-
Notifications
You must be signed in to change notification settings - Fork 162
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] OpenID sessions re-authentication every 5 minutes #2114
Comments
Hello @JordanBarnartt, can you check this related issue: #1966, we fixed a bug around refresh tokens in 2.15. Also, could you provide your IDP settings to see if this could possibly be a mis-configuration on the IDP side of things? |
Thanks for your attention, @derek-ho. I double-checked that this was still occurring, and it is. I had since enabled dual authentication using basic internal auth and OIDC. I note that after the ~5 minutes is up, an OIDC user is kicked back to the log in screen. This is different from the behaviour when only OIDC auth is enabled, which would cause a reload but would leave the user signed in. We're using Duo as an IdP. Here are screenshots of the relevant settings: |
@JordanBarnartt Can you take a look here: https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/#opensearch-security-configuration? I think the issue might be that you have to swap the order of basic auth and openid authC domains in config.yml. |
Thanks for pointing that out, @derek-ho, I missed the part about the importance of the ordering. I switched things around, so now my authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: username
roles_key: roles
openid_connect_url: https://example.com/oidc/<client_id>/.well-known/openid-configuration
authentication_backend:
type: noop However, whenever I attempt to sign in using SSO, I get the response If, in my I tried disabling multiple auth in our Do you have any idea what the issue might be? |
@JordanBarnartt is your full opensearch_dashboards.yml shared here: #2114 (comment)? If so I think you might be missing |
That the entire YML file, but we're passing the rest of the arguments as environment variables. Here's what the Dashboards process looks like:
|
Can you try setting challenge to be false for the basic authc domain? |
Okay, that solved the "unauthorized" issue. My config.yml file is now: authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: username
roles_key: roles
openid_connect_url: https://example.com/oidc/<client_id>/.well-known/openid-configuration
authentication_backend:
type: noop However, we're back to the original issue, unfortunately. Every 5 minutes, regardless of activity, an OpenID user gets pushed back to the login screen. |
Hello @derek-ho . Same issue is happening to us using security-dashboard-plugin and opensearch-dashboards version 2.16.0 In our case, we are using Gitlab. We are getting disconnected every 2 minutes but only being in the "Dev Tools" screen, it is not happening for example in Discover page. It happens sometimes that page is refreshed but not disconnected. But 9/10 times we are getting disconnected. What is your host/environment? OS: Kubernetes / Gitlab Logs:
Thank you, let me know if you need a new Bug to be open. |
@JordanBarnartt Have you tried adding the "scope" in
offline_access - is needed for refreshing the token |
We had similar issues. We upgraded from 2.14 to 2.17 and still the issue was present with the re-authentication every 5 minutes. Adding the option |
What is the bug?
We have configured Opensearch and Opensearch Dashboards to use OpenID authentication through Duo. However, every 5 minutes (so it seems, right on the dot), the application "refreshes" itself, briefly redirects through OpenID authentication URLs, then returns back to the webpage. This refresh does not occur automatically, but rather when something in the UI is interacted with after the 5 minute timer has passed. This reload can result in lost work as the page loads to whatever it's default state is (ex. if I am creating an index template, the site will reload back into
/app/opensearch_index_management_dashboards
, losing any unsaved work). This occurs regardless of whether there was user activity in that 5 minute period.How can one reproduce the bug?
Steps to reproduce the behavior:
opensearch-security/config.yml
as follows:opensearch_dashboards.yml
as follows:What is the expected behavior?
Activity should "reset" the reauthentication timer. The amount of time before re-authentication should either be configurable or take from a setting provided by the IdP.
What is your host/environment?
Do you have any additional context?
This problems seems similar to those described in https://forum.opensearch.org/t/opensearch-dashboards-with-openid-auth-frequent-session-timeouts/15893, #71, and #1522. However, the various proposed solutions do not work for us.
My plan is to temporarily disable OIDC auth for Dashboards, but I am willing to perform any troubleshooting that may help solve the issue.
The text was updated successfully, but these errors were encountered: