To help troubleshoot OpenID Connect, set the log level to `debug` on OpenSearch. Add the following lines in `config/log4j2.properties` and restart the node:
This error indicates that the Security plugin can't reach the metadata endpoint of your IdP. In `opensearch_dashboards.yml`, check the following setting:
## "Authentication failed. Please provide a new token."
This error has several potential root causes.
### Leftover cookies or cached credentials
Please delete all cached browser data, or try again in a private browser window.
### Wrong client secret
To trade the access token for an identity token, most IdPs require you to provide a client secret. Check if the client secret in `opensearch_dashboards.yml` matches the client secret of your IdP configuration:
This error is logged on OpenSearch and means that the username could not be extracted from the ID token. Make sure the following setting matches the claims in the JWT your IdP issues:
```
openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: "openid"
    ...
    config:
      subject_key: <subjectkey>
      ...
```
### "Failed to get roles from JWT claims with roles_key"
This error indicates that the roles key you configured in `config.yml` does not exist in the JWT issued by your IdP. Make sure the following setting matches the claims in the JWT your IdP issues:
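To see which claims a token actually carries when diagnosing the `subject_key` and `roles_key` errors above, the following added example (not part of the OpenSearch documentation or code) decodes a JWT payload without verifying its signature and reports which configured keys are missing. The function names and the sample token are constructed for illustration, and the fallback to the `sub` claim when no subject key is configured is an assumption.

```python
import base64
import json


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: never make an authorization decision on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_claim_keys(token: str, subject_key=None, roles_key=None) -> list:
    """List the problems that would stop username or role extraction."""
    claims = decode_jwt_claims(token)
    present = sorted(claims)
    problems = []
    # Assumption: with no subject_key configured, the registered "sub" claim is used.
    subject_claim = subject_key or "sub"
    value = claims.get(subject_claim)
    if not isinstance(value, str) or not value:
        problems.append(f"subject claim '{subject_claim}' missing or empty; token has {present}")
    if roles_key is not None and claims.get(roles_key) is None:
        problems.append(f"roles claim '{roles_key}' missing; token has {present}")
    return problems


def _b64url(obj) -> str:
    """Encode a JSON object as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token (placeholder signature), shaped like an IdP-issued ID token.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "f3a1", "preferred_username": "jdoe", "groups": ["admin"]}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    # A roles_key of "roles" does not match the token's "groups" claim.
    for problem in check_claim_keys(SAMPLE_TOKEN, "preferred_username", "roles"):
        print(problem)
```

Run it locally against a token captured from your own login flow. An ID token is a credential, so avoid pasting it into online decoders.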