[chat] Integrate "On Behalf Of" Bearer Token usage with AG-UI authorization flow AG-UI

[epugh]

Description

Users need to make calls to OpenSearch using their current logged in identity via the Chat plugin.

The flow is OSD --> Chat --> OpenSearch Agent Server --> OpenSearch MCP Tools Service --> OpenSearch.

This specifically integrates the OBO token flow by requesting this secure token via:

OSD --> Chat --> Security Plugin OBO --> Chat --> OpenSearch Agent Server --> OpenSearch MCP Tools Service --> OpenSearch

Issues Resolved

n/a

Screenshot

n/a

Testing the changes

Set up a secure OpenSearch server and OpenSearch Dashboards. Configure Agent Server and MCP Tool Server and send tool chain through. The forwardCredentials is the key thing:

opensearch_dashboards.yml:

chat:
  enabled: true
  forwardCredentials: true
  agUiUrl: "http://localhost:8001/runs"

We did End 2 End testing using the Chorus reference implementation: o19s/chorus-opensearch-edition#175 to validate all the data flows.

Changelog

• skip

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[github-actions]

Persistent review updated to latest commit 599b878

[github-actions]

✅ All unit tests passing

🔗 Workflow run · commit 4ea08017df4a41c39c8fa2e3c11b7a51cfbd43f9

[mingshl]

The CI failures are not related to the code changes, @seraphjiang @SuZhou-Joe @cwperks would you review the new commit using OBO token?

[Hailong-am]

Another thing in my mind is we need to consider about multiple data source. With MDS, it supports different authentication method. It will not use the token for current login user instead of the credential for datasource.

1. Username & Password: A basic username and password are used to connect to the data source.
2. AWS SigV4: An AWS Signature Version 4 authenticating request is used to connect to the data source. AWS Signature Version 4 requires an access key and a secret key.

@cwperks will OBO support cross cluster which means OBO token issued at cluster A and it could use in cluster B?

[cwperks]

@cwperks will OBO support cross cluster which means OBO token issued at cluster A and it could use in cluster B?

If they share the same signing_key then yes. This is a symmetric key and used for both issuance and verification of the tokens.

[cwperks]

nit: can we use the endpoint /_plugins/_security/api/obo/token. Its the same endpoint, without all the verbiage of this and introduced in the same release (3.6.0)

[cwperks]

@mingshl the latest changes lgtm. Is there any way to e2e test this on the agent server side in an automated way?

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 4ea0801.

Path	Line	Severity	Description
src/plugins/chat/server/routes/index.ts	78	medium	OBO token (which carries user identity) is forwarded as an Authorization Bearer header to the external agUiUrl endpoint. If agUiUrl is misconfigured, compromised, or points to an untrusted server, user credentials will be exfiltrated. The risk is mitigated by defaulting forwardCredentials to false, but the attack surface exists for any deployment that enables the feature with an incorrectly configured URL.
src/plugins/chat/server/routes/index.ts	42	low	The generateOboToken function logs the full agUiUrl at INFO level upon every successful token generation. In environments where logs are aggregated (SIEM, cloud log services), this could leak internal service topology or assist an attacker in mapping trusted AG-UI endpoints that accept OBO tokens.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

Persistent review updated to latest commit 4ea0801

[mingshl]

@cwperks Thanks for the review! I added use /_plugins/_security/api/obo/token instead . @eric has a chorus open source dashboard that can allow you to test the new changes with E2E workflow. @epugh Let us know when it's ready to test. Thank you!!

[epugh]

I am going to go through https://docs.opensearch.org/latest/security/access-control/authentication-tokens/ and I might ping you on Friday @cwperks before my working session with @mingshl. Thanks team!

[cwperks]

I am going to go through https://docs.opensearch.org/latest/security/access-control/authentication-tokens/ and I might ping you on Friday @cwperks before my working session with @mingshl. Thanks team!

Works for me. FYI I am making slight alterations to those docs for 3.6: opensearch-project/documentation-website#12109

[mingshl]

We had an offline section that pull up this PR along with some new commits on security plugin and we can verify some test cases that the OBO token is working, Would you review and approve if no major concerns? We are hoping to get in the 3.6 release by EOD.

@cwperks @seraphjiang @kkhatua

[epugh]

THANKYOU SO MUCH!