Login with jwt token as parameter in url

Hello
My project is to be able to display an opensearch dashboard in a iframe without showing the opensearch login page
For that, i would like to use the jwt_token as the url parameter : for example : the src field of the iframe would be "localhost:5601/app/dashboards?security_tenant=global#/view/edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b?embed=true?jwt_token={myjwttoken}
For that , i change the config.yml by upgrading the section

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "usuxqaUmbbe0VqN+Q90KCk5sXHCfEVookMRyEXAMPLE="
            jwt_header: "Authorization"
            jwt_url_parameter: jwt_token
            roles_key: roles
            subject_key: sub
        authentication_backend:
          type: noop

I generate a jwt token with the following payload:

{
  "sub": "admin",
  "roles": "admin"
}

and add it to the url

When i load my html page, the beginning seems to be ok until i received 401 to internal request like GET /api/v1/restapiinfo , GET /api/v1/configuration/account

i also add to the opensearch-dasboard.yml config :
opensearch.requestHeadersWhitelist: [ Authorization,securitytenant , authorization, jwt_token]

Is there something i missed ?
Thanks

@emarce
The config looks ok, can you elaborate on what the issue is?

When you embed iframe with the jwt_token into empty html, what do you see when you open it in browser?

How do you call the APIs you mentioned?

My conf are also exactly the same and I am also getting the same behaviour.

jwt_auth_domain:
description: “Authenticate via Json Web Token”
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “MTg5MjU4MjlGQzIxOUZEWDJFQUI5RjFBMTZGRTBBNTRFOERGMjdERjIzOUMxRkIxODZBOEJDMUY0NjY0NjI3Mg==”
jwt_header: “Authorization”
jwt_url_parameter: jwt_token
roles_key: roles
subject_key: sub

Url:
http://0.0.0.0:5601/app/dashboards?jwt_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsIm5iZiI6MTYzNDIwNzU5NywiaXNVc2UyRkEiOmZhbHNlLCJyb2xlcyI6ImFkbWluIiwiaXNzIjoiZW5zby1zZXJ2ZXIiLCJleHAiOjE2MzQyMTExOTcsImlhdCI6MTYzNDIwNzU5NywidXNlcm5hbWUiOiJhZG1pbiJ9.1wS9Wr-JbR0HCAIqpWzmVdzER-afBFVdbYMCFSab7h0&security_tenant=global#/view/7adfa750-4c81-11e8-b3d7-01146121b73d?embed=true&_g=(filters:!(),refreshInterval:(pause:!f,value:900000),time:(from:now-24h,to:now))&_a=(description:‘Analyze%20mock%20flight%20data%20for%20OpenSearch-Air,%20Logstash%20Airways,%20OpenSearch%20Dashboards%20Airlines%20and%20BeatsWest’,filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:’’),timeRestore:!t,title:’%5BFlights%5D%20Global%20Flight%20Dashboard’,viewMode:view)

Opensearch logs:

{“type”:“response”,"@timestamp":“2021-10-14T11:09:48Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:302,“req”:{“url”:"/app/dashboards?jwt_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsIm5iZiI6MTYzNDIwNzU5NywiaXNVc2UyRkEiOmZhbHNlLCJyb2xlcyI6ImFkbWluIiwiaXNzIjoiZW5zby1zZXJ2ZXIiLCJleHAiOjE2MzQyMTExOTcsImlhdCI6MTYzNDIwNzU5NywidXNlcm5hbWUiOiJhZG1pbiJ9.1wS9Wr-JbR0HCAIqpWzmVdzER-afBFVdbYMCFSab7h0&security_tenant=global",“method”:“get”,“headers”:{“host”:“0.0.0.0:5601”,“connection”:“keep-alive”,“upgrade-insecure-requests”:“1”,“user-agent”:"–",“accept”:“text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9”,“accept-encoding”:“gzip, deflate”,“accept-language”:“en-US,en;q=0.9”},“remoteAddress”:"–",“userAgent”:"–"},“res”:{“statusCode”:302,“responseTime”:4,“contentLength”:9},“message”:“GET /app/dashboards?jwt_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsIm5iZiI6MTYzNDIwNzU5NywiaXNVc2UyRkEiOmZhbHNlLCJyb2xlcyI6ImFkbWluIiwiaXNzIjoiZW5zby1zZXJ2ZXIiLCJleHAiOjE2MzQyMTExOTcsImlhdCI6MTYzNDIwNzU5NywidXNlcm5hbWUiOiJhZG1pbiJ9.1wS9Wr-JbR0HCAIqpWzmVdzER-afBFVdbYMCFSab7h0&security_tenant=global 302 4ms - 9.0B”}

If I pass the same token as header param it works, but in our case we want to pass as request param as shown in the url.