Closed MMerzinger closed 3 days ago
@opensearch-project/admin @opensearch-project/triage could we move this to the security dashboards plugin repo?
We are experiencing the same issue with the same setup - Opensearch 2.13.0, Opensearch-Dashboards 2.13.0, using Keycloak as our Oauth provider.
[Triage] Hi @MMerzinger thank you for filing this issue. I think this is the result of some changes recently made by @derek-ho around handling of the refresh tokens. Derek could you share whether this is intended etc.?
With Opensearch 2.15 it seems to be fixed. At least for me.
Thanks @Jakob3xD for confirming! Yes @cwperks and @Alankarsharma merged in a fix for this in 2.15. After upgrade this problem should go away. Closing
Describe the bug
The opensearch-dashboards app does not use the OIDC refresh token, despite having
refresh_tokens: true
in the config. This leads to a full page refresh every 5mins (as our access_token has a 5min ttl). In the browser log we can see that a redirect to Keycloak happens (login via Kerberos) and a new access_token is issued.
To Reproduce
Steps to reproduce the behavior:
Configure opensearch-dashboards with OIDC and token_refresh: true
Expected behavior
The opensearch-dashboards app uses the refresh token in the background to request a new access_token (and no redirect to Keycloak).
OpenSearch Version 2.13.0
Dashboards Version 2.13.0
Plugins
All plugins installed by default (see https://opensearch.org/docs/latest/install-and-configure/plugins/#bundled-plugins).
We rely mainly on the opensearch-security, opensearch-index-management and notifications plugin.
Additional context
Related issues
We had to increase our access_token ttl as an intermediate solution, as described in the issue 1522.