Comments (15)
I replicated the issue locally and received the following error:
[error][plugins][securityDashboards] Failed to resolve user tenant: Error: Failed authentication: Authentication Exception
It looks like this error is somehow related to multi-tenancy. I am re-opening this issue.
Edit: FYI there is a related issue with OpenID where on re-login it does not resume where the user last was. This is being addressed in this PR: #1563
from security-dashboards-plugin.
@mueller-tobias Yeah we have had to implement the same workaround for the time being. Thanks for your response.
Thank you @cwperks for doing the investigation on the regression here and opening this issue back up.
from security-dashboards-plugin.
Hi there! Thanks for the feedback regarding the "alternative solution" described in #1569
We're working on a PR and should be able to submit it today.
Then we probably need to follow up with integration tests. For this, I might need some assistance on how to configure the CI so that we can set up a short token expiration in a way that doesn't introduce unnecessary waiting for the token to expire.
Suggestions/ideas very welcome - I'll see what I can figure out in the meantime.
from security-dashboards-plugin.
@jochen-kressin FYI @sebastianmichalski had worked on adding OIDC tests in a different repo here that set up Keycloak as part of the tests.
That PR is blocked in that repo since it's on Cypress9 and full support for cross-origin testing was not added until Cypress12. The repo is being updated to Cypress12, but before the upgrade can happen all dashboards plugins need to ensure their tests run with Cypress12.
@RyanL1997 is working on adding the cypress tests into this repo directly so that it can be updated independently of other dashboards plugins. Maybe we can use the setup introduced by @sebastianmichalski?
from security-dashboards-plugin.
@cwperks Sorry for the late reply on this. So I compared the approach from dashboards-observability with a couple of other workflows I was able to find, including @RyanL1997's #1579
At the end of the day, in order to avoid duplicate work I think it makes sense that I pause the "GitHub-Workflow" side of the integration tests, and instead wait for Ryan's PR to be merged.
At least in the current state of his PR, he's already got Keycloak covered - and that's pretty much all that the integration test(s) for this OIDC regression would need (as long as the token lifespan is short, which it is by default: 60s).
Just ping me if you have any objections, otherwise I'll monitor the PR mentioned above and then submit the tests when it is done (or as a draft earlier perhaps).
from security-dashboards-plugin.
[Triage] Hi @TobiasMuellerES, please review this topic discussed on the OpenSearch forum.
from security-dashboards-plugin.
Hi @scrawfor99
Thanks for your tips. I had already reviewed the topic in the forum before I had opened the bug. The access token lifetime in Keycloak is already 6 minutes and I've added the ...refresh_token: true configuration to the opensearch_dashboards.yml without success.
from security-dashboards-plugin.
Same problem here.
Version 2.6.0 works fine, but 2.9.0 throws "BadCredentialsException: The token has expired" after 5 minutes.
What is your host/environment?
- OS: Kubernetes 1.26
- Version 2.9.0
opensearch_dashboards.yml:
opensearch.ssl.verificationMode: none
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.client_id: xxxxxxxxxx
opensearch_security.openid.client_secret: xxxxxxxxxx
opensearch_security.openid.base_redirect_url: https://xxxxxxxxxxxxxxxxxx
opensearch_security.openid.connect_url: https://xxxxxxxxx/realms/kubernetes/.well-known/openid-configuration
opensearch_security.openid.scope: openid profile email groups
opensearch_security.openid.verify_hostnames: true
opensearch_security.openid.refresh_tokens: true
from security-dashboards-plugin.
@mueller-tobias @wandersonlima Have either of you been able to find a solution for this issue? I too have added in the "refresh_tokens: true" line in opensearch-dashboards.yml and that does not fix the issue of an expired OpenID access token with Keycloak 21.1.1. I have now witnessed this issue in OpenSearch versions 2.7.0, 2.8.0, and 2.9.0. If you are still experiencing this issue, I feel this defect needs to be re-opened and addressed. I have also opened this in the OpenSearch Community with the same response of the refresh_tokens solution - https://forum.opensearch.org/t/receiving-error-after-access-token-expires/15412
from security-dashboards-plugin.
@jpelletier412 The issue still persists. Our workaround was to increase the access token lifetime in Keycloak for this specific OpenID client. We're currently evaluating if we invest more time in OpenSearch or switch to another solution like Grafana Loki or back to an ELK stack.
from security-dashboards-plugin.
I believe there is a regression to the OIDC Refresh Token flow introduced in 2.7.0 that was introduced with the cookie splitting feature: #1352
See details in the description on here: #1569
from security-dashboards-plugin.
[Triage] This issue is currently being worked on by @jochen-kressin after discovering a regression in the cookie splitting logic. Going to mark as triaged since this has a clear path forward from Jochen.
from security-dashboards-plugin.
Hi again @cwperks,
so I've done some testing - @sebastianmichalski's script covers pretty much everything in terms of setting up Keycloak 👍
Regarding moving the integration tests to this repository - I'm not really sure where to put them.
I was looking in the main branch, but I can't find any Cypress tests there. The GitHub workflows seem to pull the testing repo and run the tests located there, e.g. https://github.com/opensearch-project/security-dashboards-plugin/blob/main/.github/workflows/cypress-test-tenancy-disabled.yml#L73
After looking around in @RyanL1997's repositories, it looks like you will add cypress/e2e/ to the plugin's root folder, but maybe you could point me in the right direction?
from security-dashboards-plugin.
@jochen-kressin It may be worthwhile to look at dashboards-observability.
They are one repo that I know of that has functional tests in their repo so that they don't have to wait for the function test repo to upgrade cypress.
from security-dashboards-plugin.
@jochen-kressin Sounds good to me. Thank you for working with @RyanL1997 on the setup of Cypress12/13 in this repo.
I'd be in favor of merging the fix for OIDC refresh tokens for 2.11 and add functional tests with Cypress12 soon thereafter.
@DarshitChanpura @peternied @scrawfor99 @RyanL1997 What do you think about merging #1580 after CI has been fixed reacting to the default admin pw change and following that PR with one afterwards with functional tests for the change when #1579 is complete?
from security-dashboards-plugin.