Description
What is the bug?
Since the last update in version 2.8 that added the audience and issuer check, I was hoping to get our APIs to authenticate with the OpenSearch cluster using an OAuth 2.0 access token generated by our IdP, but now I am blocked by another possible bug: the OpenSearch cluster OIDC setup expects a Subject Key, which I have configured as Preferred Name, and that claim will not be available in an access token generated by a system using the client credentials flow. If I remove the Subject Key entry from the cluster config, my Dashboard gets messed up with an alphanumeric auto-generated subject key shown as the profile name. This is one issue.

Another, related issue is that the Dashboard generates and sends an ID token to the cluster rather than an access token. Because of this I cannot configure my OpenSearch cluster with a different resource server ID and have to use the same ID I used in the Dashboard, because the audience of the ID token would not match otherwise. If the Dashboard sent the access token to the cluster, the problem would be solved: my cluster would act as a resource server with its own ID, the Dashboard would be a UI client, and my API would be another client, both having permission with the right role/scope of the cluster resource server ID.
How can one reproduce the bug?
1. Configure the Dashboard with a UI registration with your IdP.
2. Configure the cluster with another ID as the resource server.
3. Have an API access the cluster directly using an access token generated by a client ID that has permission to the cluster's resource server.

The Subject Key issue is self-explanatory, I assume.
What is the expected behavior?
To have an OIDC and OAuth 2.0 flow that works for the Dashboard and for an API calling the cluster directly using the client credentials flow.
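As an added illustration of the two failure modes the report describes (example code written for this page, not from the issue author or the OpenSearch project): a minimal model of an OIDC auth domain that verifies a token, checks issuer and audience, and resolves the user name from a configurable subject key. The issuer URL, client IDs, claim values and the HS256 shared secret are all constructed assumptions; a real deployment validates RS256 signatures against the IdP's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret: real IdPs sign with RS256 keys published at the
# OIDC discovery URL, but HS256 keeps this example self-contained.
EXAMPLE_SECRET = b"example-shared-secret-do-not-use"

# Assumed identifiers (not from the issue): issuer URL and the two client IDs.
ISSUER = "https://idp.example.com/realms/demo"
DASHBOARD_CLIENT_ID = "opensearch-dashboards"
CLUSTER_RESOURCE_ID = "opensearch-cluster"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Sign a compact JWS (HS256) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(EXAMPLE_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature and expiry, then return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(EXAMPLE_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def authenticate(token: str, subject_key: str, required_issuer: str, required_audience: str):
    """Model of an OIDC auth domain: verify, check iss/aud, resolve the user name.

    Returns (subject, "ok") on success or (None, reason) on failure.
    """
    claims = verify_jwt(token)
    if claims.get("iss") != required_issuer:
        return None, "issuer mismatch"
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    if required_audience not in audiences:
        return None, f"audience mismatch: {audiences}"
    subject = claims.get(subject_key)
    if subject is None:
        return None, f"claim '{subject_key}' missing"
    return subject, "ok"


_EXP = int(time.time()) + 3600

# Constructed ID token as a Dashboards login would receive it: the audience is
# the Dashboards client and it carries a human-readable preferred_username.
ID_TOKEN = make_jwt({
    "iss": ISSUER, "aud": DASHBOARD_CLIENT_ID, "exp": _EXP,
    "sub": "3f9a1c2e-7b4d-4e2a-9c1f-0a5b6d7e8f90", "preferred_username": "alice",
})

# Constructed access token from the client credentials grant: the audience is
# the cluster resource server; no human user, so no preferred_username claim.
API_ACCESS_TOKEN = make_jwt({
    "iss": ISSUER, "aud": CLUSTER_RESOURCE_ID, "exp": _EXP,
    "sub": "9d4e2b7a-1c3f-4a8e-b5d6-7e8f9a0b1c2d", "azp": "billing-api-client",
})


def id_token_against_cluster_audience():
    # Cluster configured with its own resource server ID while the ID token is forwarded
    return authenticate(ID_TOKEN, "preferred_username", ISSUER, CLUSTER_RESOURCE_ID)


def api_token_with_preferred_username():
    # subject_key set to preferred_username, but machine tokens carry no such claim
    return authenticate(API_ACCESS_TOKEN, "preferred_username", ISSUER, CLUSTER_RESOURCE_ID)


def api_token_with_sub():
    # Falling back to sub accepts the API token but yields an opaque subject
    return authenticate(API_ACCESS_TOKEN, "sub", ISSUER, CLUSTER_RESOURCE_ID)


if __name__ == "__main__":
    for case in (id_token_against_cluster_audience, api_token_with_preferred_username, api_token_with_sub):
        print(f"{case.__name__}: {case()}")
```

Running it shows the three outcomes the report describes: the ID token is rejected by a cluster whose required audience differs from the Dashboards client ID, the client-credentials token fails when the subject key is `preferred_username`, and switching the subject key to `sub` accepts that token but produces the opaque identifier that ends up displayed as the profile name.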