manasvinibs
commented
8 months ago Can you provide more details on the configuration? Routing to security Dashboards to look. @opensearch-project/admin Can you route this to Dashboards security plugin?
Open dhumphries-sainsburys opened 8 months ago
manasvinibs
commented
8 months ago Can you provide more details on the configuration? Routing to security Dashboards to look. @opensearch-project/admin Can you route this to Dashboards security plugin?
dhumphries-sainsburys
commented
8 months ago I believe this is likely to be the relevant part of the config. We install via the helm chart approach in case that matters
opensearch_dashboards.yml: |
opensearch.hosts: [https://opensearch-cluster-client:9200]
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_dashboards]
opensearch_security.cookie.secure: true
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://dex.${env}.${infra_domain}/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch"
opensearch_security.openid.client_secret: "${opensearch_client_secret}"
opensearch_security.openid.base_redirect_url: "https://logs.${env}.${infra_domain}"
opensearch_security.openid.scope: "openid email profile groups offline_access"
server.host: '0.0.0.0'
cwperks
commented
7 months ago [Triage] @dhumphries-sainsburys Thank you for filing this issue and providing your configuration.
There was a PR that went into 2.12 that is related to nextUrl for openid that should resolve the issue, but I see that you are using 2.12.
Could you post the network calls on login during the issue? You can contact maintainers on the OpenSearch Slack with details.
ubcharron
commented
7 months ago I have the same problem on 2.12. I think "redirectHash" is getting dropped during the redirect to the IDP.
In the call to /auth/openid/login?nextUrl=%2Fosd%2Fapp%2Fdata-explorer%2Fdiscover&redirectHash=true, I noticed that the returned cookie has redirectHash set to false
{ oidc:
{ state: '...',
nextUrl: '...',
redirectHash: false },
authType: 'openid' }Then once the IDP redirects the browser to /login?code=whatever, I don't see /auth/openid/redirectUrlFragment ever getting called after.
Doesn't schema.boolean() at routes.ts#L102 convert the string to an actual boolean, so the strict equality test at routes.ts#L138 always fails ?
fbegyn
commented
7 months ago I can confirm that this bug occurs in 2.12.0 and 2.13.0, it essentially breaks login flow for deploying the dashboard on a subpath since after logging the user end up on / (which in my case has nothing running).
dhumphries-sainsburys
commented
4 months ago I can confirm this bug continues to still be present in 2.15.0 .
ahmadabulaban
commented
3 months ago This bug still exists on 2.15.0
dhumphries-sainsburys
commented
1 day ago Still around on 2.17.1 just in case anyone stumbles across this issue and has hope
Describe the bug
When a user is forced through auth redirects either for initial login or reauth after timeout the query they were navigating to or previously loaded is lost and they are directed back to the homepage of dashboards
To Reproduce Steps to reproduce the behavior:
Expected behavior It load whatever you were on before the redirect took effect
OpenSearch Version 2.12
Dashboards Version 2.12
Plugins
Inbuilt Security One https://github.com/Aiven-Open/prometheus-exporter-plugin-for-opensearch