
Configure OpenSearch to use OTDS OAuth

This article documents how to configure OpenSearch to use OTDS for OAuth authentication.

📘 OpenSearch configuration

In order to configure OpenSearch to use OTDS for OAuth authentication, do the following.

  1. Edit the config.yml file located at <OpenSearch Home>\config\opensearch-security\config.yml and add the following code under the authc section. This configures OpenSearch to use OpenID for authentication. Note: make sure you update openid_connect_url to use the fully qualified domain name of the OTDS server.

    authc:
      openid_auth_domain:
        order: 0
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: true
            subject_key: preferred_username
            roles_key: role
            openid_connect_url: <url to otds server>/otdsws/.well-known/openid-configuration
        authentication_backend:
          type: noop
  2. Apply the changes to the OpenSearch server by using the following command. Note: changing this file alone has no effect on OpenSearch; the change must be applied with the command below.

    C:\opensearch\opensearch\plugins\opensearch-security\tools\securityadmin.bat -f C:\opensearch\opensearch\config\opensearch-security\config.yml -t config -icl -nhnv -cacert C:\opensearch\opensearch\config\root-ca.pem -cert C:\opensearch\opensearch\config\kirk.pem -key C:\opensearch\opensearch\config\kirk-key.pem
  3. You can confirm the changes in OpenSearch Dashboards under Security → Authentication. You should see the openid_auth_domain entry in the list. If it is not there, the configuration has not been applied.
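
Once the domain is listed, a login can still fail or map to no roles if the OTDS token lacks the claims named by subject_key and roles_key. The following diagnostic is an added example, not part of the original article or of OpenSearch or OTDS; the host otds.example.com, the user, the role name and the unsigned sample tokens are constructed, and the function names are hypothetical.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token, openid_connect_url,
                subject_key="preferred_username", roles_key="role"):
    """List reasons this token would fail, or map to no roles, in the domain."""
    problems = []
    if not openid_connect_url.lower().startswith("https://"):
        problems.append("openid_connect_url is not https")
    claims = jwt_claims(token)
    subject = claims.get(subject_key)
    if not isinstance(subject, str) or not subject.strip():
        problems.append(f"claim '{subject_key}' missing or empty")
    roles = claims.get(roles_key)
    if roles is None:
        problems.append(f"claim '{roles_key}' missing: no backend roles")
    elif not isinstance(roles, (str, list)) or not roles:
        problems.append(f"claim '{roles_key}' is empty or not a string/list")
    return problems

def sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real OTDS token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "sig"])

# Constructed placeholder URL and claims; defaults above match this page's config.
URL = "https://otds.example.com/otdsws/.well-known/openid-configuration"
GOOD = sample_token({"preferred_username": "jdoe", "role": ["search_admin"]})
NO_ROLE = sample_token({"preferred_username": "jdoe"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("no role", NO_ROLE)):
        print(name, check_token(tok, URL) or "ok")
```

The decoder skips signature verification on purpose, so use it only to inspect tokens you obtained yourself from OTDS; OpenSearch performs the actual validation against the keys published through openid_connect_url.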
