security-dashboards-plugin
[FEATURE] Multi-auth dashboards support for JWT
Is your feature request related to a problem?
What solution would you like?
Hello,
we can set the order of auth in OpenSearch:
```yaml
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      # oidc with jwks_uri
      jwks_auth_domain:
        description: "Authenticate via JWKS"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            jwt_header: "Authorization"
            jwt_url_parameter: null
            subject_key: "sub"
            roles_key: "scp"
            jwks_uri: {{ jwksUri }}
        authentication_backend:
          type: noop
      # basic auth, using internal user db
      basic_internal_auth_domain:
        description: "Authenticate using HTTP basic against the internal users database"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
```
but not in Dashboards.
So in Dashboards, JWT and basic_auth cannot be used simultaneously.
What alternatives have you considered?
Do you have any additional context?
I hope it will be supported like in OpenSearch.
@10000-ki That's correct, it's not currently supported at the moment. For multi-auth, the currently supported options are openid, saml and basic. List of supported options: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L55-L100
I believe it would be possible to add JWT here, but there should be testing done with different combinations.
When JWT is enabled as a sign in option for dashboards you supply the token through a URL param and avoid the login page entirely.
I see.
For token-based authentication, the login screen should not be visible, and for basic_auth-based authentication, the login screen should be visible.
So are you saying that the test for this situation is complicated?
[Triage] Hi @10000-ki, thanks for filing this issue. From the conversation, it looks like the goal here is to add multi-auth support for dashboards to be able to support both Basic auth and JWT auth. I have renamed this issue for you and we can go ahead and close this when:
- [ ] There is correct UI handling for the login skip
- [ ] Tests are added on the cypress suite for checking the correct auth flows
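The login-skip decision discussed above (token supplied: no login page; otherwise the basic-auth login page), as an added example that is not part of this thread or the plugin's code. `resolveAuthFlow`, the request shape and the `token` URL parameter name are assumptions; the token is only shape-checked here, on the assumption that OpenSearch validates its signature and claims.

```typescript
// Added example: every name here is hypothetical, not the plugin's API.
type Flow = { authType: 'jwt' | 'basic'; showLoginPage: boolean; redirectTo?: string };
type Req = { path: string; query: string; headers: { [name: string]: string | undefined } };

// Shape check only: three base64url segments. Signature and claims are assumed
// to be validated by OpenSearch (the jwks_auth_domain in the issue's config).
const JWT_SHAPE = /^[\w-]+\.[\w-]+\.[\w-]+$/;

function bearerToken(header: string | undefined): string | undefined {
  const m = /^Bearer\s+(\S+)$/i.exec(header || '');
  return m ? m[1] : undefined;
}

function resolveAuthFlow(req: Req, urlParam: string = 'token'): Flow {
  let urlToken: string | undefined;
  const kept: string[] = [];
  // Split the raw query string, pulling the token parameter out of it.
  for (const pair of req.query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key === urlParam) {
      urlToken = eq < 0 ? '' : pair.slice(eq + 1);
    } else {
      kept.push(pair);
    }
  }
  // An Authorization header takes precedence over the URL parameter.
  const headerToken = bearerToken(req.headers['authorization']);
  const token = headerToken !== undefined ? headerToken : urlToken;
  if (token !== undefined && JWT_SHAPE.test(token)) {
    const flow: Flow = { authType: 'jwt', showLoginPage: false };
    // Token arrived in the URL: redirect to the same page without it so it
    // does not stay in the address bar, browser history or Referer headers.
    if (urlToken !== undefined) {
      flow.redirectTo = req.path + (kept.length ? '?' + kept.join('&') : '');
    }
    return flow;
  }
  // No token, or something that is not JWT-shaped: fall back to the login form.
  return { authType: 'basic', showLoginPage: true };
}
```

A Cypress test for the auth flows could assert these same outcomes: no login form when a token is supplied, and the login form otherwise.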
@scrawfor99
Yes, I agree.
Is this currently being worked on? It is a feature I will be needing.
Hi @merlinz01, thanks for reaching out. This change is not currently being worked on. That being said, I did a very similar change here: https://github.com/opensearch-project/security-dashboards-plugin/pull/2076
If you are interested in contributing this feature, you could use my change as an example.
Great! I'll consider contributing.
@stephen-crawford Can you provide any help on how to debug my changes?
https://forum.opensearch.org/t/how-to-enable-react-developer-environment/20980