Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dynamically compute OpenID redirectUri from proxy HTTP headers #929

Merged
merged 4 commits into from
Jun 8, 2022

Conversation

jaycci
Copy link
Contributor

@jaycci jaycci commented Mar 26, 2022

Description

The OpenID redirectURI can be dynamically computed from proxy HTTP headers (X-Forwarded-*) if its new specific parameter is turned on in the configuration file (opensearch_security.openid.trust_dynamic_headers).

Category

Enhancement

Why these changes are required?

My company hosts one Opensearch Dashboards shared by many users (with tenants). We have a federated IAM based on OpenID configuration. The Opensearch Dashboards is behind a reverse proxy. We have a specific URL for each client that points to the same Opensearch Dashboards, thus we need to set dynamically the redirectURI.

Opensearch Dashboards should have a new option allowing dynamic configuration of the redirectURI, based on information sent by a reverse proxy.

What is the old behavior before changes and new behavior after changes?

  • Old behavior: redirectURI is hardcoded in Opensearch Dashboards configuration file.
  • New behavior: same as old behavior, plus redirectURI computed from X-Forwarded-* headers if new configuration option says so; default "no" to not break anything.

Testing

manual testing:

trust_dynamic_headers: FALSE trust_dynamic_headers: TRUE
base_redirect_url: UNDEF scheme://host:port X-Forwarded-Proto://X-Forwarded-Host if defined in HTTP headers
base_redirect_url: "VALUE" "VALUE" "VALUE"

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

Documentation: I will document the new parameter in https://github.com/opensearch-project/documentation-website/blob/main/_security-plugin/configuration/openid-connect.md#configuration-parameters as soon as you are OK with my PR.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@jaycci jaycci requested a review from a team March 26, 2022 15:57
@codecov-commenter
Copy link

codecov-commenter commented Mar 27, 2022

Codecov Report

Merging #929 (7d3ff9f) into main (2de0e4e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #929   +/-   ##
=======================================
  Coverage   72.10%   72.10%           
=======================================
  Files          87       87           
  Lines        1907     1907           
  Branches      247      247           
=======================================
  Hits         1375     1375           
  Misses        478      478           
  Partials       54       54           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2de0e4e...7d3ff9f. Read the comment docs.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, please add unit tests for the new method in helper.test.ts.

The integration test failure is likely unrelated and is being worked on in #930

@jaycci
Copy link
Contributor Author

jaycci commented Apr 8, 2022

@peternied I've added the unit tests you asked me. Do not hesitate to ask me if I need to do anything else.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks for adding the tests. I have just one more ask please create an issue so this new configuration is documented. You can use this issue as a template opensearch-project/documentation-website#494

Let me know if you need a hand with this

@jaycci
Copy link
Contributor Author

jaycci commented Apr 9, 2022

@peternied For faster processing, I've directly created a PR on the documentation project: opensearch-project/documentation-website#499. Let me know if it's OK or if I need to do anything else.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Looks great

@peternied
Copy link
Member

@opensearch-project/security Could we get another reviewer to take a look at this PR?

@cliu123 cliu123 merged commit c19b01f into opensearch-project:main Jun 8, 2022
spartan2015 pushed a commit to spartan2015/security-dashboards-plugin that referenced this pull request Aug 8, 2022
…earch-project#929)

Signed-off-by: Jean-Christian Simonetti <[email protected]>

Co-authored-by: Peter Nied <[email protected]>
Co-authored-by: Chang Liu <[email protected]>
Signed-off-by: Vasile Negru <[email protected]>
@pratikshavyas
Copy link

With Opensearch dashboards v2.2.1, On access of UI, redirection is not considering value set for server.basePath and opensearch_security.openid.base_redirect_url as it is redirecting to "/" after authentication with openid.
Please check if this bug is introduced as part of this change and it has impacted url routing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants