Use custom `subject_key` for OIDC auth

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch Version 1.2.4

Describe the issue:
I have OIDC auth enabled for OpenSearch with Auth0.
In the internal_users.yml the admin username is admin, but Auth0 returns admin@gmail.com as the default subject key. I have added a custom claim in the JWT which will return admin. But I see error logs stating that no subject was found for the new custom claim. I have attached the required logs for the same. Is there a way I can log the received JWT and cross-verify? Please let me know.

Configuration:

Relevant Logs or Screenshots:
multi-node-wazuh1.indexer-1 | [2023-01-25T17:57:04,563][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [wazuh1.indexer] Failed to get subject from JWT claims, check if subject_key 'nickname' is correct.
multi-node-wazuh1.indexer-1 | [2023-01-25T17:57:04,564][ERROR][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [wazuh1.indexer] No subject found in JWT token
multi-node-wazuh.dashboard-1 | {"type":"log","@timestamp":"2023-01-25T17:57:04Z","tags":["error","plugins","securityDashboards"],"pid":38,"message":"OpenId authentication failed: Error: Authentication Exception"}

Hi @soham, if you have OIDC configured as the only authentication backend in authc, then the internal_users list will not have any effect on the cluster. internal_users is used with HTTP basic authentication with the internal backend. You can see an example configuration here: OpenID Connect - OpenSearch documentation

You do not need to set up the internal backend for admin access; you can also use backend roles to map a user from an external IdP to the all_access reserved role of OpenSearch.

From this section you can see that by default the backend role admin will map to all_access, and you can also modify the security plugin's roles_mapping.yml to change what backend roles map to all_access.

The roles_key is used to extract backend roles from the JWT that is returned from the OIDC server, so make sure that there is a scope that contains roles that is passed to OpenSearch.

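To cross-verify what the IdP actually put in the token, as the question asks, and to see how the `subject_key` / `roles_key` lookup described in the reply turns claims into an OpenSearch role set, here is an added Python example. It is not the security plugin's code; it only mimics the lookup the warning in the logs describes. The settings values (`subject_key: nickname`, `roles_key: roles`), the `all_access` to `admin` mapping and the two tokens are constructed for illustration. The decoder reads the payload without checking the signature, which is fine for inspecting a token you already hold but is not what the plugin does: it verifies the signature against the IdP's keys before trusting any claim.

```python
import base64
import json
from typing import Optional

# Values a security plugin config.yml openid domain would carry (assumed here).
OIDC_SETTINGS = {
    "subject_key": "nickname",
    "roles_key": "roles",
}

# Subset of roles_mapping.yml: OpenSearch role -> backend roles that map to it.
# all_access <- admin is the plugin's default; stored here as constructed data.
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin"]},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    Inspection only: use it to see which claim names the IdP sends so the
    configured subject_key/roles_key can be matched against them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def extract_subject(claims: dict, subject_key: str) -> Optional[str]:
    """The lookup behind 'Failed to get subject from JWT claims': the claim
    named by subject_key must exist and be a non-empty string."""
    value = claims.get(subject_key)
    return value if isinstance(value, str) and value else None


def extract_backend_roles(claims: dict, roles_key: str) -> list:
    """Backend roles may arrive as a JSON array or a comma-separated string."""
    value = claims.get(roles_key, [])
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return [str(r) for r in value]


def resolve_roles(backend_roles: list, roles_mapping: dict) -> list:
    """Apply roles_mapping: any overlap in backend_roles grants the OpenSearch role."""
    wanted = set(backend_roles)
    return sorted(
        os_role
        for os_role, mapping in roles_mapping.items()
        if wanted & set(mapping["backend_roles"])
    )


def authenticate(token: str, settings: dict, roles_mapping: dict) -> dict:
    """Simulate the claim-to-user step; reports which claims were present on failure."""
    claims = decode_claims(token)
    subject = extract_subject(claims, settings["subject_key"])
    if subject is None:
        return {
            "ok": False,
            "error": f"No subject found in JWT token (subject_key '{settings['subject_key']}')",
            "claims_present": sorted(claims),
        }
    backend_roles = extract_backend_roles(claims, settings["roles_key"])
    return {
        "ok": True,
        "subject": subject,
        "backend_roles": backend_roles,
        "roles": resolve_roles(backend_roles, roles_mapping),
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed token; the signature part is a placeholder, never verified here."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


# Constructed tokens: the first reproduces the situation in the question
# (default claims only, no 'nickname'), the second carries the custom claim
# and a roles claim that maps onto all_access.
TOKEN_WITHOUT_NICKNAME = make_sample_token(
    {"sub": "auth0|12345", "email": "admin@gmail.com"}
)
TOKEN_WITH_NICKNAME = make_sample_token(
    {"sub": "auth0|12345", "email": "admin@gmail.com", "nickname": "admin", "roles": ["admin"]}
)

if __name__ == "__main__":
    for tok in (TOKEN_WITHOUT_NICKNAME, TOKEN_WITH_NICKNAME):
        print(json.dumps(authenticate(tok, OIDC_SETTINGS, ROLES_MAPPING), indent=2))
```

Running it prints the failure with the list of claim names that were actually present for the first token, which is the quickest way to spot that the IdP is not sending the claim named in `subject_key` (for example because the custom claim was added to the access token but the plugin reads the ID token, or vice versa), and the resolved `all_access` role for the second.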