-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamically compute OpenID redirectUri from proxy HTTP headers #929
Conversation
Codecov Report
@@ Coverage Diff @@
## main #929 +/- ##
=======================================
Coverage 72.10% 72.10%
=======================================
Files 87 87
Lines 1907 1907
Branches 247 247
=======================================
Hits 1375 1375
Misses 478 478
Partials 54 54 Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution, please add unit tests for the new method in helper.test.ts.
The integration test failure is likely unrelated and is being worked on in #930
Signed-off-by: Jean-Christian Simonetti <[email protected]>
Signed-off-by: Jean-Christian Simonetti <[email protected]>
@peternied I've added the unit tests you asked me. Do not hesitate to ask me if I need to do anything else. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks for adding the tests. I have just one more ask please create an issue so this new configuration is documented. You can use this issue as a template opensearch-project/documentation-website#494
Let me know if you need a hand with this
@peternied For faster processing, I've directly created a PR on the documentation project: opensearch-project/documentation-website#499. Let me know if it's OK or if I need to do anything else. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Looks great
@opensearch-project/security Could we get another reviewer to take a look at this PR? |
…earch-project#929) Signed-off-by: Jean-Christian Simonetti <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Chang Liu <[email protected]> Signed-off-by: Vasile Negru <[email protected]>
With Opensearch dashboards v2.2.1, On access of UI, redirection is not considering value set for server.basePath and opensearch_security.openid.base_redirect_url as it is redirecting to "/" after authentication with openid. |
Description
The OpenID redirectURI can be dynamically computed from proxy HTTP headers (
X-Forwarded-*
) if its new specific parameter is turned on in the configuration file (opensearch_security.openid.trust_dynamic_headers
).Category
Enhancement
Why these changes are required?
My company hosts one Opensearch Dashboards shared by many users (with tenants). We have a federated IAM based on OpenID configuration. The Opensearch Dashboards is behind a reverse proxy. We have a specific URL for each client that points to the same Opensearch Dashboards, thus we need to set dynamically the redirectURI.
Opensearch Dashboards should have a new option allowing dynamic configuration of the redirectURI, based on information sent by a reverse proxy.
What is the old behavior before changes and new behavior after changes?
X-Forwarded-*
headers if new configuration option says so; default "no" to not break anything.Testing
manual testing:
trust_dynamic_headers
:FALSE
trust_dynamic_headers
:TRUE
base_redirect_url
:UNDEF
scheme://host:port
X-Forwarded-Proto://X-Forwarded-Host
if defined in HTTP headersbase_redirect_url
: "VALUE"Check List
Documentation: I will document the new parameter in https://github.com/opensearch-project/documentation-website/blob/main/_security-plugin/configuration/openid-connect.md#configuration-parameters as soon as you are OK with my PR.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.