[BUG] OIDC redirect fails when custom security_tenant used #2149

Closed
tr0k opened this issue Nov 29, 2024 · 2 comments
Labels: bug (Something isn't working), triaged

tr0k commented Nov 29, 2024

What is the bug?

In v2.15 the redirect to a goto dashboard with OIDC and custom security_tenant redirects back with an Internal 500 error due to missing security_tenant property in the URL.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a short URL from a dashboard like inside a custom tenant such as "test": goto/1234586f487e962d0dffb912345?security_tenant=test
  2. Start a new OpenSearch Dashboards session with clean cookies.
  3. Access the /goto/* URL and go via the OIDC login page.
  4. In the web browser after the redirect you can see
     {"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred."}
     due to missing ?security_tenant
  5. See the error in the OpenSearch Dashboards logs:

{"type":"log","@timestamp":"2024-11-29T11:13:22Z","tags":["error","http","server","OpenSearchDashboards"],"pid":969180,"message":"TypeError: Cannot read properties of undefined (reading 'location')\n
 at addTenantParameterToResolvedShortLink (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/multitenancy/tenant_resolver.ts:213:46)\n    at /usr/share/opensearch-dashboards/plugins/sec
urityDashboards/server/plugin.ts:140:46\n    at interceptPreResponse (/usr/share/opensearch-dashboards/src/core/server/http/lifecycle/on_pre_response.js:107:30)\n    at exports.Manager.execute (/usr/sha
re/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:57:29)\n    at Request._invoke (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:398:55)\n    at processTicksAndRej
ections (node:internal/process/task_queues:95:5)\n    at Request._postCycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:469:32)\n    at Request._reply (/usr/share/opensearch
-dashboards/node_modules/@hapi/hapi/lib/request.js:448:9)"}
{"type":"error","@timestamp":"2024-11-29T11:13:22Z","tags":[],"pid":969180,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiRes
ponseAdapter.toInternalError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:69:19)\n    at interceptPreResponse (/usr/share/opensearch-dashboards/src/core/server/http/
lifecycle/on_pre_response.js:139:34)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:57:29)\n    at Request._invoke (/usr/share/opensearch-dashbo
ards/node_modules/@hapi/hapi/lib/request.js:398:55)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at Request._postCycle (/usr/share/opensearch-dashboards/node_modules/@
hapi/hapi/lib/request.js:469:32)\n    at Request._reply (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:448:9)"},"url":"http://localhost:XXXX/goto/123451234512345","message":"Internal Server Error"}
(...)
"connection":"Keep-Alive","securitytenant":""},"remoteAddress":"::1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) C
hrome/131.0.0.0 Safari/537.36"},"res":{"statusCode":500,"responseTime":23,"contentLength":9},"message":"GET

What is the expected behavior?
Redirect to goto/1234586f487e962d0dffb912345?security_tenant=test with the ?security_tenant=test instead.
This works when used explicitly after the OIDC session has been initialized.

What is your host/environment?

  • OpenSearch Dashboards: 2.15
  • Plugins: security plugin
  • OIDC Dashboards config:
opensearch:
 password: "XXX"
 username: 'XXX'
 hosts: 'https://localhost:XXXX'
 ssl.verificationMode: 'certificate'
 ssl.certificateAuthorities: 'XXX.crt'
 requestHeadersWhitelist: ['securitytenant', 'Authorization', 'x-proxy-user', 'cookie', 'x-forwarded-for', 'X-Api-key', 'X-Forwarded-User', 'X-Forwarded-For', 'x-tenants-enabled']
 requestTimeout: 600000

opensearch_security:
 auth:
   type: 'openid'
 cookie:
   secure: true
   ttl: 86400000
 session:
   ttl: 86400000
   keepalive: true
 multitenancy:
   enabled: true
   tenants:
     enable_private: true
     enable_global: true
     preferred: ['Global','Private']

 readonly_mode.roles: ['kibana_read_only']
 openid:
   scope: 'openid'
   base_redirect_url: 'https://XXX/dashboards'
   connect_url: 'https://auth.XXX/.well-known/openid-configuration'
   client_id: 'XXX'
   client_secret: "XXXX"
   refresh_tokens: true

tr0k added the bug and untriaged labels on Nov 29, 2024
cwperks added the triaged label and removed the untriaged label on Dec 2, 2024

cwperks (Member) commented Dec 2, 2024

[Triage] Thank you for filing this issue @tr0k. I believe #2140 will resolve this issue and it's targeted for the next release 2.19.0.

tr0k (Author) commented Dec 2, 2024

Thank you @cwperks, indeed I missed the other open issue.

tr0k closed this as completed on Dec 2, 2024
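
The logged TypeError is raised in `addTenantParameterToResolvedShortLink` while reading `location` from an undefined value. As an added illustration (not the plugin's code and not the change in #2140), a hypothetical pre-response helper that appends `security_tenant` to a redirect target and passes through any response that carries no `Location`; the function names, the `{ statusCode, headers }` response shape and the sample values are assumptions constructed for this example.

```javascript
// Added illustration, not code from the securityDashboards plugin.
// Function names and the { statusCode, headers } shape are assumptions.

// Read the tenant from the originally requested short URL, if present.
function tenantFromRequestUrl(requestUrl, base = 'http://localhost') {
  return new URL(requestUrl, base).searchParams.get('security_tenant');
}

// Append security_tenant to a redirect target. Responses without a
// Location header (for example an error response with no headers at all)
// are returned unchanged instead of being dereferenced.
function addTenantToRedirect(response, tenant, base = 'http://localhost') {
  const location = response && response.headers && response.headers.location;
  if (typeof location !== 'string' || !tenant) {
    return response;
  }
  const url = new URL(location, base);
  if (!url.searchParams.has('security_tenant')) {
    url.searchParams.set('security_tenant', tenant);
  }
  // Keep relative targets relative so a configured base path still applies.
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(location);
  const rewritten = isAbsolute
    ? url.toString()
    : url.pathname + url.search + url.hash;
  return { ...response, headers: { ...response.headers, location: rewritten } };
}

// Constructed sample values (the short-link path is the one from the report).
const requested = 'goto/1234586f487e962d0dffb912345?security_tenant=test';
const resolvedRedirect = {
  statusCode: 302,
  headers: { location: '/app/dashboards#/view/abc' },
};
const noHeaders = { statusCode: 500 };

const tenant = tenantFromRequestUrl(requested);
console.log(addTenantToRedirect(resolvedRedirect, tenant).headers.location);
console.log(addTenantToRedirect(noHeaders, tenant) === noHeaders);
```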