Configuring OpenID Connect for an OpenSearch Cluster

Configure an OpenSearch cluster to use an OpenID Connect identity provider, such as Oracle Identity Cloud Service, for authentication and authorization.

Prerequisites

  • An OpenSearch cluster based on OpenSearch version 2.3.0 or newer. For clusters based on older versions of OpenSearch, you need to upgrade the cluster first; see Upgrading an OpenSearch Cluster.

  • The OpenSearch cluster's security mode is set to ENFORCING, see Updating Cluster Security Mode to Enforcing.

  • You have an OpenID Connect identity provider, such as Oracle Identity Cloud Service, set up and ready to use.

  • You have the OpenID Connect URL for your identity provider, which is the URL for accessing the provider's OpenID Connect metadata and configuration settings.

Enable OpenID with the OpenSearch Security Plugin REST APIs

Use the OpenSearch Security plugin's Configuration API to enable OpenID Connect for an OpenSearch cluster.

The following example shows how to enable OpenID Connect for a cluster, using an example OpenID Connect URL for Oracle Identity Cloud Service. The request body also sets the cluster's security mode to ENFORCING in the same Configuration API call.

PUT _plugins/_security/api/securityconfig/config
{
  "dynamic": {
    "security_mode": "ENFORCING",
    "http": {
      "anonymous_auth_enabled": false,
      "xff": {
        "enabled": false
      }
    },
    "authc": {
      "openid_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "challenge": false,
          "type": "openid",
          "config": {
            "subject_key": "sub",
            "roles_key": "sub",
            "openid_connect_url": "https://idcs-<IDCS_Instance_ID>.identity.oraclecloud.com/.well-known/openid-configuration"
          }
        },
        "authentication_backend": {
          "type": "noop",
          "config": {}
        },
        "description": "Authenticate using OpenId connect"
      },
      "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 1,
        "http_authenticator": {
          "challenge": true,
          "type": "basic",
          "config": {}
        },
        "authentication_backend": {
          "type": "intern",
          "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
      }
    },
    "authz": null
  }
}

The following example shows the minimum configuration required in the Configuration API call to enable OpenID Connect for a cluster, again using an example OpenID Connect URL for Oracle Identity Cloud Service. As in the previous example, the settings sit under the top-level "dynamic" key that the securityconfig API expects.

PUT _plugins/_security/api/securityconfig/config
{
  "dynamic": {
    "authc": {
      "openid_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "challenge": false,
          "type": "openid",
          "config": {
            "subject_key": "sub",
            "roles_key": "sub",
            "openid_connect_url": "https://idcs-<IDCS_Instance_ID>.identity.oraclecloud.com/.well-known/openid-configuration"
          }
        },
        "authentication_backend": {
          "type": "noop",
          "config": {}
        },
        "description": "Authenticate using OpenId connect"
      }
    }
  }
}

For additional OpenID Connect configuration options available for an OpenSearch cluster, see OpenSearch - OpenID Connect.

Using OpenID Connect

After you have enabled OpenID Connect for an OpenSearch cluster, you need to obtain an access token from your OpenID Connect provider. How you obtain the token depends on the identity provider. For Oracle Identity Cloud Service, see Using Access Token Authorization with My Services API.

You then send the access token as the bearer token in the authorization header when connecting to the OpenSearch cluster, as shown in the following example of a GET request to the Cluster health API:

GET /_cluster/health
Authorization: Bearer <access_token>
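The following Python helper is an added example, not code from this documentation or from OpenSearch. It builds the securityconfig body shown in the two examples above (with or without the basic-auth fallback domain), refuses a discovery URL that is not HTTPS or not the well-known metadata path, flags a discovery document that lacks the issuer or jwks_uri the plugin relies on, and produces the bearer header used in the cluster request above. The function names and the check_discovery checks are this example's own assumptions.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

def check_openid_connect_url(url):
    # The plugin fetches issuer metadata and signing keys from here: require TLS and the metadata path.
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.path.endswith(WELL_KNOWN):
        raise ValueError("openid_connect_url must be https and end with " + WELL_KNOWN)
    return True

def check_discovery(doc):
    # Problems found in a provider's discovery document; an empty list means it is usable.
    problems = []
    for key in ("issuer", "jwks_uri"):
        value = doc.get(key, "")
        if not value:
            problems.append("missing " + key)
        elif urlparse(value).scheme != "https":
            problems.append(key + " is not https")
    return problems

def build_security_config(openid_connect_url, keep_basic_auth=True,
                          subject_key="sub", roles_key="sub"):
    # Body for PUT _plugins/_security/api/securityconfig/config: OIDC is tried first (order 0);
    # the internal-users basic-auth domain is kept as fallback (order 1) unless disabled.
    check_openid_connect_url(openid_connect_url)
    authc = {"openid_auth_domain": {
        "http_enabled": True, "transport_enabled": True, "order": 0,
        "http_authenticator": {"challenge": False, "type": "openid", "config": {
            "subject_key": subject_key, "roles_key": roles_key,
            "openid_connect_url": openid_connect_url}},
        "authentication_backend": {"type": "noop", "config": {}},
        "description": "Authenticate using OpenId connect"}}
    if keep_basic_auth:
        authc["basic_internal_auth_domain"] = {
            "http_enabled": True, "transport_enabled": True, "order": 1,
            "http_authenticator": {"challenge": True, "type": "basic", "config": {}},
            "authentication_backend": {"type": "intern", "config": {}},
            "description": "Authenticate via HTTP Basic against internal users database"}
    return {"dynamic": {
        "security_mode": "ENFORCING",
        "http": {"anonymous_auth_enabled": False, "xff": {"enabled": False}},
        "authc": authc}}

def bearer_headers(access_token):
    # Header for calling the cluster with the token obtained from the provider.
    return {"Authorization": "Bearer " + access_token}
```

Serialise the returned dict with json.dumps and send it as the PUT body; pass keep_basic_auth=False to get the minimum configuration from the second example.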

More Resources

For more information about OpenID Connect and Oracle Identity Cloud Service, see the following: