Unauthorized using Azure OIDC JWT

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.5.0

Describe the issue:
I’m trying to integrate OpenSearch with Azure OIDC using JWT, but I’m getting unauthorized.
There is a reverse proxy in between opensearch-dashboards and Azure.

We hit the opensearch-dashboards URL in the browser, which is picked up by the proxy (which is configured with the client secret and client ID and injects the auth header), then it does a proxy_pass to opensearch-dashboards, which in turn is connected to OpenSearch.

Configuration:

security plugin:
authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: https://login.microsoftonline.com/<orgid>/v2.0/.well-known/openid-configuration
    authentication_backend:
      type: noop

Relevant Logs or Screenshots:

opensearch log:
[2023-05-31T12:34:07,868][INFO ][stdout                   ] [node-1] AUDIT_LOG: {
[2023-05-31T12:34:07,868][INFO ][stdout                   ] [node-1]   "audit_cluster_name" : "opensearch",
[2023-05-31T12:34:07,868][INFO ][stdout                   ] [node-1]   "audit_node_name" : "node-1",
[2023-05-31T12:34:07,868][INFO ][stdout                   ] [node-1]   "audit_rest_request_method" : "GET",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_category" : "FAILED_LOGIN",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_request_origin" : "REST",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_node_id" : "v8vX5z4xT_GEDDD7J9eXXA",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_request_layer" : "REST",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_rest_request_path" : "/_plugins/_security/authinfo",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "@timestamp" : "2023-05-31T10:34:07.868+00:00",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_request_effective_user_is_admin" : false,
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_format_version" : 4,
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_request_remote_address" : "10.145.160.62",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_node_host_address" : "10.145.160.62",
[2023-05-31T12:34:07,869][INFO ][stdout                   ] [node-1]   "audit_rest_request_headers" : {
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     "x-opensearch-product-origin" : [
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]       "opensearch-dashboards"
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     ],
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     "Connection" : [
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]       "keep-alive"
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     ],
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     "x-opaque-id" : [
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]       "fe9fff00-f3ca-46f6-a687-5cad1d9ef9ce"
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     ],
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     "Host" : [
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]       "<sanitized>:9200"
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     ],
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     "Content-Length" : [
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]       "0"
[2023-05-31T12:34:07,870][INFO ][stdout                   ] [node-1]     ]
[2023-05-31T12:34:07,871][INFO ][stdout                   ] [node-1]   },
[2023-05-31T12:34:07,871][INFO ][stdout                   ] [node-1]   "audit_request_effective_user" : "<NONE>",
[2023-05-31T12:34:07,871][INFO ][stdout                   ] [node-1]   "audit_node_host_name" : "<sanitized>"
[2023-05-31T12:34:07,871][INFO ][stdout                   ] [node-1] }
[2023-05-31T12:34:07,871][WARN ][o.o.s.a.BackendRegistry  ] [node-1] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
opensearch-dashboards access log:
{"type":"response","@timestamp":"2023-05-31T10:34:07Z","tags":[],"pid":101048,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<sanitized>","sec-ch-ua":"\"Chromium\";v=\"112\", \"Google Chrome\";v=\"112\", \"Not:A-Brand\";v=\"99\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://<sanitized>/","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8","x-forwarded-for":"10.192.43.41","x-forwarded-proto":"https","x-envoy-internal":"true","x-request-id":"<sanitized>","x-envoy-expected-rq-timeout-ms":"3000","x-b3-traceid":"3b8b5f8721d6c565e4a46c35117d38e9","x-b3-spanid":"d9ee07048e8a806a","x-b3-parentspanid":"e4a46c35117d38e9","x-b3-sampled":"1"},"remoteAddress":"10.147.52.32","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","referer":"https://<sanitized>/"},"res":{"statusCode":401,"responseTime":5,"contentLength":9},"message":"GET /favicon.ico 401 5ms - 9.0B"}

@AdiD Are you getting redirected to the Azure login page?

Yes, I get a redirect to Azure and then get redirected back to the opensearch-dashboards URL and get the 401.

@AdiD How did you configure your roles in Azure?
Unauthorized means that the authenticated user is not allowed to perform any actions in OpenSearch. This is mostly due to missing roles/permissions.

I gave it every possible role in Azure.
From what I can tell, it complains that there is no Authorization header at all.
Can we make it log all the request headers it receives, so we can see if there is one or not?
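The AUDIT_LOG entry posted above already records every header the security plugin received (audit_rest_request_headers), so the node's audit log is the place to check whether the proxy's Authorization header actually arrived. As an added diagnostic that is not part of this thread or of the OpenSearch project, the Python below parses such multi-line AUDIT_LOG entries, reports whether an Authorization header was present, and decodes a token payload to confirm it carries the claims that subject_key (preferred_username) and roles_key (roles) in config.yml expect. The log lines and the token are constructed samples; the token decoder does not verify signatures and is for inspection only.

```python
import base64
import json
import re

# Constructed sample in the shape OpenSearch prints: a log prefix on every line,
# with the AUDIT_LOG JSON of a rejected request spread over several lines.
SAMPLE_AUDIT_LOG = """\
[2023-05-31T12:34:07,868][INFO ][stdout] [node-1] AUDIT_LOG: {
[2023-05-31T12:34:07,868][INFO ][stdout] [node-1]   "audit_category" : "FAILED_LOGIN",
[2023-05-31T12:34:07,869][INFO ][stdout] [node-1]   "audit_rest_request_headers" : {
[2023-05-31T12:34:07,870][INFO ][stdout] [node-1]     "Host" : [ "opensearch.example.invalid:9200" ]
[2023-05-31T12:34:07,871][INFO ][stdout] [node-1]   },
[2023-05-31T12:34:07,871][INFO ][stdout] [node-1]   "audit_request_effective_user" : "<NONE>"
[2023-05-31T12:34:07,871][INFO ][stdout] [node-1] }
"""
LOG_PREFIX = re.compile(r"^(\[[^\]]*\]){3} \[[^\]]*\] ")

def parse_audit_events(text):
    """Strip the per-line prefix and return every AUDIT_LOG object as a dict."""
    events, buf = [], []
    for line in text.splitlines():
        body = LOG_PREFIX.sub("", line)
        if body.startswith("AUDIT_LOG: "):
            buf = [body[len("AUDIT_LOG: "):]]   # first line of a new event
        elif buf:
            buf.append(body)
            if body.strip() == "}":            # outermost brace closes the event
                events.append(json.loads("\n".join(buf)))
                buf = []
    return events

def diagnose(event):
    """What the security plugin saw: was there an Authorization header at all?"""
    header_names = {name.lower() for name in event.get("audit_rest_request_headers", {})}
    return {"category": event.get("audit_category"),
            "has_authorization": "authorization" in header_names,
            "effective_user": event.get("audit_request_effective_user")}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (placeholder third segment), for inspection only.
SAMPLE_TOKEN = _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(
    {"preferred_username": "alice@example.invalid", "roles": ["dashboards_user"]}) + ".sig"

def token_claims_for(token, subject_key="preferred_username", roles_key="roles"):
    """Decode the payload WITHOUT verifying it (diagnostics only, never for authz)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {"subject": claims.get(subject_key), "roles": claims.get(roles_key, [])}
```

If diagnose() reports has_authorization False for the FAILED_LOGIN event, the header was dropped before reaching the node (proxy or Dashboards hop), whichever roles the token carries.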

@AdiD Did you create an App Role and assign it to the user in Enterprise Applications?