OpenID Connect

• Automatic configuration

  Point the security plugin to the metadata of your identity provider (IdP), and the security plugin uses that data for configuration.

• Automatic key fetching

  The security plugin automatically retrieves the public key for validating the JSON web tokens (JWTs) from the JSON web key set (JWKS) endpoint of your IdP. You don’t have to configure keys or shared secrets in .

• Key rollover

  You can change the keys used for signing the JWTs directly in your IdP. If the security plugin detects an unknown key, it tries to retrieve it from the IdP. This rollover is transparent to the user.

• OpenSearch Dashboards single sign-on

To integrate with an OpenID IdP, set up an authentication domain and choose openid as the HTTP authentication type. JSON web tokens already contain all required information to verify the request, so set challenge to false and authentication_backend to noop.

This is the minimal configuration:

The following table shows the configuration parameters.

OpenID Connect URL

OpenID Connect specifies various endpoints for integration purposes. The most important endpoint is well-known, which lists endpoints and other configuration options for the security plugin.

The URL differs between IdPs, but usually ends in /.well-known/openid-configuration.

http(s)://<server>:<port>/auth/realms/<realm>/.well-known/openid-configuration

The main information that the security plugin needs is jwks_uri. This URI specifies where the IdP’s public keys in JWKS format can be found. For example:

jwks_uri: "https://keycloak.example.com:8080/auth/realms/master/protocol/openid-connect/certs"

{
   keys:[
      {
         kid:"V-diposfUJIk5jDBFi_QRouiVinG5PowskcSWy5EuCo",
         kty:"RSA",
         alg:"RS256",
         use:"sig",
         n:"rI8aUrAcI_auAdF10KUopDOmEFa4qlUUaNoTER90XXWADtKne6VsYoD3ZnHGFXvPkRAQLM5d65ScBzWungcbLwZGWtWf5T2NzQj0wDyquMRwwIAsFDFtAZWkXRfXeXrFY0irYUS9rIJDafyMRvBbSz1FwWG7RTQkILkwiC4B8W1KdS5d9EZ8JPhrXvPMvW509g0GhLlkBSbPBeRSUlAS2Kk6nY5i3m6fi1H9CP3Y_X-TzOjOTsxQA_1pdP5uubXPUh5YfJihXcgewO9XXiqGDuQn6wZ3hrF6HTlhNWGcSyQPKh1gEcmXWQlRENZMvYET-BuJEE7eKyM5vRhjNoYR3w",
         e:"AQAB"
      }
   ]

For more information about IdP endpoints, see the following:

• Keycloak
• Connect2ID
• IBM OpenID Connect

When an IdP generates and signs a JSON web token, it must add the ID of the key to the JWT header. For example:

As per the , the kid (key ID) is mandatory. Token verification does not work if an IdP fails to add the kid field to the JWT.

If the security plugin receives a JWT with an unknown kid, it visits the IdP’s jwks_uri and retrieves all available, valid keys. These keys are used and cached until a refresh is triggered by retrieving another unknown key ID.

Key rollover and multiple public keys

The security plugin can maintain multiple valid public keys at once. The OpenID specification does not allow for a validity period of public keys, so a key is valid until it has been removed from the list of valid keys in your IdP and the list of valid keys has been refreshed.

If you want to roll over a key in your IdP, follow these best practices:

• Create a new key pair in your IdP, and give the new key a higher priority than the currently used key.

  Your IdP uses this new key over the old key.

• Upon first appearance of the new kid in a JWT, the security plugin refreshes the key list.

  At this point, both the old key and the new key are valid. Tokens signed with the old key are also still valid.

• The old key can be removed from your IdP when the last JWT signed with this key has timed out.

To prevent man-in-the-middle attacks, you should secure the connection between the security plugin and your IdP with TLS.

Use the following parameters to enable TLS for connecting to your IdP:

config:
  openid_connect_idp:
    enable_ssl: <true|false>
    verify_hostnames: <true|false>

Certificate validation

To validate the TLS certificate of your IdP, configure either the path to the IdP’s root CA or the root certificate’s content:

config:
  openid_connect_idp:
    enable_ssl: true
    pemtrustedcas_filepath: /full/path/to/trusted_cas.pem

config:
  openid_connect_idp:
    enable_ssl: true
    pemtrustedcas_content: |-
      MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzETMBEGCgmSJomT8ixk
      ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
      bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh
      ...

To use TLS client authentication, configure the PEM certificate and private key the security plugin should send for TLS client authentication (or its content):

config:
  openid_connect_idp:
    enable_ssl: true
    pemkey_content: |-
      MIID2jCCAsKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBlTETMBEGCgmSJomT8ixk
      ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
      bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD
    pemkey_password: private_key_password
    pemcert_content: |-
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCHRZwzwGlP2FvL
      oEzNeDu2XnOF+ram7rWPT6fxI+JJr3SDz1mSzixTeHq82P5A7RLdMULfQFMfQPfr
      WXgB4qfisuDSt+CPocZRfUqqhGlMG2l8LgJMr58tn0AHvauvNTeiGlyXy0ShxHbD
    ...

Enabled ciphers and protocols

You can limit the allowed ciphers and TLS protocols by using the following keys.

(Advanced) DoS protection

To help protect against denial-of-service (DoS) attacks, the security plugin only allows a maximum number of new key IDs in a certain span of time. If the number of new key IDs exceeds this threshold, the security plugin returns HTTP status code 503 (Service Unavailable) and refuses to query the IdP. By default, the security plugin does not allow for more than 10 unknown key IDs within 10 seconds. The following table shows how to modify these settings.

Activate OpenID Connect by adding the following to opensearch_dashboards.yml:

OpenID Connect providers usually publish their configuration in JSON format under the metadata url. Therefore, most settings can be pulled in automatically, so the OpenSearch Dashboards configuration becomes minimal. The most important settings are the following:

• Connect URL

• Client ID

  Every IdP can host multiple clients (sometimes called applications) with different settings and authentication protocols. When enabling OpenID Connect, you should create a new client for OpenSearch Dashboards in your IdP. The client ID uniquely identifies OpenSearch Dashboards.

• Client secret

  Beyond the ID, each client also has a client secret assigned. The client secret is usually generated when the client is created. Applications can obtain an identity token only when they provide a client secret. You can find this secret in the settings of the client on your IdP.

Configuration parameters

# Enable OpenID authentication
opensearch_security.auth.type: "openid"
# The IdP metadata endpoint
opensearch_security.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"
# The ID of the OpenID Connect client in your IdP
opensearch_security.openid.client_id: "opensearch-dashboards-sso"
# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: "a59c51f5-f052-4740-a3b0-e14ba355b520"
# Use HTTPS instead of HTTP
opensearch.url: "https://<hostname>.com:<http port>"
# Configure the OpenSearch Dashboards internal server user
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
# Disable SSL verification when using self-signed demo certificates
opensearch.ssl.verificationMode: none
opensearch.requestHeadersAllowlist: ["Authorization", "security_tenant"]

OpenSearch security configuration

Modify and apply the following example settings in :