
Redirect back to the originally-requested url after authentication with SSO - OIDC

Open hagaram opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe.

When a user has OpenSearch Dashboards open in the browser, leaves the PC for a few hours and returns, the session might be logged out. But the user was browsing some URL before he was logged out and would like to return to the same page after login.

The same behaviour occurs if someone sends the user a link, e.g. some search: he is redirected to login via SSO, and after login he ends up on the "home page" of OpenSearch, not on the requested URL.

Describe the solution you'd like

OpenSearch should remember, or somehow communicate with the IdP: A) the URL he was browsing before the logout; B) the URL he's trying to access before login.

Describe alternatives you've considered

Nothing comes to my mind really.

hagaram avatar May 10 '24 12:05 hagaram

@hagaram thanks for opening.

@opensearch-project/admin please re-direct this to security dashboards plugin.

kavilla avatar May 14 '24 07:05 kavilla

[Triage] @hagaram can you provide some more information about your setup? Are you using basepath with opensearch dashboards? There was a recent fix for dashboards with base path, but it will be released in 2.15: https://github.com/opensearch-project/security-dashboards-plugin/pull/1899.

derek-ho avatar May 20 '24 15:05 derek-ho

Thank you very much for replying @derek-ho. Sure!

This is the OpenSearch security plugin's config:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
# OpenID settings
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    authc:
      # In order for Dashboards to access OpenSearch, you must first use
      # authentication_backend.type: internal
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: true
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://XXXXXX.XXXXX.XXXXX/realms/XXXXXX/.well-known/openid-configuration
            kibana_url: https://XXXXX.XXXXXX.XXXX
        authentication_backend:
          type: noop
    authz: {}

OpenSearch Dashboards config:

server.port: 5601
server.host: "0.0.0.0"
opensearch.hosts: ["https://XXXXX.XXXXXX.XXXX:9200","https://XXXX.XXXX.XXXX:9200","https://XXXXX.XXX.XXXXX:9200"]
opensearch.username: "XXXXXXX"
opensearch.password: "XXXXXXXX"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


opensearch.ssl.verificationMode: "full"
*****

opensearch_security.cookie.secure: true

# OpenID settings
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true

opensearch_security.openid.base_redirect_url: "https://XXXX.XXXX.XXX"
opensearch_security.openid.client_id: "XXXX.XXXX.XXXX"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "XXXXXXXXX"
opensearch_security.openid.connect_url: "https://XXXXX.XXXX.XXXX/realms/XXXX/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true

opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true
opensearch_security.ui.openid.login.buttonname: Sign in with XXXXXXX ID
opensearch.requestTimeout: 1200000
opensearch_security.openid.refresh_tokens: true

hagaram avatar Jun 03 '24 11:06 hagaram

Hello, I have been struggling with this same issue, and believe I have found the cause. The ResponseType/ResponseMode seems to be set to "fragment"; after reading this comment: https://github.com/keycloak/keycloak/issues/26405#issuecomment-1907880982 it would seem that setting it to "query" would fix the issue.

I have also had success in replacing the # after "data-explorer%2Fdiscover" with %23: https://opensearchlink/app/login?nextUrl=%2Fapp%2Fdata-explorer%2Fdiscover%23?_a=(discover:(columns:!(_source),isDirty:!f,sort:!()),metadata:(indexPattern:logpattern,view:discover))&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))&_q=(filters:!(),query:(language:kuery,query:%27%27))

Samoht11 avatar Jul 18 '24 12:07 Samoht11
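The mechanism behind the %23 workaround above, as an added example (JavaScript using Node's WHATWG URL API; this is not code from the security-dashboards-plugin project). It shows that a bare `#` inside the `nextUrl` query parameter never reaches the server, because the browser keeps everything after the first `#` client-side, while percent-encoding the value preserves the full Discover state. It goes one step beyond the comment by adding the check a login handler needs before honouring `nextUrl`: the target must be a same-origin absolute path, otherwise the post-login redirect becomes an open redirect. The hostname, the default landing page and the sample Discover URL are constructed for the example.

```javascript
// Added example, not code from the security-dashboards-plugin project.
// Shows why an unencoded '#' in nextUrl truncates the redirect target,
// how encoding it as %23 preserves the full Discover state, and how a
// login handler should validate nextUrl before redirecting.
const DASHBOARDS_ORIGIN = 'https://dashboards.example.test'; // assumed hostname
const DEFAULT_LANDING = '/app/home';                          // assumed default page

// Requested Discover URL, constructed for this example (same shape as the
// comment above: path, then '#', then the _a/_g application state).
const REQUESTED = '/app/data-explorer/discover#?_a=(discover:(columns:!(_source)))'
  + '&_g=(time:(from:now-15m,to:now))';

// Naive login link: nextUrl pasted in verbatim, '#' left unencoded.
function naiveLoginUrl(requested) {
  return `${DASHBOARDS_ORIGIN}/app/login?nextUrl=${requested}`;
}

// Correct login link: nextUrl is a query parameter value, so it must be
// percent-encoded; URLSearchParams turns '#' into %23 (and '/' into %2F).
function buildLoginUrl(requested) {
  const login = new URL('/app/login', DASHBOARDS_ORIGIN);
  login.searchParams.set('nextUrl', requested);
  return login.toString();
}

// What the server-side login handler actually receives as nextUrl.
// Everything after the first '#' of the request URL stays in the browser.
function nextUrlSeenByServer(loginUrl) {
  return new URL(loginUrl).searchParams.get('nextUrl');
}

// Redirect-target check: only a same-origin, absolute-path URL is allowed.
// Rejects scheme-relative ('//other.example'), the backslash variant
// ('/\\other.example', which WHATWG parsing normalises to '//other.example'),
// absolute URLs and non-string input.
function isSafeNextUrl(value) {
  if (typeof value !== 'string' || !value.startsWith('/')) return false;
  if (value.startsWith('//') || value.startsWith('/\\')) return false;
  let resolved;
  try {
    resolved = new URL(value, DASHBOARDS_ORIGIN);
  } catch {
    return false;
  }
  return resolved.origin === DASHBOARDS_ORIGIN;
}

// Post-login redirect decision: honour nextUrl only when it is safe,
// otherwise fall back to the default landing page.
function redirectAfterLogin(nextUrlParam) {
  return isSafeNextUrl(nextUrlParam) ? nextUrlParam : DEFAULT_LANDING;
}

console.log('naive    :', nextUrlSeenByServer(naiveLoginUrl(REQUESTED)));
console.log('encoded  :', nextUrlSeenByServer(buildLoginUrl(REQUESTED)));
console.log('redirect :', redirectAfterLogin(nextUrlSeenByServer(buildLoginUrl(REQUESTED))));
console.log('off-site :', redirectAfterLogin('//other.example/landing'));
```

Running it prints `/app/data-explorer/discover` for the naive link (the `#?_a=...` state is gone before the request leaves the browser) and the complete requested URL for the encoded one, which is exactly the difference the `%23` edit in the comment makes. The same-origin check is deliberately strict: a prefix test on `/` alone is not enough, since `//host` and `/\host` both resolve to another origin.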

@Samoht11 How did you set the responseMode to query instead of the default "fragment"?

ahmadabulaban avatar Aug 08 '24 11:08 ahmadabulaban

In my case (v. 2.15) it works with shortened shared URLs, but not when I copy the link directly from the address bar.

hagaram avatar Oct 14 '24 17:10 hagaram