearch_security.cookie.ttl: 86400000

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: true

opensearch_security.readonly_mode.roles: [kibana_read_only]

opensearch_security.session.ttl: 86400000 
opensearch_security.session.keepalive: true

server.host: '0.0.0.0'
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.connect_url: "https://xxx.xxx.com/auth/realms/XXX/.well-known/openid-configuration"
opensearch_security.openid.client_id: "XXXXXXX"
opensearch_security.openid.client_secret: "e94d51a6-4530-4bf1-9bf9-a2a0ffba924d"
opensearch_security.openid.base_redirect_url: "https://ao-monitoring-test.xxx.xxx.net/"
opensearch_security.openid.scope: "openid"

Could you share a sample of your JWT?

Note: mask all the sensitive fields.

Thanks,
Mantas

Of course, as you will see, there is no role field in the JWT:

{
  "exp": 1701338587,
  "iat": 1701338287,
  "auth_time": 1701338287,
  "jti": "6e496072-4fff-4ed0-a448-0b31e6a6b5fd",
  "iss": "https://xxx.xxx.com/auth/realms/XXX",
  "aud": "XXXXXXX",
  "sub": "e059a6e2-bc89-44ef-a123-00639206f094",
  "typ": "ID",
  "azp": "XXXXXXX",
  "session_state": "25c0df2e-750d-4134-9bdc-9aed2b934900",
  "at_hash": "gYARoa8fWTZo-xemj9DYTg",
  "sid": "25c0df2e-750d-4134-9bdc-9aed2b934900",
  "email_verified": false,
  "address": {},
  "name": "XXX",
  "preferred_username": "XXX",
  "given_name": "XXX",
  "family_name": "XXX",
  "email": "XXX@XXXXXXX.com"
}

Hence, I have to get in touch with the IdP administrator to check what’s happening.

My grievances are about the following facts:

  • The JWT authentication tracing does not work
  • I cannot easily inspect the JWT payload (I must wait for the token expiration)

So, debugging is a bit miserable.
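Since the plugin's trace logging did not help here, the quickest way to answer both questions in this thread (what is actually in the token, and whether a dotted roles_key such as resource_access.PS_CH_FO-PROD-KIBANA.roles can be resolved against it) is to decode the payload locally and walk the path yourself. The script below is an added example for this thread, not code from the OpenSearch security plugin or from either poster; the helper names (decode_jwt_payload, resolve_roles_key, make_unsigned_jwt, explain) are mine, and both tokens are constructed in the script, one shaped like the ID token posted above and one carrying Keycloak-style client roles under resource_access. It deliberately skips signature verification, so it is an inspection tool only, never something to authenticate with. Note that the posted token has "typ": "ID"; Keycloak's default client-roles mapper adds resource_access to the access token but not to the ID token, which is one thing worth raising with the IdP administrator.

```python
import base64
import json

# Hypothetical helpers written for this thread; not part of the OpenSearch
# security plugin. ROLES_KEY is copied from the posted config.yml.
ROLES_KEY = "resource_access.PS_CH_FO-PROD-KIBANA.roles"


def _b64url_decode(segment: str) -> bytes:
    """base64url decode, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Compact JSON -> unpadded base64url, as used in JWT segments."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.

    This only shows what the IdP sent; it must never be used to decide
    whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def resolve_roles_key(claims: dict, roles_key: str):
    """Walk a dotted roles_key through nested claims.

    Returns the list of role names, or None when any path segment is absent,
    which is the situation behind "Failed to get roles from JWT claims".
    Caveat: a client id containing '.' cannot be addressed by dot splitting;
    rename the client or have the IdP flatten the roles into one claim."""
    node = claims
    for segment in roles_key.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    if isinstance(node, str):        # comma-separated string form
        return [r.strip() for r in node.split(",") if r.strip()]
    if isinstance(node, list):       # JSON array form
        return [str(r) for r in node]
    return None


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature for offline testing."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.dummysig"


# Constructed sample 1: an ID token shaped like the one posted above (no roles).
ID_TOKEN = make_unsigned_jwt({
    "exp": 1701338587, "iat": 1701338287, "typ": "ID",
    "iss": "https://xxx.xxx.com/auth/realms/XXX", "aud": "XXXXXXX",
    "sub": "e059a6e2-bc89-44ef-a123-00639206f094",
    "preferred_username": "XXX", "email": "XXX@XXXXXXX.com",
})

# Constructed sample 2: a Keycloak-style access token carrying client roles
# under resource_access.<client>.roles, which is what ROLES_KEY expects.
ACCESS_TOKEN = make_unsigned_jwt({
    "exp": 1701338587, "iat": 1701338287, "typ": "Bearer",
    "iss": "https://xxx.xxx.com/auth/realms/XXX", "aud": "XXXXXXX",
    "preferred_username": "XXX",
    "resource_access": {
        "PS_CH_FO-PROD-KIBANA": {"roles": ["kibana_admin", "all_access"]},
        "account": {"roles": ["manage-account"]},
    },
})


def explain(token: str, roles_key: str = ROLES_KEY) -> str:
    """One-line verdict of the kind a trace log would ideally give."""
    claims = decode_jwt_payload(token)
    roles = resolve_roles_key(claims, roles_key)
    if roles is None:
        return f"roles_key '{roles_key}' not found; top-level claims: {sorted(claims)}"
    return f"roles_key '{roles_key}' -> {roles}"


if __name__ == "__main__":
    print(explain(ID_TOKEN))
    print(explain(ACCESS_TOKEN))
```

To use it on a real token, paste the eyJ... string into decode_jwt_payload (the one captured in the "Extracting JWT token from ... failed" log line works even after it has expired, since expiry is irrelevant to decoding). If resolve_roles_key returns None for your roles_key, the token genuinely lacks that path and the fix lies on the IdP side; if it returns the roles, the remaining question is whether the plugin version in use resolves nested keys the same way.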

Hi @_uj,

I have checked in my lab and cannot seem to get the full token either.
As a workaround, you could try the curl command below (it works for me with a Keycloak):

curl -k --noproxy '*' -d 'client_id=kibana' -d 'username=<uid>' -d 'password=<password>' -d 'grant_type=password' -d 'client_secret=<secret>' -d 'scope=openid' 'https://<OpenID address>/auth/realms/<realm>/protocol/openid-connect/token'

You can log your issue at OpenSearch Project · GitHub as well.

Best,
Mantas