OpenID Connect troubleshooting

    To help troubleshoot OpenID Connect, set the log level to on OpenSearch. Add the following lines in config/log4j2.properties and restart the node:

    This setting prints a lot of helpful information to your log file. If this information isn’t sufficient, you can also set the log level to trace.

    This error indicates that the Security plugin can’t reach the metadata endpoint of your IdP. In opensearch_dashboards.yml, check the following setting:

    1. plugins.security.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"

    This indicates that one or more of the OpenSearch Dashboards configuration settings are missing.

    Check opensearch_dashboards.yml and make sure you have set the following minimal configuration:

    2. plugins.security.openid.client_id: "..."
    3. plugins.security.openid.client_secret: "..."

    This error has several potential root causes.

    To trade the access token for an identity token, most IdPs require you to provide a client secret. Check if the client secret in opensearch_dashboards.yml matches the client secret of your IdP configuration:

    This error is logged on OpenSearch and means that the username could not be extracted from the ID token. Make sure the following setting matches the claims in the JWT your IdP issues:

    1. openid_auth_domain:
    2.   order: 1
    4.     type: "openid"
    5.     ...
    6.     config:
    7.       subject_key: <subject key>

    This error indicates that the roles key you configured in config.yml does not exist in the JWT issued by your IdP. Make sure the following setting matches the claims in the JWT your IdP issues: