From 913e1277038a5b23eda93f79085cedd0c3e72fcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=B6chlin?= Date: Fri, 24 Oct 2025 13:15:40 +0200 Subject: [PATCH] Update openid-connect.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marc Schöchlin --- .../authentication-backends/openid-connect.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/_security/authentication-backends/openid-connect.md b/_security/authentication-backends/openid-connect.md index 32b7845b5aa..343d9ec719c 100755 --- a/_security/authentication-backends/openid-connect.md +++ b/_security/authentication-backends/openid-connect.md 
@@ -439,16 +439,26 @@ config: The following steps use Docker and [Keycloak IdP](https://www.keycloak.org/) to set up a basic authentication backend: - 1. Download and unzip the [example OpenID Connect zip file]({{site.url}}{{site.baseurl}}/assets/examples/oidc_example.zip) + (TODO: add a reference to the source of this environment.) 2. Update the `.env` file with a strong password for the `admin` user. 3. Substitute the `{IP}` placeholders in `config.yml` and `opensearch_dashboards.yml` with the IP of the local machine. + (you have to use a real ip address and not a loopback address like `127.0.0.1`) + ``` + MY_PRIMARY_IP=$(hostname -I | awk '{print $1}') + sed -i "~s,{\?{IP}}\?,${MY_PRIMARY_IP}," *.yml + ``` 4. Review the following files: - `docker-compose.yml` defines a single OpenSearch node, OpenSearch Dashboards, and Keycloak server. - `new-realm.json` specifies the details of the [realm](https://www.keycloak.org/docs/latest/server_admin/#core-concepts-and-terms). In this example, the realm is named `new`. - `config.yml` configures `basic_internal_auth_domain` and `oidc_auth_domain`. - `opensearch_dashboards.yml` should point to Keycloak for authentication. Make sure that the `opensearch_security.openid.connect_url` setting points to the URL of the realm. 5. At the command line, run `docker compose up`. -6. Access OpenSearch Dashboards at `http://localhost:5601` and log in with username `testuser` and password `testpassword` configured in the `new-realm.json` file. +6. Access OpenSearch Dashboards at `http://localhost:5601` and log in with username `testuser` and password `testpassword` configured in the `new-realm.json` file. + +Details about the environment: -After logging in, the `testuser` receives the backend role `admin` from Keycloak, which is mapped to the `all_access` OpenSearch role. These backend roles can be managed using the Keycloak Administrative Console at http://localhost:8080, using username `admin` and password `admin`. 
+* After logging in, the `testuser` receives the backend role `admin` from Keycloak, which is mapped to the `all_access` OpenSearch role. +* Backend roles can be managed using the Keycloak Administrative Console at http://localhost:8080 + (using username `admin` and password `admin`.) +* Create a
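Review bot: the `sed` command added under step 3 does not run as written: `~s,…` is not a valid sed command (GNU sed rejects it with `unknown command`), so the `{IP}` placeholders are never substituted. If a backup file was intended, attach the suffix to the option instead (`sed -i~ "s,{\?{IP}}\?,${MY_PRIMARY_IP},g" *.yml`); otherwise drop the `~`. The `g` flag is also worth adding so a line with two placeholders is fully replaced. Related points in the same hunk: `hostname -I` exists only in the GNU/Linux `hostname` (macOS has no `-I`), so the snippet should say so or offer an alternative; the `(TODO: add a reference to the source of this environment.)` line and the unfinished `* Create a` bullet will be published to readers as-is and should be completed or removed before merge; the `-6.`/`+6.` pair is identical in content (a whitespace-only change) and just adds noise to the diff. Minor: tag the new fence as ```bash to match the page's other fenced examples and write "IP address" rather than "ip address" in the loopback note.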