
[BUG] OpenID sessions re-authentication every 5 minutes

Open JordanBarnartt opened this issue 5 months ago • 10 comments

What is the bug? We have configured Opensearch and Opensearch Dashboards to use OpenID authentication through Duo. However, every 5 minutes (so it seems, right on the dot), the application "refreshes" itself, briefly redirects through OpenID authentication URLs, then returns back to the webpage. This refresh does not occur automatically, but rather when something in the UI is interacted with after the 5 minute timer has passed. This reload can result in lost work as the page loads to whatever its default state is (ex. if I am creating an index template, the site will reload back into /app/opensearch_index_management_dashboards, losing any unsaved work). This occurs regardless of whether there was user activity in that 5 minute period.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Configure opensearch-security/config.yml as follows:
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: username
            roles_key: roles
            openid_connect_url: <our url>
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
  2. Configure opensearch_dashboards.yml as follows:
    server.host: "0.0.0.0"

    opensearch_security.auth.type: "openid"
    opensearch_security.openid.connect_url: <our url>
    opensearch_security.openid.client_id: <our client ID>
    opensearch_security.openid.client_secret: <our secret>
    opensearch_security.openid.base_redirect_url: <our redirect url>

    # I added these four settings as part of troubleshooting the issue.  They did not have any effect.
    opensearch_security.cookie.ttl: 86400000
    opensearch_security.session.ttl: 86400000
    opensearch_security.session.keepalive: true
    opensearch_security.openid.refresh_tokens: true

    opensearch.ssl.verificationMode: none

What is the expected behavior? Activity should "reset" the reauthentication timer. The amount of time before re-authentication should either be configurable or be taken from a setting provided by the IdP.

What is your host/environment?

  • OS: Opensearch running on Ubuntu 20.04, Opensearch Dashboards run via Docker using opensearchproject/opensearch-dashboards image.
  • Version 2.16.0
  • Plugins: Only those included as part of the default configuration.

Do you have any additional context? This problem seems similar to those described in https://forum.opensearch.org/t/opensearch-dashboards-with-openid-auth-frequent-session-timeouts/15893, https://github.com/opensearch-project/security-dashboards-plugin/issues/71, and https://github.com/opensearch-project/security-dashboards-plugin/issues/1522. However, the various proposed solutions do not work for us.

My plan is to temporarily disable OIDC auth for Dashboards, but I am willing to perform any troubleshooting that may help solve the issue.

JordanBarnartt, Sep 05 '24 00:09
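The report asks whether the 5 minute interval comes from the IdP rather than from the Dashboards settings. One way to check, as an added troubleshooting example that is not part of the issue or of the plugin's own code, is to decode the ID token the IdP returns and compare its `exp - iat` lifetime with the `session.ttl` and `cookie.ttl` values from the reporter's opensearch_dashboards.yml. It assumes the session ends at the earliest of those three lifetimes (an assumption, not documented plugin behaviour) and uses a constructed, unsigned sample token with a 300 second lifetime.

```python
import base64
import json

# TTL values taken from the issue's opensearch_dashboards.yml (milliseconds).
SESSION_TTL_MS = 86400000
COOKIE_TTL_MS = 86400000


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.
    Suitable only for inspecting lifetimes while debugging, never for
    making an authentication decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_seconds(token: str) -> int:
    """Lifetime the IdP granted the token, from its iat and exp claims."""
    claims = decode_jwt_claims(token)
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token lacks iat/exp claims")
    return int(claims["exp"]) - int(claims["iat"])


def effective_session_seconds(token: str, session_ttl_ms: int = SESSION_TTL_MS,
                              cookie_ttl_ms: int = COOKIE_TTL_MS) -> tuple:
    """Assumption: the shortest of the three lifetimes ends the session.
    Returns (name of the limiting setting, its lifetime in seconds)."""
    candidates = {
        "id_token exp": token_lifetime_seconds(token),
        "session.ttl": session_ttl_ms // 1000,
        "cookie.ttl": cookie_ttl_ms // 1000,
    }
    limiting = min(candidates, key=candidates.get)
    return limiting, candidates[limiting]


def _make_sample_token(iat: int, exp: int) -> str:
    """Constructed sample ID token (unsigned, placeholder signature, placeholder issuer)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "alice", "iss": "https://idp.example/placeholder", "iat": iat, "exp": exp}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


SAMPLE_TOKEN = _make_sample_token(iat=1725494400, exp=1725494700)  # 300 s apart

if __name__ == "__main__":
    print(effective_session_seconds(SAMPLE_TOKEN))
```

Run it against a real ID token captured from the browser's network tab (the `id_token` field of the token endpoint response) to see whether the IdP itself is issuing 5 minute tokens.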