[BUG] Client certificates not used with openid auth endpoints #1647
Comments
[Triage] Hi @Simple-Analysis, @cwperks will follow up but in the meantime if you could provide additional information on your configuration that would be appreciated. It sounds like you may be using a custom configuration of some sort and it is hard to determine the cause of these types of issues without detailed settings.
Hi @scrawfor99, my configuration is not too unique. Our IdP is only accessible behind an API Gateway that enforces mutual TLS, so any request to that endpoint will fail without client certificates. My workaround for the longest time was to reference a pod in the same namespace as OpenSearch that serves the OpenID connect configuration json with modified authorization and token endpoints that do not require mutual TLS (bypassing the API Gateway). I would share this configuration but I operate in an airgapped network. Please let me know if I can answer any questions though! I tried to take a stab at the code changes and submitted the PR. I'm not really familiar with TypeScript, so any feedback would be greatly appreciated. I have not had a chance to run tests yet but I wanted to make this progress known for everyone's awareness. Thank you!
Closing this issue as #1650 has been merged. Thank you for your contribution @Simple-Analysis!
What is the bug?
Requests made to the openid endpoints fail with 401 errors when client certificate authentication is mandatory for the endpoints. The HTTPS agent used for Wreck is not configured with client certificate options.
HTTPS agent options:
security-dashboards-plugin/server/auth/types/openid/openid_auth.ts
Line 56 in d14bb68
How can one reproduce the bug?
Steps to reproduce the behavior:
What is the expected behavior?
Option to configure client certificates for HTTPS agent so that successful requests can be made to all openid endpoints.
What is your host/environment?
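As an added illustration of the expected behavior requested in this issue (not code from the plugin or from the merged PR), the sketch below builds a Node.js HTTPS agent that presents a client certificate to endpoints enforcing mutual TLS. The setting names (`caPath`, `clientCertPath`, `clientKeyPath`, `clientKeyPassphrase`, `verifyServer`) and the sample file contents are hypothetical and constructed for the example.

```javascript
const fs = require('node:fs');
const https = require('node:https');

// Constructed stand-ins for PEM files so the example runs offline.
const SAMPLE_FILES = {
  '/example/ca.pem': 'constructed-ca-pem',
  '/example/client.pem': 'constructed-client-cert-pem',
  '/example/client.key': 'constructed-client-key-pem',
};
const sampleReader = (path) => {
  if (!(path in SAMPLE_FILES)) throw new Error(`cannot read ${path}`);
  return SAMPLE_FILES[path];
};

// Hypothetical setting names; the page does not name the plugin's options.
function buildOpenIdTlsOptions(cfg, readFile = (p) => fs.readFileSync(p, 'utf8')) {
  // Server certificate verification stays on unless explicitly disabled.
  const opts = { rejectUnauthorized: cfg.verifyServer !== false };
  if (cfg.caPath) opts.ca = [readFile(cfg.caPath)];

  const hasCert = Boolean(cfg.clientCertPath);
  const hasKey = Boolean(cfg.clientKeyPath);
  // A certificate without its key (or the reverse) is unusable for client
  // authentication, so fail when the agent is built, not on the first request.
  if (hasCert !== hasKey) {
    throw new Error('clientCertPath and clientKeyPath must be set together');
  }
  if (hasCert) {
    opts.cert = readFile(cfg.clientCertPath);
    opts.key = readFile(cfg.clientKeyPath);
    if (cfg.clientKeyPassphrase) opts.passphrase = cfg.clientKeyPassphrase;
  }
  return opts;
}

// One agent shared by every OpenID request, so the discovery, authorization
// and token endpoints all receive the same client certificate.
function createOpenIdAgent(cfg, readFile) {
  return new https.Agent(buildOpenIdTlsOptions(cfg, readFile));
}

const agent = createOpenIdAgent(
  { caPath: '/example/ca.pem', clientCertPath: '/example/client.pem', clientKeyPath: '/example/client.key' },
  sampleReader
);
console.log(['ca', 'cert', 'key'].filter((k) => k in agent.options));
```

The agent is then handed to the HTTP client through its agent option, which is where the issue reports the client certificate settings were missing.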