Failed to get subject from JWT claims - OpenID

Hello everyone,

I receive the following error with OpenID (Azure) configuration:

opensearch-node1         | [2021-08-12T00:21:27,615][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-node1] Failed to get subject from JWT claims, check if subject_key 'preferred_username' is correct.
opensearch-node1         | [2021-08-12T00:21:27,615][ERROR][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-node1] No subject found in JWT token
opensearch-node1         | [2021-08-12T00:21:27,616][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-node1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
opensearch-dashboards    | {"type":"log","@timestamp":"2021-08-12T00:21:27Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}

config.yml

      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/----/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

opensearch-dashboard.yml

opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/----/v2.0/.well-known/openid-configuration"
opensearch_security.openid.client_id: "------------------------"
opensearch_security.openid.client_secret: "------------"
opensearch_security.openid.scope: "openid"
opensearch_security.openid.base_redirect_url: "http://localhost:5601"

@rtarek I would recommend raising a ticket using the link below to expose the JWT created from OIDC, as currently there doesn’t appear to be a way to view the created JWT, which would help in your case.
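A local check for the condition the log warns about, added here as an example (not part of the original thread and not the security plugin's code): it decodes a token's claims without verifying the signature and reports whether the subject_key and roles_key named in config.yml are present. The sample token and its claim values are constructed, and the function names are hypothetical.

```python
import base64
import json


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: diagnostics only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_claim_keys(claims, subject_key="preferred_username", roles_key="roles"):
    """Report whether the claims named in config.yml are usable in this token."""
    findings = []
    subject = claims.get(subject_key)
    if subject is None:
        findings.append(f"subject_key '{subject_key}' not in token; "
                        f"claims present: {sorted(claims)}")
    elif not isinstance(subject, str) or not subject.strip():
        findings.append(f"subject_key '{subject_key}' is not a non-empty string: {subject!r}")
    roles = claims.get(roles_key)
    if roles is None:
        findings.append(f"roles_key '{roles_key}' not in token")
    elif not isinstance(roles, (str, list)):
        findings.append(f"roles_key '{roles_key}' has unexpected type {type(roles).__name__}")
    return findings


def _b64url(obj):
    """Serialize a dict the way a JWT segment is encoded (unpadded base64url JSON)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample (not from the thread): a token that lacks both configured claims.
SAMPLE_CLAIMS = {"iss": "https://issuer.example/v2.0", "aud": "constructed-client-id",
                 "sub": "constructed-subject", "exp": 1628730000}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "c2ln"])  # placeholder signature

if __name__ == "__main__":
    for line in check_claim_keys(decode_jwt_claims(SAMPLE_TOKEN)):
        print(line)
```

Run it locally against a token from your own login flow; a live token is a bearer credential, so keep it out of tickets and online decoders.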

opensearch-dashboards | {"type":"log","@timestamp":"2021-08-12T00:21:27Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}

Same issue, could someone help on this issue?

Hi,
Could you please help on this issue?

@skopen What OpenId provider are you using? Which way are you running opensearch: HELM, docker-compose, RPM?

@Anthony: thanks for the reply.
Implementing OpenSearch using Helm, I am able to connect through localhost, but when I’m trying to set up OpenID integration with Azure, I keep on getting a too many redirects error. From the log I noticed the below error:
{"type":"log","@timestamp":"2021-11-:50:26Z","tags":["debug","opensearch","opendistro_security","query"],"pid":1,"message":"401\nGET /_plugins/_security/authinfo\n"}
{"type":"log","@timestamp":"2021-11-:50:26Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}

@skopen
I recently uploaded an example of Azure integration to a GitHub repo here

I would recommend cloning it and running docker-compose up. The username and password are in the README file.

The config is included and is mapped as volumes. See if you can get it working by pointing it to your Azure, by changing the config.yaml and dashboards.yaml. If not, maybe the issue is from the Azure configuration.

@Anthony, thank you for sharing the repo. Tried with the above configuration using docker-compose.

Getting the below error:
connectionError]: getaddrinfo ENOTFOUND opensearch-node1 opensearch-node1:9200