opensearch-docs-cn/_troubleshoot/openid-connect.md

---
layout: default
title: Troubleshoot OpenID Connect
nav_order: 30
---

# OpenID Connect troubleshooting

This page includes troubleshooting steps for using OpenID Connect with the Security plugin.


---

#### Table of contents
- TOC
{:toc}


---

## Set log level to debug

To help troubleshoot OpenID Connect, set the log level to `debug` on OpenSearch. Add the following lines in `config/log4j2.properties` and restart the node:

```
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace
```

This setting prints a lot of helpful information to your log file. If this information isn't sufficient, you can also set the log level to `trace`.


## "Failed when trying to obtain the endpoints from your IdP"

This error indicates that the Security plugin can't reach the metadata endpoint of your IdP. In `opensearch_dashboards.yml`, check the following setting:

```
plugins.security.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"
```

If this error occurs on OpenSearch, check the following setting in `config.yml`:

```yml
openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: "openid"
    ...
    config:
      openid_connect_url: http://keycloak.examplesss.com:8080/auth/realms/master/.well-known/openid-configuration
    ...
```

## "ValidationError: child 'opensearch_security' fails"

This indicates that one or more of the OpenSearch Dashboards configuration settings are missing.

Check `opensearch_dashboards.yml` and make sure you have set the following minimal configuration:

```yml
plugins.security.openid.connect_url: "..."
plugins.security.openid.client_id: "..."
plugins.security.openid.client_secret: "..."
```


## "Authentication failed. Please provide a new token."

This error has several potential root causes.


### Leftover cookies or cached credentials

Please delete all cached browser data, or try again in a private browser window.


### Wrong client secret

To trade the access token for an identity token, most IdPs require you to provide a client secret. Check if the client secret in `opensearch_dashboards.yml` matches the client secret of your IdP configuration:

```
plugins.security.openid.client_secret: "..."
```


### "Failed to get subject from JWT claims"

This error is logged on OpenSearch and means that the username could not be extracted from the ID token. Make sure the following setting matches the claims in the JWT your IdP issues:

```
openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: "openid"
    ...
    config:
      subject_key: <subject key>
    ...
```

### "Failed to get roles from JWT claims with roles_key"

This error indicates that the roles key you configured in `config.yml` does not exist in the JWT issued by your IdP. Make sure the following setting matches the claims in the JWT your IdP issues:

```
openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: "openid"
    ...
    config:
      roles_key: <roles key>
    ...
```
Breaks site 2021-05-28 13:48:19 -04:00			`---`
			`layout: default`
			`title: Troubleshoot OpenID Connect`
Fixes site 2021-05-28 14:19:18 -04:00			`nav_order: 30`
Breaks site 2021-05-28 13:48:19 -04:00			`---`

			`# OpenID Connect troubleshooting`

Correct plugin capitalization (#3838) * Correct plugin capitalization Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> * Revert cluster-stats because the name is in response Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> * Revert cluster-stats once more Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> --------- Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> 2023-05-04 11:11:54 -04:00			`This page includes troubleshooting steps for using OpenID Connect with the Security plugin.`
Breaks site 2021-05-28 13:48:19 -04:00

			`---`

			`#### Table of contents`
			`- TOC`
			`{:toc}`


			`---`

			`## Set log level to debug`

			To help troubleshoot OpenID Connect, set the log level to `debug` on OpenSearch. Add the following lines in `config/log4j2.properties` and restart the node:

			```
Correct log4j2 syntax in the example In the [yml format](https://logging.apache.org/log4j/2.x/manual/configuration.html#Configuration_with_Properties) in of the log4j properties file, a logger is declared with logger.LOGGER_NAME.name, the value of LOGGER_NAME can be set as desired by the user. When the example included the `.` operator it was treated as another object and 'security' was referenced as a key which didn't resolve to anything. Signed-off-by: Peter Nied <petern@amazon.com> 2022-03-29 16:51:08 -04:00			`logger.securityjwt.name = com.amazon.dlic.auth.http.jwt`
			`logger.securityjwt.level = trace`
Breaks site 2021-05-28 13:48:19 -04:00			```

			This setting prints a lot of helpful information to your log file. If this information isn't sufficient, you can also set the log level to `trace`.


			`## "Failed when trying to obtain the endpoints from your IdP"`

Correct plugin capitalization (#3838) * Correct plugin capitalization Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> * Revert cluster-stats because the name is in response Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> * Revert cluster-stats once more Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> --------- Signed-off-by: Fanit Kolchina <kolchfa@amazon.com> 2023-05-04 11:11:54 -04:00			This error indicates that the Security plugin can't reach the metadata endpoint of your IdP. In `opensearch_dashboards.yml`, check the following setting:
Breaks site 2021-05-28 13:48:19 -04:00
			```
Updates security settings 2021-06-08 18:35:12 -04:00			`plugins.security.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"`
Breaks site 2021-05-28 13:48:19 -04:00			```

			If this error occurs on OpenSearch, check the following setting in `config.yml`:

			```yml
			`openid_auth_domain:`
			`enabled: true`
			`order: 1`
			`http_authenticator:`
			`type: "openid"`
			`...`
			`config:`
			`openid_connect_url: http://keycloak.examplesss.com:8080/auth/realms/master/.well-known/openid-configuration`
			`...`
			```

			`## "ValidationError: child 'opensearch_security' fails"`

			`This indicates that one or more of the OpenSearch Dashboards configuration settings are missing.`

			Check `opensearch_dashboards.yml` and make sure you have set the following minimal configuration:

			```yml
Updates security settings 2021-06-08 18:35:12 -04:00			`plugins.security.openid.connect_url: "..."`
			`plugins.security.openid.client_id: "..."`
			`plugins.security.openid.client_secret: "..."`
Breaks site 2021-05-28 13:48:19 -04:00			```


			`## "Authentication failed. Please provide a new token."`

			`This error has several potential root causes.`


			`### Leftover cookies or cached credentials`

			`Please delete all cached browser data, or try again in a private browser window.`


			`### Wrong client secret`

			To trade the access token for an identity token, most IdPs require you to provide a client secret. Check if the client secret in `opensearch_dashboards.yml` matches the client secret of your IdP configuration:

			```
Updates security settings 2021-06-08 18:35:12 -04:00			`plugins.security.openid.client_secret: "..."`
Breaks site 2021-05-28 13:48:19 -04:00			```


			`### "Failed to get subject from JWT claims"`

			`This error is logged on OpenSearch and means that the username could not be extracted from the ID token. Make sure the following setting matches the claims in the JWT your IdP issues:`

			```
			`openid_auth_domain:`
			`enabled: true`
			`order: 1`
			`http_authenticator:`
			`type: "openid"`
			`...`
			`config:`
			`subject_key: <subject key>`
			`...`
			```

			`### "Failed to get roles from JWT claims with roles_key"`

			This error indicates that the roles key you configured in `config.yml` does not exist in the JWT issued by your IdP. Make sure the following setting matches the claims in the JWT your IdP issues:

			```
			`openid_auth_domain:`
			`enabled: true`
			`order: 1`
			`http_authenticator:`
			`type: "openid"`
			`...`
			`config:`
			`roles_key: <roles key>`
			`...`
			```