
[BUG] OpenID redirects to "/" after upgrading opensearch to 2.12.0

Open RobinAdvens opened this issue 1 year ago • 5 comments

Describe the bug

Since I upgraded from 2.11.1 to 2.12.0, I encounter a bug in redirection with OpenID (Keycloak) at the end of the authentication process.

From https://myUrl.com/clusterName/app/login I click on log in with single sign-on, which redirects to https://myUrl.com/clusterName/auth/openid/captureUrlFragment?nextUrl=%2F, then at the end of the authentication I'm redirected to https://myUrl.com/ instead of https://myUrl.com/clusterName/

I don't have an issue if I try to connect from another path. For example, if I try to connect to https://myUrl.com/clusterName/app/home, I'll be redirected to https://myUrl.com/clusterName/app/login?nextUrl=%2FclusterName%2Fapp%2Fhome and then my URL for the IdP is https://myUrl.com/clusterName/auth/openid/captureUrlFragment?nextUrl=%2FclusterName%2Fapp%2Fhome

When I was on 2.11.1, OpenSearch was giving me the https://myUrl.com/clusterName/auth/openid/login URL for Keycloak and everything was working perfectly.

I'm using opensearch with opensearch operator on kubernetes.

OpenSearch Version

OpenSearch and OpenSearch-dashboard are both in 2.12.0 and 2.13.0. opensearch-operator is in 2.4.0.

Additional context

Part of my dashboards-config:

opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.cookie.secure: true
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.openid.base_redirect_url: https://myUrl.com/clusterName/
opensearch_security.openid.client_id: ops-clusterName
opensearch_security.openid.connect_url: https://idp.myUrl.com/realms/broker/.well-known/openid-configuration
opensearch_security.openid.header: Authorization
opensearch_security.openid.refresh_tokens: true
opensearch_security.openid.scope: openid profile email
opensearch_security.session.keepalive: true
server.basePath: /clusterName
server.name: clusterName-dashboards
server.rewriteBasePath: true

RobinAdvens avatar Apr 15 '24 17:04 RobinAdvens
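Added example, not part of the issue thread and not the plugin's code: one way to derive the post-login redirect path from `nextUrl` so that both URLs in the report land under `server.basePath`, while refusing values that would leave the origin. The names `resolveNextUrl` and `redirectFor` and the placeholder origin are assumptions made for this sketch.

```javascript
// Hypothetical helper (not from security-dashboards-plugin): choose the
// post-login path from an already-decoded nextUrl and server.basePath.
function resolveNextUrl(nextUrl, basePath) {
  const base = basePath.replace(/\/+$/, '');   // "/clusterName/" -> "/clusterName"
  const fallback = base + '/';
  if (typeof nextUrl !== 'string' || nextUrl === '') return fallback;

  // Accept only a same-origin path: a single leading "/", never "//" or "/\"
  // (read as a host by browsers), no backslashes, no control characters
  // (URL parsers strip tabs/newlines, which can turn "/\t/x" into "//x").
  if (!/^\/(?![\/\\])/.test(nextUrl) || /[\\\x00-\x1f\x7f]/.test(nextUrl)) {
    return fallback;
  }

  // Normalise "." and ".." against a dummy origin and confirm we stayed on it.
  const origin = 'https://placeholder.invalid';  // constructed value
  const url = new URL(nextUrl, origin);
  if (url.origin !== origin) return fallback;
  const path = url.pathname + url.search + url.hash;

  // Already under the base path (the /clusterName/app/home case): keep it.
  if (url.pathname === base || url.pathname.startsWith(base + '/')) return path;
  // Otherwise (the nextUrl=%2F case): prefix the base path.
  return base + path;
}

// Reads nextUrl from a request URL; searchParams.get() percent-decodes once
// and returns null when the parameter is absent.
function redirectFor(requestUrl, basePath) {
  const nextUrl = new URL(requestUrl).searchParams.get('nextUrl');
  return resolveNextUrl(nextUrl, basePath);
}

// The two URLs from the report, plus a constructed off-site value.
const capture = 'https://myUrl.com/clusterName/auth/openid/captureUrlFragment';
console.log(redirectFor(capture + '?nextUrl=%2F', '/clusterName'));
console.log(redirectFor(capture + '?nextUrl=%2FclusterName%2Fapp%2Fhome', '/clusterName'));
console.log(redirectFor(capture + '?nextUrl=%2F%2Fother.example%2Fx', '/clusterName'));
```
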

I have a similar problem with version 2.13

uranru avatar Apr 16 '24 10:04 uranru

The redirection error suggests that the application might be ignoring or incorrectly processing the basePath or base_redirect_url after authentication. I don't think we update anything for basePath. For opensearch_security.openid.base_redirect_url, this is to ensure that after authentication, the user is redirected back to the right base URL, which includes the cluster name.

ananzh avatar Apr 16 '24 16:04 ananzh

@opensearch-project/admin could you help us to redirect it to the security team?

ananzh avatar Apr 16 '24 17:04 ananzh

Looks like a regression introduced by https://github.com/opensearch-project/security-dashboards-plugin/pull/1563

Taking a look. Also related: https://github.com/opensearch-project/security-dashboards-plugin/issues/1823

cwperks avatar Apr 18 '24 12:04 cwperks

[Triage] Hi @RobinAdvens thank you for filing this issue. Looks like #1899 will resolve this issue. We can close this when that PR is merged.

stephen-crawford avatar Apr 22 '24 15:04 stephen-crawford

https://github.com/opensearch-project/security-dashboards-plugin/pull/1899 was merged

derek-ho avatar May 13 '24 15:05 derek-ho