[BUG] Missing background refresh of OIDC access_token

[MMerzinger]

Describe the bug

The opensearch-dashboards app does not use the OIDC refresh token, despite having refresh_tokens: true in the config.

This leads to a full page refresh every 5mins (as our access_token has a 5min ttl). In the browser log we can see that a redirect to Keycloak happens (login via Kerberos) and a new access_token is issued.

To Reproduce Steps to reproduce the behavior:

1. Configure Keycloak as identity provider (https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
2. Configure opensearch with OIDC

      config.yml: |
         _meta:
           type: "config"
           config_version: 2
         config:
           dynamic:
             authc:
               basic_internal_auth_domain:
                 http_enabled: true
                 transport_enabled: true
                 order: 1
                 http_authenticator:
                   type: basic
                   challenge: false
                 authentication_backend:
                   type: intern
               openid_auth_domain:
                 http_enabled: true
                 transport_enabled: true
                 order: 0
                 http_authenticator:
                   type: openid
                   challenge: false
                   config:
                     openid_connect_idp:
                       enable_ssl: true
                       verify_hostnames: true
                       skip_users:
                         - <REMOVED>
                     subject_key: preferred_username
                     roles_key: roles
                     openid_connect_url: https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration

3. Configure opensearch-dashboards with OIDC and token_refresh: true

   opensearch_dashboards.yml:
   
     logging.verbose: true
   
     server.host: "0.0.0.0"
   
     opensearch.hosts: ["https://opensearch-cluster-master:9200"]
     opensearch.ssl.verificationMode: none # Disabled for testing
     opensearch.ssl.certificateAuthorities: [ "/path/to/our/cert/tls.crt" ]
     opensearch.username: "<REMOVED>"
     opensearch.password: "<REMOVED>"
     opensearch.requestHeadersWhitelist: [ "Authorization", "security_tenant", "securitytenant" ]
   
     opensearch_security.multitenancy.enabled: true
     opensearch_security.multitenancy.tenants.preferred: ["SHARED"]
     opensearch_security.multitenancy.tenants.enable_private: false
     opensearch_security.multitenancy.tenants.enable_global: false
     opensearch_security.readonly_mode.roles: ["kibana_read_only"]
     opensearch_security.cookie.secure: false
     opensearch_security.auth.type: "openid"
     opensearch_security.openid.refresh_tokens: true
     opensearch_security.openid.connect_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration"      
     opensearch_security.openid.client_id: "opensearch"
     opensearch_security.openid.client_secret: "<REMOVED>"
     opensearch_security.openid.base_redirect_url: "https://<OPENSEARCH_HOST>"
     opensearch_security.openid.verify_hostnames: "false" # Disabled for testing
     opensearch_security.openid.scope: "openid"
     opensearch_security.openid.logout_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/protocol/openid-connect/logout"
     opensearch_security.openid.extra_storage.cookie_prefix: "security_authentication_oidc"
     opensearch_security.openid.extra_storage.additional_cookies: 10 # Usually around 3 cookies, some power users need more

4. Make sure your access_token is issued with a ttl of about 5mins
5. Login to opensearch-dashboards
6. Go to discover and query any of the available index patterns. Wait here 5 mins.
7. Open the Network Tab of the Browser Developer Tools
8. Click on refresh (not the browser refresh -> use the refresh button of the opensearch-dashboards app)
9. Observe that the API returns a 401 and a redirect to Keycloak

Expected behavior The opensearch-dashboards app uses the refresh token in the background to request a new access_token (and no redirect to Keycloak).

OpenSearch Version 2.13.0

Dashboards Version 2.13.0

Plugins

All plugins installed by default (see https://opensearch.org/docs/latest/install-and-configure/plugins/#bundled-plugins).

We rely mainly on the opensearch-security, opensearch-index-management and notifications plugin.

Screenshots

Host/Environment (please complete the following information):

• OS: Containers from DockerHub (Amazon Linux 2023.4.20240401) with the tag 2.13.0, deployed on Kubernetes (GKE) v1.27.8-gke.1500 using the helm chart 2.19 (opensearch) and 2.17 (opensearch-dashboards)
• Browser: Chrome 124.0.6367.119

Additional context

Related issues

• https://forum.opensearch.org/t/opensearch-dashboards-can-not-auto-refresh-access-token/14949
• https://github.com/opensearch-project/security-dashboards-plugin/issues/1522

We had to increase our access_token ttl as an intermediate solution, as described in the issue 1522.

[kavilla]

@opensearch-project/admin @opensearch-project/triage could we move this to the secuirty dashboards plugin repo.

[jpelletier412]

We are experiencing the same issue with the same setup - Opensearch 2.13.0, Opensearch-Dashboards 2.13.0, using Keycloak as our Oauth provider.

[scrawfor99]

[Triage] Hi @MMerzinger thank you for filing this issue. I think this is the result of some changes recently made by @derek-ho around handling of the refresh tokens. Derek could you share whether this is intended etc.?

[Jakob3xD]

With Opensearch 2.15 it seems to be fixed. At least for me.

[derek-ho]

Thanks @Jakob3xD for confirming! Yes @cwperks and @Alankarsharma merged in a fix for this in 2.15. After upgrade this problem should go away. Closing