
Dynamically compute OpenID redirectUri from proxy HTTP headers #929

Merged
cliu123 merged 4 commits into opensearch-project:main from jaycci:main
Jun 8, 2022

Contributor

@jaycci jaycci commented Mar 26, 2022

Description

The OpenID redirectURI can be dynamically computed from proxy HTTP headers (X-Forwarded-*) if its new specific parameter is turned on in the configuration file (opensearch_security.openid.trust_dynamic_headers).

Category

Enhancement

Why these changes are required?

My company hosts one Opensearch Dashboards shared by many users (with tenants). We have a federated IAM based on OpenID configuration. The Opensearch Dashboards is behind a reverse proxy. We have a specific URL for each client that points to the same Opensearch Dashboards, thus we need to set the redirectURI dynamically.

Opensearch Dashboards should have a new option allowing dynamic configuration of the redirectURI, based on information sent by a reverse proxy.

What is the old behavior before changes and new behavior after changes?

  • Old behavior: redirectURI is hardcoded in Opensearch Dashboards configuration file.
  • New behavior: same as old behavior, plus redirectURI computed from X-Forwarded-* headers if new configuration option says so; default "no" to not break anything.

Testing

manual testing:

| | trust_dynamic_headers: FALSE | trust_dynamic_headers: TRUE |
|---|---|---|
| base_redirect_url: UNDEF | scheme://host:port | X-Forwarded-Proto://X-Forwarded-Host if defined in HTTP headers |
| base_redirect_url: "VALUE" | "VALUE" | "VALUE" |

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

Documentation: I will document the new parameter in https://github.com/opensearch-project/documentation-website/blob/main/_security-plugin/configuration/openid-connect.md#configuration-parameters as soon as you are OK with my PR.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@jaycci jaycci requested a review from a team March 26, 2022 15:57
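
The decision table from the Testing section of the description, written out as an added TypeScript example; it is not the plugin's code from this PR. The type and function names, the `allowedHosts` allowlist and the header validation are assumptions made for illustration, and the host names are constructed.

```typescript
// Added example; every name below is hypothetical, not the plugin's API.
interface OidcConfig {
  baseRedirectUrl?: string;     // stands in for base_redirect_url
  trustDynamicHeaders: boolean; // stands in for trust_dynamic_headers
  allowedHosts?: string[];      // assumption: optional allowlist, not a plugin option
}
interface ServerInfo { protocol: string; host: string; port: number }
type HeaderMap = Record<string, string | undefined>; // keys lowercased, as Node.js delivers them

const HOST_RE = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/i;

// A proxy chain may append values ("a, b"); take the first one, trimmed.
function firstValue(v: string | undefined): string | undefined {
  const first = ((v ?? "").split(",")[0] ?? "").trim();
  return first === "" ? undefined : first;
}

function resolveBaseRedirectUrl(cfg: OidcConfig, server: ServerInfo, headers: HeaderMap): string {
  // base_redirect_url: "VALUE" row: the configured value wins in both columns.
  if (cfg.baseRedirectUrl) return cfg.baseRedirectUrl;

  const fallback = `${server.protocol}://${server.host}:${server.port}`;
  // UNDEF row, FALSE column: forwarded headers are ignored.
  if (!cfg.trustDynamicHeaders) return fallback;

  // UNDEF row, TRUE column: forwarded values are used only if both are defined.
  const proto = firstValue(headers["x-forwarded-proto"])?.toLowerCase();
  const host = firstValue(headers["x-forwarded-host"])?.toLowerCase();
  if (!proto || !host) return fallback;

  // Assumed hardening, not described on the page: reject anything that is not
  // a plain http(s) scheme and hostname[:port], or that is off the allowlist.
  if (proto !== "http" && proto !== "https") return fallback;
  if (!HOST_RE.test(host)) return fallback;
  if (cfg.allowedHosts && cfg.allowedHosts.indexOf(host) === -1) return fallback;

  return `${proto}://${host}`;
}

// Constructed sample: Dashboards on localhost:5601 behind a reverse proxy.
const SAMPLE_SERVER: ServerInfo = { protocol: "http", host: "localhost", port: 5601 };
const SAMPLE_HEADERS: HeaderMap = {
  "x-forwarded-proto": "https",
  "x-forwarded-host": "client-a.example.com",
};
console.log(resolveBaseRedirectUrl({ trustDynamicHeaders: true }, SAMPLE_SERVER, SAMPLE_HEADERS));
```
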
@codecov-commenter

codecov-commenter commented Mar 27, 2022

Codecov Report

Merging #929 (7d3ff9f) into main (2de0e4e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #929   +/-   ##
=======================================
  Coverage   72.10%   72.10%           
=======================================
  Files          87       87           
  Lines        1907     1907           
  Branches      247      247           
=======================================
  Hits         1375     1375           
  Misses        478      478           
  Partials       54       54           


Member

@peternied peternied left a comment


Thanks for the contribution, please add unit tests for the new method in helper.test.ts.

The integration test failure is likely unrelated and is being worked on in #930

jaycci added 2 commits April 8, 2022 19:05
Signed-off-by: Jean-Christian Simonetti <github@elysiria.fr>
Signed-off-by: Jean-Christian Simonetti <github@elysiria.fr>
Contributor Author

jaycci commented Apr 8, 2022

@peternied I've added the unit tests you asked me for. Do not hesitate to ask me if I need to do anything else.

Member

@peternied peternied left a comment


Looks great, thanks for adding the tests. I have just one more ask: please create an issue so this new configuration is documented. You can use this issue as a template: opensearch-project/documentation-website#494

Let me know if you need a hand with this.

Contributor Author

jaycci commented Apr 9, 2022

@peternied For faster processing, I've directly created a PR on the documentation project: opensearch-project/documentation-website#499. Let me know if it's OK or if I need to do anything else.

Member

@peternied peternied left a comment


Thanks! Looks great

@peternied
Member

@opensearch-project/security Could we get another reviewer to take a look at this PR?

@cliu123 cliu123 merged commit c19b01f into opensearch-project:main Jun 8, 2022
spartan2015 pushed a commit to spartan2015/security-dashboards-plugin that referenced this pull request Aug 8, 2022
…earch-project#929)

Signed-off-by: Jean-Christian Simonetti <github@elysiria.fr>

Co-authored-by: Peter Nied <petern@amazon.com>
Co-authored-by: Chang Liu <lc12251109@gmail.com>
Signed-off-by: Vasile Negru <vasile@eosfintek.com>
@pratikshavyas

With Opensearch Dashboards v2.2.1, on access of the UI, redirection is not considering the value set for server.basePath and opensearch_security.openid.base_redirect_url, as it is redirecting to "/" after authentication with OpenID.
Please check whether this bug was introduced as part of this change and has impacted URL routing.
