Comments (15)

cwperks avatar cwperks commented on July 24, 2024 1

I replicated the issue locally and received the following error [error][plugins][securityDashboards] Failed to resolve user tenant: Error: Failed authentication: Authentication Exception and looks like this error is somehow related to multi-tenancy. I am re-opening this issue.

Edit: FYI there is a related issue with OpenID where on re-login it does not resume where the user last was. This is being addressed in this PR: #1563

from security-dashboards-plugin.

jpelletier412 avatar jpelletier412 commented on July 24, 2024 1

@mueller-tobias Yeah we have had to implement the same workaround for the time being. Thanks for your response.

Thank you @cwperks for doing the investigation on the regression here and opening this issue back up.


jochen-kressin avatar jochen-kressin commented on July 24, 2024 1

Hi there! Thanks for the feedback regarding the "alternative solution" described in #1569

We're working on a PR and should be able to submit it today.

Then we probably need to follow up with integration tests. For this, I might need some assistance on how to configure the CI so that we can set up a short token expiration in a way that doesn't introduce unnecessary waiting for the token to expire.
Suggestions/ideas very welcome - I'll see what I can figure out in the meantime.


cwperks avatar cwperks commented on July 24, 2024 1

@jochen-kressin FYI @sebastianmichalski had worked on adding OIDC tests in a different repo here that set up Keycloak as part of the tests.

That PR is blocked in that repo since it's on Cypress9 and full support for cross-origin testing was not added until Cypress12. The repo is being updated to Cypress12, but before the upgrade can happen all dashboards plugins need to ensure their tests run with Cypress12.

@RyanL1997 is working on adding the cypress tests into this repo directly so that it can be updated independently of other dashboards plugins. Maybe we can use the setup introduced by @sebastianmichalski?


jochen-kressin avatar jochen-kressin commented on July 24, 2024 1

@cwperks Sorry for the late reply on this. So I compared the approach from dashboards-observability with a couple of other workflows I was able to find, including @RyanL1997's #1579

At the end of the day, in order to avoid duplicate work I think it makes sense that I pause the "GitHub-Workflow" side of the integration tests, and instead wait for Ryan's PR to be merged.
At least in the current state of his PR, he's already got Keycloak covered - and that's pretty much all that the integration test(s) for this OIDC regression would need (as long as the token lifespan is short, which it is by default: 60s).

Just ping me if you have any objections, otherwise I'll monitor the PR mentioned above and then submit the tests when it is done (or as a draft earlier perhaps).


scrawfor99 avatar scrawfor99 commented on July 24, 2024

[Triage] Hi @TobiasMuellerES, please review this topic discussed on the OpenSearch forum.


mueller-tobias avatar mueller-tobias commented on July 24, 2024

Hi @scrawfor99

thanks for your tips. I had already reviewed the topic in the forum before I opened the bug. The access token lifetime in Keycloak is already 6 minutes and I've added the ...refresh_token: true configuration to the opensearch_dashboards.yml without success.


wandersonlima avatar wandersonlima commented on July 24, 2024

Same problem here.
Version 2.6.0 works fine, but 2.9.0 throws BadCredentialsException: The token has expired after 5 minutes.

What is your host/environment?

  • OS: Kubernetes 1.26
  • Version 2.9.0

opensearch_dashboards.yml:

opensearch.ssl.verificationMode: none
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.client_id: xxxxxxxxxx
opensearch_security.openid.client_secret: xxxxxxxxxx
opensearch_security.openid.base_redirect_url: https://xxxxxxxxxxxxxxxxxx
opensearch_security.openid.connect_url: https://xxxxxxxxx/realms/kubernetes/.well-known/openid-configuration
opensearch_security.openid.scope: openid profile email groups
opensearch_security.openid.verify_hostnames: true
opensearch_security.openid.refresh_tokens: true


jpelletier412 avatar jpelletier412 commented on July 24, 2024

@mueller-tobias @wandersonlima Have either of you been able to find a solution for this issue? I too have added in the "refresh_tokens: true" line in opensearch-dashboards.yml and that does not fix the issue of an expired OpenID access token with Keycloak 21.1.1. I have now witnessed this issue in OpenSearch versions 2.7.0, 2.8.0, and 2.9.0. If you are still experiencing this issue, I feel this defect needs to be re-opened and addressed. I have also opened this in the OpenSearch Community with the same response of the refresh_tokens solution - https://forum.opensearch.org/t/receiving-error-after-access-token-expires/15412


mueller-tobias avatar mueller-tobias commented on July 24, 2024

@jpelletier412 The issue still persists. Our workaround was to increase the access token lifetime in Keycloak for this specific OpenID client. We're currently evaluating whether we invest more time in OpenSearch or switch to another solution like Grafana Loki or back to an ELK stack.


cwperks avatar cwperks commented on July 24, 2024

I believe there is a regression to the OIDC Refresh Token flow introduced in 2.7.0 that was introduced with the cookie splitting feature: #1352

See details in the description on here: #1569


scrawfor99 avatar scrawfor99 commented on July 24, 2024

[Triage] This issue is currently being worked on by @jochen-kressin after discovering a regression in the cookie splitting logic. Going to mark as triaged since this has a clear path forward from Jochen.


jochen-kressin avatar jochen-kressin commented on July 24, 2024

Hi again @cwperks,

so I've done some testing - @sebastianmichalski's script covers pretty much everything in terms of setting up Keycloak 👍

Regarding moving the integration tests to this repository - I'm not really sure where to put them.
I was looking in the main branch, but I can't find any Cypress tests there. The GitHub workflows seem to pull the testing repo and run the tests located there, e.g. https://github.com/opensearch-project/security-dashboards-plugin/blob/main/.github/workflows/cypress-test-tenancy-disabled.yml#L73

After looking around in @RyanL1997 repositories, it looks like you will add cypress/e2e/ to the plugin's root folder, but maybe you could point me in the right direction?


cwperks avatar cwperks commented on July 24, 2024

@jochen-kressin It may be worthwhile to look at dashboards-observability.

They are one repo that I know of that has functional tests in their repo so that they don't have to wait for the function test repo to upgrade cypress.


cwperks avatar cwperks commented on July 24, 2024

@jochen-kressin Sounds good to me. Thank you for working with @RyanL1997 on the setup of Cypress12/13 in this repo.

I'd be in favor of merging the fix for OIDC refresh tokens for 2.11 and adding functional tests with Cypress12 soon thereafter.

@DarshitChanpura @peternied @scrawfor99 @RyanL1997 What do you think about merging #1580 after CI has been fixed reacting to the default admin pw change and following that PR with one afterwards with functional tests for the change when #1579 is complete?

