opensearch dashboards not working with jwt token in url

[vinaykumar4s]

opensearch dashboards not working with jwt token in url

I am trying to access opensearch dashboards through jwt in url param and its not working

To Reproduce
Steps to reproduce the behavior:
setup opensearch-1.1.0 and opensearch-dashboards-1.1.0 using tarball installtion
https://opensearch.org/docs/latest/opensearch/install/tar/

opensearch.yml

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:

• CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-", ".opendistro-notifications-", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

discovery.type: single-node

opensearch-dashboards.yml
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "admin"
opensearch.password: "admin"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant,Authorization ]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

Use this setting if you are running kibana without https

#opensearch_security.cookie.secure: true

Use this setting on https

#opensearch_security.cookie.isSameSite: "None"

server.host: "0.0.0.0"
server.port: 5601

opensearch_security.auth.type: "jwt"

security config.. config.yml

basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false #set to false if your running muliple auth enable. lke SAML and BasicAuth otherwise set to true
authentication_backend:
type: intern

jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "somekey"
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: roles
subject_key: sub
authentication_backend:
type: noop

Expected behavior
opensearch-dashboards should accept the jwt token in url and authenticate user

OpenSearch Version
opensearch-1.1.0.

Dashboards Version
opensearch-dashboards-1.1.0

Plugins
opensearch-alerting 1.1.0.0
opensearch-anomaly-detection 1.1.0.0
opensearch-asynchronous-search 1.1.0.0
opensearch-cross-cluster-replication 1.1.0.0
opensearch-index-management 1.1.0.0
opensearch-job-scheduler 1.1.0.0
opensearch-knn 1.1.0.0
opensearch-notebooks 1.1.0.0
opensearch-performance-analyzer 1.1.0.0
opensearch-reports-scheduler 1.1.0.0
opensearch-security 1.1.0.0
opensearch-sql 1.1.0.0

Screenshots
when i access dashboards via https://host:5601/authorization=tokenhere on browser i am getting 404. i tried using curl still same error

curl output

Host/Environment (please complete the following information):

• OS: [ NAME="CentOS Linux"
  VERSION="7 (Core)"
  ID="centos"
  ID_LIKE="rhel fedora"
  VERSION_ID="7"
  PRETTY_NAME="CentOS Linux 7 (Core)"
  ANSI_COLOR="0;31"
  CPE_NAME="cpe:/o:centos:centos:7"
  HOME_URL="https://www.centos.org/"
  BUG_REPORT_URL="https://bugs.centos.org/"
  CENTOS_MANTISBT_PROJECT="CentOS-7"
  CENTOS_MANTISBT_PROJECT_VERSION="7"
  REDHAT_SUPPORT_PRODUCT="centos"
  REDHAT_SUPPORT_PRODUCT_VERSION="7" ]
• Browser and version [
  
  

]

Additional context

its working with opensearch. Means if do curl against opensearch and set header Bearer token its working. Not only that if i do curl to opensearch-dashboard using bearer token in header i am getting success response. below is the screenshot

and also documentation is not upt to date for configuring jwt. if you specify enabled: true on configuration its not working and throwing error saying invalid value
https://opensearch.org/docs/latest/security-plugin/configuration/configuration/#json-web-token

[vinaykumar4s]

i tried same scenario with opendistro latest version and i had same issue. Then i have added opendistro_security.jwt.url_param: authorization in kibana.yml and its worked. i tried same property in opensearch-dashboard.yml but its failed with validation error. looks like opendistro_security.jwt.url_param: authorization property is not acceptable in opensearch-dashboard.yml .

[kavilla]

Hello @vinaykumar4s, thanks for opening this. Will reroute to Security plugin to take.

[oliryde]

when i access dashboards via https://host:5601/authorization=tokenhere on browser i am getting 404. i tried

To include the token as a parameter you will need to prefix ? making it look like this:

https://host:5601/?authorization=tokenhere

That would at least explain how your request could result in a 404.

[ohuseyinoglu]

opensearch dashboards not working with jwt token in url
jwt_url_parameter: null

In addition to what @oliryde mentioned, I think this parameter also needs to be set for passing the token in URL to work.

I'm after something similar myself, and will try to test and report back here. But until then, if you have the chance, please test this as well.

[hlakk]

I can confirm that in OpenSearch Dashboards 2.0.1 (docker) jwt token is not recognized as query parameter unless the name of the parameter is urlParamName. Problem seems to be the quotes around variable name in jwt_auth.ts#L60 & jwt_auth.ts#L84

However, jwt token as query parameter does work as expected in OpenSearch Dashboards 1.2.0 (docker).

[peternied]

Thanks for tracking down that root cause @hlakk

[hlakk]

Jwt authentication in Dashboards has stopped working again after upgrading from 2.3.0 to 2.4.1. I provide jwt token as url parameter.

When jwt authentication is enabled OpenSearch Dashboards return {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"} for all requests. Jwt authentication still works for OpenSearch REST API when token given as url parameter. Basic authentication works both Dashboards and OpenSearch REST API.

Configuration that worked on 2.3.0 but does not work on 2.4.1 (did not test 2.4.0):

opensearch_dashboards.yml:

opensearch_security.jwt.enabled: true
opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: "jwt"

opensearch-security/config.yml:

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: <removed>
            jwt_header: "Authorization"
            jwt_url_parameter: "jwt"
            roles_key: "roles"
            subject_key: "sub"
        authentication_backend:
          type: noop

On 2.4.1:

• https://host:9200?jwt=eyJ0eXA... works.
• https://host:5601/app/dashboards?jwt=eyJ0eXA... does not work.

Is it possible to set OpenSearch Dashboards logging more verbose?

[peternied]

@hlakk Thanks for letting us know this is still an issue.

@RyanL1997 Could look into this? Seems also like we should really have a scenario test that confirms this behavior if there are regressions :(

[hlakk]

Thanks for quick reply @peternied.

Configuration that worked on 2.3.0 but does not work on 2.4.1 (did not test 2.4.0):
[...]

I did some experiments in dockerized environment and found out that JWT login stopped working already in OpenSearch Dashboards 2.4.0. Furthermore, at least basic functions of Dashboards 2.3.0 seem to work with OpenSearch 2.4.1.

For now, my plan is to downgrade (just) OpenSearch Dashboards back to 2.3.0.

Please let me know if there are any jwt/login related configuration changes I have missed. Already played with new configuration opensearch_security.auth.multiple_auth_enabled (as false) without success.

[cwperks]

@hlakk Thank you for confirming that it works in 2.3.0, but not 2.4.1. Judging by that, I looked at the commits affecting jwt_auth.ts that were added between the versions and it looks like there is only one: eee08a5#diff-aee02d7ca9207e486e1d457b410083f9a360ed78193028cea11da85e97f61a3d

In that change I see that a function signature for getAdditionalAuthHeader was changed from:

  protected getAdditionalAuthHeader(...

to

  async getAdditionalAuthHeader(...

I believe that await needs to be added to this line https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/authentication_type.ts#L115 so that it waits for the async call to complete.