Access to OIDC IdP through proxy is not possible

Hi,

I am currently working on setting up SSO with OIDC. However, after searching many hours, I have come to the conclusion that accessing IdPs through proxies is currently not possible. The opensearch-dashboards.yml simply does not have an appropriate configuration option (as far as I can see). This means that I am getting 502 - Bad Gateway errors from opensearch-dashboards when it tries to load the well-known endpoint.

Looking at the Elasticsearch documentation, there seem to be proxy settings in Elastic/OpenSearch for OIDC providers and setting these does not throw any errors for me (even though they are not documented for OpenSearch):

However, the endpoint is also configured in the opensearch-dashboards.yml (opensearch_security.openid.connect_url) but there is apparently no proxy setting available.

Will this feature be added or this there currently a workaround to this?

Many thanks in advance!

My setup:

  • All containers on Docker version 20.10.12
  • Starting with a docker compose v3
  • opensearchproject/opensearch:1.2.3
  • opensearchproject/opensearch-dashboards:1.2.0

@Aiko What do you use as a proxy? (I haven’t tried this yet, but can try and reproduce) Have you confirmed that it works without proxy?

Hi Anthony,

thanks for your reply! It is a corporate HTTP proxy that I don’t know all the details of. I have also done the following experiment:

  1. Set HTTP_PROXY, HTTPS_PROXY, NO_PROXY (and their lower-case variants) as environment variables for the proxy
  2. Enter the docker container of opensearch-dashboards (docker exec -ti …)
  3. Confirm that the environment variables are there
  4. Run curl to obtain the meta information from the well known endpoint → works!
  5. Remove the PROXY variables from the container
  6. Run curl again → does not work! (timeout)

The opensearch dashboard application itself does not seem to use these environment variables as behaviour seems to be the same with or without them

@Aiko
I am not able to reproduce this, my set up is as follows:

Running opensearch/Dashboards locally using docker-compose.
Using free http proxy available online to route traffic
Using Okta(oidc) as SSO.

No additional configuration for proxy was necessary in config.yml or dashboards.yml, I can DM my config across if this will help

1 Like

Sure, I would gladly take a look!

Are you sure that the traffic to your SSO actually goes through the proxy? If the SSO IdP is reachable without a proxy then this would off course work anyway.

Hi @Anthony,

many thanks for sending the configuration files, I will continue the thread here to keep things open. I have looked at your configuration but could not find any entries for a proxy connection (as you said). Can you elaborate on how your proxy is set up?

I can probably set up a transparent proxy on the docker host machine, to force all traffic through my proxy. I would however prefer the possibility to configure the proxy directly for the Kibana/Dashboards application like I am apparently able to do with OpenSearch.