[BUG] Dashboards permalink and iframe lose url param JWT on internal API calls #1621
Comments
Hi @dbanshee @opensearch-project/admin Could you please help transfer this to the Dashboards security team to look into?
[Triage] @dbanshee Thank you for filing this issue and providing an example configuration. @RyanL1997 Can you confirm if you can reproduce the issue from the description?
For the case without the iframe, I wasn't able to recreate the issue. I will go through the provided configuration again, but what I have found is that:
The expiration on this doesn't seem correct.
Hi again. I'll provide another example. Hope it helps. Video showing infinite loop on browser Dashboard link generated by Open-dashboards (added manually
Full opensearch config file:
Full opensearch security config file:
Full opensearch-dashboards config file:
Full tcpdump when accessing the permalink on Chrome (captured on port 5601)
Hey @RyanL1997 can you follow up on this again? Thanks.
Hi @dbanshee thanks for the details. After some investigation, I still couldn't reproduce the loop on my local, however, I do have trouble accessing the permalink of the dashboard with the jwt param added: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"} I'm actively looking into it and I will update my setup in the next comment.
Thanks @RyanL1997 let me know if you need anything.
Hi @dbanshee, were you able to address this issue or did you work with @RyanL1997 to? If not, we will need to revisit this.
Hello @scrawfor99. I still have the problem. All I know is what is in this thread.
[Triage] Thanks for following up @dbanshee. Going to mark this bug as triaged so that someone takes a look.
@dbanshee I was able to replicate your issue and see now that it's due to the JWT being too large. If it's possible to reduce the size of the token, that could help get you immediately beyond this issue, but a longer term fix could be to extend #1352 to the JWT backend as well. I made a POC on a branch here which resolves the issue, but need to add tests to verify the behavior.
thank you @cwperks
Closing this ticket as resolved. Cookie splitting was extended to JWT authentication.
Thanks for all @cwperks
Describe the bug
Dashboards permalink and iframe lose url param JWT on internal API calls.
After configuring Opensearch and OS-Dashboards to use the url param JWT and checking by curl that it works successfully, I tried to open the dashboards permalink and iframe generated by opensearch.
The browser enters an infinite loop (if the JWT token has expired, it directly returns Unauthorized as expected).
No browser debug output or opensearch dashboards log appears to be relevant, but capturing traffic on port 5601 I can check how the url_param jwt is lost on internal API calls (restapiinfo, configuration account api, …), returning HTTP 401 Unauthorized
I replicated the same calls with curl, adding url_param with the same token, and the request works.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected to show the dashboards successfully, but the browser enters an infinite loop.
OpenSearch Version
2.10.0
Also tested on 2.8.0
Dashboards Version
2.10.0
Also tested on 2.8.0
Plugins
Please list all plugins currently enabled
Host/Environment (please complete the following information):
Additional context
Configuration:
Opensearch Dashboards Config:
Manual curl to test internal APIs (adding jwtToken url param) works successfully:
Accessing the permalink with url_param and capturing network traffic. Internal calls lose url params and fail to authenticate: