opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] OpenID redirects to "/" after upgrading opensearch to 2.12.0 #1897

Closed RobinAdvens closed 4 months ago

RobinAdvens commented 5 months ago

Describe the bug

Since I upgraded from 2.11.1 to 2.12.0, I have encountered a bug in redirection with OpenID (Keycloak) at the end of the authentication process.

From https://myUrl.com/clusterName/app/login I click on "log in with single sign-on", which redirects to https://myUrl.com/clusterName/auth/openid/captureUrlFragment?nextUrl=%2F, then at the end of the authentication I'm redirected to https://myUrl.com/ instead of https://myUrl.com/clusterName/

I don't have the issue if I try to connect from another path. For example, if I try to connect to https://myUrl.com/clusterName/app/home, I'll be redirected to https://myUrl.com/clusterName/app/login?nextUrl=%2FclusterName%2Fapp%2Fhome and then my URL for the IdP is https://myUrl.com/clusterName/auth/openid/captureUrlFragment?nextUrl=%2FclusterName%2Fapp%2Fhome

When I was on 2.11.1, OpenSearch was giving me the https://myUrl.com/clusterName/auth/openid/login URL for Keycloak and everything was working perfectly.

I'm using opensearch with opensearch operator on kubernetes.

OpenSearch Version

OpenSearch and OpenSearch-dashboard are both in 2.12.0 and 2.13.0 opensearch-operator is in 2.4.0

Additional context

Part of my dashboards-config:

opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.cookie.secure: true
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.openid.base_redirect_url: https://myUrl.com/clusterName/
opensearch_security.openid.client_id: ops-clusterName
opensearch_security.openid.connect_url: https://idp.myUrl.com/realms/broker/.well-known/openid-configuration
opensearch_security.openid.header: Authorization
opensearch_security.openid.refresh_tokens: true
opensearch_security.openid.scope: openid profile email
opensearch_security.session.keepalive: true
server.basePath: /clusterName
server.name: clusterName-dashboards
server.rewriteBasePath: true

uranru commented 5 months ago

I have a similar problem with version 2.13

ananzh commented 5 months ago

The redirection error suggests that the application might be ignoring or incorrectly processing the basePath or base_redirect_url after authentication. I don't think we update anything for basePath. For opensearch_security.openid.base_redirect_url, this is to ensure that after authentication, the user is redirected back to the right base URL, which includes the cluster name.

ananzh commented 5 months ago

@opensearch-project/admin could you help us to redirect it to the security team?

cwperks commented 5 months ago

Looks like a regression introduced by https://github.com/opensearch-project/security-dashboards-plugin/pull/1563

Taking a look. Also related: https://github.com/opensearch-project/security-dashboards-plugin/issues/1823

stephen-crawford commented 5 months ago

[Triage] Hi @RobinAdvens thank you for filing this issue. Looks like #1899 will resolve this issue. We can close this when that PR is merged.

derek-ho commented 4 months ago

https://github.com/opensearch-project/security-dashboards-plugin/pull/1899 was merged
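
The report above shows nextUrl=%2F losing the /clusterName prefix after login, while nextUrl=%2FclusterName%2Fapp%2Fhome works. As an added example (not code from security-dashboards-plugin or from PR #1899), this is one way a post-login handler could resolve nextUrl against server.basePath while refusing off-site targets. The function name resolveNextUrl and the choice to prefix paths that fall outside the base path are assumptions.

```javascript
// Hypothetical helper, not the plugin's code: compute the post-login redirect
// path for a Dashboards instance served under server.basePath.
const DUMMY_ORIGIN = 'http://placeholder.invalid'; // used only to normalise paths

function resolveNextUrl(nextUrl, basePath) {
  const base = (basePath || '').replace(/\/+$/, ''); // "/clusterName/" -> "/clusterName"
  const fallback = base + '/';

  // Accept only same-site, path-absolute targets. Absolute URLs, protocol-relative
  // "//host" forms, backslashes and control characters fall back to the base path.
  if (typeof nextUrl !== 'string' || !nextUrl.startsWith('/') ||
      nextUrl.startsWith('//') || /[\\\x00-\x1f]/.test(nextUrl)) {
    return fallback;
  }

  // Resolve dot segments first so "/clusterName/../x" cannot slip past the prefix check.
  const parsed = new URL(nextUrl, DUMMY_ORIGIN);
  if (parsed.origin !== DUMMY_ORIGIN) return fallback;
  const rest = parsed.search + parsed.hash;

  // Already under the base path: keep it unchanged.
  if (base === '' || parsed.pathname === base || parsed.pathname.startsWith(base + '/')) {
    return parsed.pathname + rest;
  }
  // Assumption: a path outside the base path is relative to it, so "/" becomes
  // "/clusterName/" instead of the site root.
  return base + parsed.pathname + rest;
}

// Constructed sample inputs, modelled on the URLs quoted in the report.
const samples = [
  '/',                      // the failing case from the report
  '/clusterName/app/home',  // the working case from the report
  '/app/home?x=1#frag',
  '//other.example/x',
  'https://other.example/',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveNextUrl(s, '/clusterName'));
}
```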