Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Missing background refresh of OIDC access_token #1966

Closed
MMerzinger opened this issue May 7, 2024 · 6 comments
Closed

[BUG] Missing background refresh of OIDC access_token #1966

MMerzinger opened this issue May 7, 2024 · 6 comments
Labels
bug Something isn't working triaged

Comments

@MMerzinger
Copy link

Describe the bug

The opensearch-dashboards app does not use the OIDC refresh token, despite having refresh_tokens: true in the config.

This leads to a full page refresh every 5mins (as our access_token has a 5min ttl). In the browser log we can see that a redirect to Keycloak happens (login via Kerberos) and a new access_token is issued.

To Reproduce
Steps to reproduce the behavior:

  1. Configure Keycloak as identity provider (https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
  2. Configure opensearch with OIDC
       config.yml: |
          _meta:
            type: "config"
            config_version: 2
          config:
            dynamic:
              authc:
                basic_internal_auth_domain:
                  http_enabled: true
                  transport_enabled: true
                  order: 1
                  http_authenticator:
                    type: basic
                    challenge: false
                  authentication_backend:
                    type: intern
                openid_auth_domain:
                  http_enabled: true
                  transport_enabled: true
                  order: 0
                  http_authenticator:
                    type: openid
                    challenge: false
                    config:
                      openid_connect_idp:
                        enable_ssl: true
                        verify_hostnames: true
                        skip_users:
                          - <REMOVED>
                      subject_key: preferred_username
                      roles_key: roles
                      openid_connect_url: https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration
  1. Configure opensearch-dashboards with OIDC and token_refresh: true
    opensearch_dashboards.yml:

      logging.verbose: true

      server.host: "0.0.0.0"
      
      opensearch.hosts: ["https://opensearch-cluster-master:9200"]
      opensearch.ssl.verificationMode: none # Disabled for testing
      opensearch.ssl.certificateAuthorities: [ "/path/to/our/cert/tls.crt" ]
      opensearch.username: "<REMOVED>"
      opensearch.password: "<REMOVED>"
      opensearch.requestHeadersWhitelist: [ "Authorization", "security_tenant", "securitytenant" ]
          
      opensearch_security.multitenancy.enabled: true
      opensearch_security.multitenancy.tenants.preferred: ["SHARED"]
      opensearch_security.multitenancy.tenants.enable_private: false
      opensearch_security.multitenancy.tenants.enable_global: false
      opensearch_security.readonly_mode.roles: ["kibana_read_only"]
      opensearch_security.cookie.secure: false
      opensearch_security.auth.type: "openid"
      opensearch_security.openid.refresh_tokens: true
      opensearch_security.openid.connect_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration"      
      opensearch_security.openid.client_id: "opensearch"
      opensearch_security.openid.client_secret: "<REMOVED>"
      opensearch_security.openid.base_redirect_url: "https://<OPENSEARCH_HOST>"
      opensearch_security.openid.verify_hostnames: "false" # Disabled for testing
      opensearch_security.openid.scope: "openid"
      opensearch_security.openid.logout_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/protocol/openid-connect/logout"
      opensearch_security.openid.extra_storage.cookie_prefix: "security_authentication_oidc"
      opensearch_security.openid.extra_storage.additional_cookies: 10 # Usually around 3 cookies, some power users need more
  1. Make sure your access_token is issued with a ttl of about 5mins
  2. Login to opensearch-dashboards
  3. Go to discover and query any of the available index patterns. Wait here 5 mins.
  4. Open the Network Tab of the Browser Developer Tools
  5. Click on refresh (not the browser refresh -> use the refresh button of the opensearch-dashboards app)
  6. Observe that the API returns a 401 and a redirect to Keycloak

Expected behavior
The opensearch-dashboards app uses the refresh token in the background to request a new access_token (and no redirect to Keycloak).

OpenSearch Version
2.13.0

Dashboards Version
2.13.0

Plugins

All plugins installed by default (see https://opensearch.org/docs/latest/install-and-configure/plugins/#bundled-plugins).

We rely mainly on the opensearch-security, opensearch-index-management and notifications plugin.

Screenshots

keycloak-config-1

Host/Environment (please complete the following information):

  • OS: Containers from DockerHub (Amazon Linux 2023.4.20240401) with the tag 2.13.0, deployed on Kubernetes (GKE) v1.27.8-gke.1500 using the helm chart 2.19 (opensearch) and 2.17 (opensearch-dashboards)
  • Browser: Chrome 124.0.6367.119

Additional context

Related issues

We had to increase our access_token ttl as an intermediate solution, as described in the issue 1522.

@MMerzinger MMerzinger added bug Something isn't working untriaged labels May 7, 2024
@kavilla
Copy link
Member

kavilla commented May 8, 2024

@opensearch-project/admin @opensearch-project/triage could we move this to the secuirty dashboards plugin repo.

@jpelletier412
Copy link

We are experiencing the same issue with the same setup - Opensearch 2.13.0, Opensearch-Dashboards 2.13.0, using Keycloak as our Oauth provider.

@gaiksaya gaiksaya transferred this issue from opensearch-project/OpenSearch-Dashboards May 20, 2024
@stephen-crawford
Copy link
Contributor

[Triage] Hi @MMerzinger thank you for filing this issue. I think this is the result of some changes recently made by @derek-ho around handling of the refresh tokens. Derek could you share whether this is intended etc.?

@Jakob3xD
Copy link

Jakob3xD commented Jul 5, 2024

With Opensearch 2.15 it seems to be fixed. At least for me.

@derek-ho
Copy link
Collaborator

derek-ho commented Jul 5, 2024

Thanks @Jakob3xD for confirming! Yes @cwperks and @Alankarsharma merged in a fix for this in 2.15. After upgrade this problem should go away. Closing

@briend
Copy link

briend commented Jul 10, 2024

I opened a related issue that looks just like this (to me) but only affects the /app/dashboards UI #2025

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working triaged
Projects
None yet
Development

No branches or pull requests

7 participants