opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards

Home Page: https://opensearch.org/docs/latest/security-plugin/index/

[FEATURE] Multi-auth dashboards support for JWT

10000-ki opened this issue · comments

Is your feature request related to a problem?

What solution would you like?

Hello,

we can set the order of auth in OpenSearch:

config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false

        authc:
          # oidc with jwks_uri
          jwks_auth_domain:
            description: "Authenticate via JWKS"
            http_enabled: true
            transport_enabled: false
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                jwt_header: "Authorization"
                jwt_url_parameter: null
                subject_key: "sub"
                roles_key: "scp"
                jwks_uri: {{ jwksUri }}
            authentication_backend:
              type: noop

          # basic auth, using internal user db
          basic_internal_auth_domain:
            description: "Authenticate using HTTP basic against the internal users database"
            http_enabled: true
            transport_enabled: false
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: internal

but Dashboards cannot.

So in Dashboards, JWT and basic_auth cannot be used simultaneously.

What alternatives have you considered?

Do you have any additional context?

I hope it will be supported like in OpenSearch.
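To make the order/challenge semantics of the config above concrete, here is an added Python model (not the plugin's own code) of how OpenSearch walks the two authc domains: the openid domain reads the JWT from the Authorization header and, with challenge: false, silently falls through on a missing or bad token, while the basic domain is the one that challenges the client. Signature checks use a constructed HMAC key in place of the jwks_uri key set; the key, user and password are made up for the demo.

```python
import base64, hashlib, hmac, json

# Constructed model of the two authc domains from the issue's config.yml. A shared
# HMAC key stands in for the jwks_uri key set so the demo runs offline.
DOMAINS = [
    {"name": "jwks_auth_domain", "type": "openid", "order": 0, "challenge": False},
    {"name": "basic_internal_auth_domain", "type": "basic", "order": 1, "challenge": True},
]
JWT_KEY = b"constructed-demo-key"            # stands in for the JWKS keys
INTERNAL_USERS = {"kibanaserver": "demo-pw"}  # stands in for the internal user DB

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint an HS256 token for the demo (a real IdP signs with its JWKS key)."""
    head, body = b64u(json.dumps({"alg": "HS256"}).encode()), b64u(json.dumps(claims).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def try_openid(auth):
    # jwt_header: Authorization, subject_key: sub, roles_key: scp
    if not auth or not auth.startswith("Bearer ") or auth.count(".") != 2:
        return None
    head, body, sig = auth[7:].split(".")
    good = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, unb64u(sig)):
        return None  # bad signature: challenge is false, so fall through to the next domain
    claims = json.loads(unb64u(body))
    scp = claims.get("scp", [])
    roles = scp.split() if isinstance(scp, str) else list(scp)  # scp may be a string or a list
    return {"user": claims["sub"], "roles": roles}

def try_basic(auth):
    if not auth or not auth.startswith("Basic "):
        return None
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    return {"user": user, "roles": []} if INTERNAL_USERS.get(user) == pw else None

def authenticate(headers: dict) -> dict:
    """Walk the domains by order; if none accepts, challenge only if some domain has challenge: true."""
    auth = headers.get("Authorization")
    for dom in sorted(DOMAINS, key=lambda d: d["order"]):
        result = try_openid(auth) if dom["type"] == "openid" else try_basic(auth)
        if result:
            return {"status": 200, "domain": dom["name"], **result}
    challenge = any(d["challenge"] for d in DOMAINS)
    return {"status": 401, "www_authenticate": 'Basic realm="OpenSearch"' if challenge else None}
```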

@10000-ki That's correct, it's not currently supported. For multi-auth, the currently supported options are openid, saml and basic. List of supported options: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L55-L100

I believe it would be possible to add JWT here, but there should be testing done with different combinations.

When JWT is enabled as a sign in option for dashboards you supply the token through a URL param and avoid the login page entirely.

I see.

For token-based authentication, the login screen should not be visible,
and for basic_auth-based authentication, the login screen should be visible.

So are you saying that the test for this situation is complicated?

[Triage] Hi @10000-ki, thanks for filing this issue. From the conversation, it looks like the goal here is to add multi-auth support for dashboards to be able to support both Basic auth and JWT auth. I have renamed this issue for you and we can go ahead and close this when:

  • There is correct UI handling for the login skip
  • Tests are added on the cypress suite for checking the correct auth flows

@scrawfor99

Yes, I agree.