[FEATURE] Multi-auth dashboards support for JWT
10000-ki opened this issue · comments
Is your feature request related to a problem?
What solution would you like?
Hello,
we can set the order of auth in OpenSearch:
```yaml
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      # oidc with jwks_uri
      jwks_auth_domain:
        description: "Authenticate via JWKS"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            jwt_header: "Authorization"
            jwt_url_parameter: null
            subject_key: "sub"
            roles_key: "scp"
            jwks_uri: {{ jwksUri }}
        authentication_backend:
          type: noop
      # basic auth, using internal user db
      basic_internal_auth_domain:
        description: "Authenticate using HTTP basic against the internal users database"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
```
but Dashboards does not.
So in Dashboards, JWT and basic_auth cannot be used simultaneously.
What alternatives have you considered?
Do you have any additional context?
I hope it will be supported like in OpenSearch.
@10000-ki That's correct, it's not currently supported at the moment. For multi-auth, the currently supported options are openid, saml and basic. List of supported options: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L55-L100
I believe it would be possible to add JWT here, but there should be testing done with different combinations.
When JWT is enabled as a sign in option for dashboards you supply the token through a URL param and avoid the login page entirely.
I see.
For token-based authentication, the login screen should not be visible
And for basic_auth-based authentication, the login screen should be visible
So are you saying that the test for this situation is complicated?
[Triage] Hi @10000-ki, thanks for filing this issue. From the conversation, it looks like the goal here is to add multi-auth support for dashboards to be able to support both Basic auth and JWT auth. I have renamed this issue for you and we can go ahead and close this when:
- There is correct UI handling for the login skip
- Tests are added on the cypress suite for checking the correct auth flows
Yes, I agree.