
[BUG] Missing background refresh of OIDC access_token #1966

Closed
MMerzinger opened this issue May 7, 2024 · 6 comments
Labels
bug Something isn't working triaged

Comments

@MMerzinger

Describe the bug

The opensearch-dashboards app does not use the OIDC refresh token, despite having refresh_tokens: true in the config.

This leads to a full page refresh every 5 mins (as our access_token has a 5 min ttl). In the browser log we can see that a redirect to Keycloak happens (login via Kerberos) and a new access_token is issued.

To Reproduce
Steps to reproduce the behavior:

  1. Configure Keycloak as identity provider (https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
  2. Configure opensearch with OIDC
       config.yml: |
          _meta:
            type: "config"
            config_version: 2
          config:
            dynamic:
              authc:
                basic_internal_auth_domain:
                  http_enabled: true
                  transport_enabled: true
                  order: 1
                  http_authenticator:
                    type: basic
                    challenge: false
                  authentication_backend:
                    type: intern
                openid_auth_domain:
                  http_enabled: true
                  transport_enabled: true
                  order: 0
                  http_authenticator:
                    type: openid
                    challenge: false
                    config:
                      openid_connect_idp:
                        enable_ssl: true
                        verify_hostnames: true
                        skip_users:
                          - <REMOVED>
                      subject_key: preferred_username
                      roles_key: roles
                      openid_connect_url: https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration
  3. Configure opensearch-dashboards with OIDC and token_refresh: true
     opensearch_dashboards.yml:

      logging.verbose: true

      server.host: "0.0.0.0"

      opensearch.hosts: ["https://opensearch-cluster-master:9200"]
      opensearch.ssl.verificationMode: none # Disabled for testing
      opensearch.ssl.certificateAuthorities: [ "/path/to/our/cert/tls.crt" ]
      opensearch.username: "<REMOVED>"
      opensearch.password: "<REMOVED>"
      opensearch.requestHeadersWhitelist: [ "Authorization", "security_tenant", "securitytenant" ]

      opensearch_security.multitenancy.enabled: true
      opensearch_security.multitenancy.tenants.preferred: ["SHARED"]
      opensearch_security.multitenancy.tenants.enable_private: false
      opensearch_security.multitenancy.tenants.enable_global: false
      opensearch_security.readonly_mode.roles: ["kibana_read_only"]
      opensearch_security.cookie.secure: false
      opensearch_security.auth.type: "openid"
      opensearch_security.openid.refresh_tokens: true
      opensearch_security.openid.connect_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/.well-known/openid-configuration"
      opensearch_security.openid.client_id: "opensearch"
      opensearch_security.openid.client_secret: "<REMOVED>"
      opensearch_security.openid.base_redirect_url: "https://<OPENSEARCH_HOST>"
      opensearch_security.openid.verify_hostnames: "false" # Disabled for testing
      opensearch_security.openid.scope: "openid"
      opensearch_security.openid.logout_url: "https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>/protocol/openid-connect/logout"
      opensearch_security.openid.extra_storage.cookie_prefix: "security_authentication_oidc"
      opensearch_security.openid.extra_storage.additional_cookies: 10 # Usually around 3 cookies, some power users need more
  4. Make sure your access_token is issued with a ttl of about 5 mins
  5. Login to opensearch-dashboards
  6. Go to Discover and query any of the available index patterns. Wait here 5 mins.
  7. Open the Network Tab of the Browser Developer Tools
  8. Click on refresh (not the browser refresh -> use the refresh button of the opensearch-dashboards app)
  9. Observe that the API returns a 401 and a redirect to Keycloak

Expected behavior
The opensearch-dashboards app uses the refresh token in the background to request a new access_token (and no redirect to Keycloak).

OpenSearch Version
2.13.0

Dashboards Version
2.13.0

Plugins

All plugins installed by default (see https://opensearch.org/docs/latest/install-and-configure/plugins/#bundled-plugins).

We rely mainly on the opensearch-security, opensearch-index-management and notifications plugin.

Screenshots

(screenshot: keycloak-config-1)

Host/Environment (please complete the following information):

  • OS: Containers from DockerHub (Amazon Linux 2023.4.20240401) with the tag 2.13.0, deployed on Kubernetes (GKE) v1.27.8-gke.1500 using the helm chart 2.19 (opensearch) and 2.17 (opensearch-dashboards)
  • Browser: Chrome 124.0.6367.119

Additional context

Related issues

We had to increase our access_token ttl as an intermediate solution, as described in issue 1522.
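The background refresh the reporter expects, as an added example that is not code from OpenSearch Dashboards or the security-dashboards plugin: it decides when the access_token is about to expire and builds the refresh_token grant for the IdP's token endpoint. The endpoint URL, client id, client secret and the sample token are placeholders constructed for the example.

```javascript
// Added example, not code from the security-dashboards plugin: the background
// refresh the reporter expects, as pure functions so the timing decision can
// be tested without a live Keycloak.

// Read the payload of a JWT without verifying it. Only `exp` is needed here, to
// schedule the refresh; OpenSearch still validates the token on every request.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the access_token should be refreshed now. `skewSeconds` refreshes
// a little early, so a request sent just before expiry does not get the 401
// and redirect to Keycloak that the reporter sees after 5 minutes.
function needsRefresh(accessToken, nowSeconds, skewSeconds = 30) {
  const { exp } = jwtPayload(accessToken);
  if (typeof exp !== 'number') return true; // no exp claim: treat as expired
  return nowSeconds + skewSeconds >= exp;
}

// The refresh_token grant (RFC 6749 section 6) the plugin would POST to the
// token_endpoint advertised by the realm's .well-known/openid-configuration.
// Client credentials go in the body and must never be sent to the browser.
function refreshTokenRequest(tokenEndpoint, clientId, clientSecret, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed, unsigned sample token (alg "none", empty signature) with the
// reporter's 5 minute ttl. Not a real Keycloak token.
function sampleToken(iat, ttlSeconds = 300) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const header = b64({ alg: 'none', typ: 'JWT' });
  const payload = b64({ iat, exp: iat + ttlSeconds, preferred_username: 'alice' });
  return `${header}.${payload}.`;
}
```

With a 300 s ttl and a 30 s skew, a token issued at t=1000 is reported as due for refresh from t=1270, before the first request that would otherwise get a 401.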

@MMerzinger MMerzinger added bug Something isn't working untriaged labels May 7, 2024
@kavilla
Member

kavilla commented May 8, 2024

@opensearch-project/admin @opensearch-project/triage could we move this to the security dashboards plugin repo.

@jpelletier412

We are experiencing the same issue with the same setup - OpenSearch 2.13.0, OpenSearch-Dashboards 2.13.0, using Keycloak as our OAuth provider.

@gaiksaya gaiksaya transferred this issue from opensearch-project/OpenSearch-Dashboards May 20, 2024
@stephen-crawford
Collaborator

[Triage] Hi @MMerzinger thank you for filing this issue. I think this is the result of some changes recently made by @derek-ho around handling of the refresh tokens. Derek could you share whether this is intended etc.?

@Jakob3xD

Jakob3xD commented Jul 5, 2024

With OpenSearch 2.15 it seems to be fixed. At least for me.

@derek-ho
Collaborator

derek-ho commented Jul 5, 2024

Thanks @Jakob3xD for confirming! Yes, @cwperks and @Alankarsharma merged in a fix for this in 2.15. After upgrade this problem should go away. Closing.

@briend

briend commented Jul 10, 2024

I opened a related issue that looks just like this (to me) but only affects the /app/dashboards UI #2025
