Secure machine-to-machine access with scoped tokens, OIDC federation, and zero breaking changes to your existing cluster.
OpenSearch has strong auth primitives, but lacks the developer experience layer for machine-to-machine access.
| Capability | Grafana | Datadog | Elastic | OpenSearch | + oauth4os |
|---|---|---|---|---|---|
| OIDC / SSO | β | β | β | β | β |
| API Keys | β | β | β | π 3.7 | β |
| OAuth Apps / Scoped Tokens | β | β | β | β | β |
| Token Governance UI | β | β | β | β | β |
| Cedar Fine-Grained Policies | β | β | β | β | β |
| PKCE (Browser Clients) | β | β | β | β | β |
| Multi-Tenancy | β | β | β | β οΈ | β |
| SDKs (Go/Python/Java/Rust/Node) | β οΈ | β | β | β | β |
oauth4os sits between your clients and OpenSearch: validating tokens, mapping scopes, forwarding requests.
```bash
docker compose up
```

Expected output:

```text
oauth4os-proxy | listening on :8443
oauth4os-opensearch | OpenSearch Security initialized
oauth4os-keycloak | Keycloak started in 4.2s
```
```bash
curl -s -X POST http://localhost:8443/oauth/token \
  -d "grant_type=client_credentials" \
  -d "client_id=my-agent" \
  -d "client_secret=secret" \
  -d "scope=read:logs-*"
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read:logs-*"
}
```
```bash
# TOKEN holds the access_token value returned by the previous step
curl -s -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "http://localhost:8443/logs-*/_search" \
  -d '{"query":{"match":{"level":"error"}}}'
```

Response (proxied to OpenSearch):

```json
{
  "hits": {
    "total": { "value": 42 },
    "hits": [
      { "_source": { "level": "error", "message": "connection timeout", "service": "payment" } }
    ]
  }
}
```
```bash
curl -s -X POST http://localhost:8443/oauth/revoke \
  -d "token=$TOKEN"
```

Response:

```json
{ "revoked": true }
```
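Behind the proxied search above, the proxy's core question is whether the token's scopes cover the index expression and operation in the request. As an added illustration, not oauth4os's own code (the page does not show its mapping rules), this Python check parses scopes of the form `read:logs-*` and decides a request; the read-only endpoint list and the literal matching of wildcard index expressions are assumptions made here.

```python
import fnmatch
from dataclasses import dataclass

# Added example of the kind of check a scope-aware proxy makes before forwarding a request.
# The rules below are assumptions for illustration, not oauth4os's own implementation.

# OpenSearch endpoints that only read data even when called with POST (assumed list).
READ_ONLY_ENDPOINTS = {"_search", "_count", "_msearch", "_mget", "_mapping", "_settings"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_scopes(scope_str: str) -> list[tuple[str, str]]:
    """'read:logs-* write:audit-2024' -> [('read', 'logs-*'), ('write', 'audit-2024')]."""
    pairs = []
    for item in scope_str.split():
        action, _, pattern = item.partition(":")
        if action not in {"read", "write"} or not pattern:
            raise ValueError(f"malformed scope: {item!r}")
        pairs.append((action, pattern))
    return pairs


def required_action(method: str, endpoint: str) -> str:
    """GET/HEAD and the read-only POST endpoints need 'read'; anything else needs 'write'."""
    if method in {"GET", "HEAD"} or (method == "POST" and endpoint in READ_ONLY_ENDPOINTS):
        return "read"
    return "write"


def authorize(scope_str: str, method: str, path: str) -> Decision:
    parts = path.strip("/").split("/")
    if not parts[0] or parts[0].startswith("_"):
        return Decision(False, "cluster-level API is outside any index scope")
    indices = parts[0].split(",")
    endpoint = parts[1] if len(parts) > 1 else ""
    action = required_action(method.upper(), endpoint)
    scopes = parse_scopes(scope_str)
    for index in indices:
        if index in {"_all", "*"} or index.startswith("-"):
            return Decision(False, f"index expression {index!r} cannot be bounded by a scope")
        # The requested expression is matched as a literal string against the scope pattern,
        # so 'logs-*' and 'logs-2024-01' satisfy 'read:logs-*' but 'log*' and '*' do not.
        if not any(a == action and fnmatch.fnmatchcase(index, p) for a, p in scopes):
            return Decision(False, f"no {action} scope covers {index!r}")
    return Decision(True, f"{action} on {','.join(indices)} permitted")
```

The literal matching is deliberately conservative: a request for `log*` is refused under `read:logs-*` even though it might resolve only to permitted indices, because the proxy cannot know that without resolving the expression itself.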
JWKS auto-discovery, RS256/ES256, audience validation, clock skew tolerance.
read:logs-* maps to the OpenSearch logs_reader role. Per-provider multi-tenant mappings.
Per-client token bucket. Configurable RPM per scope. 429 + Retry-After.
Issue, refresh, revoke, introspect (RFC 7662). Rotation with reuse detection.
Secure browser auth (RFC 7636). Token exchange (RFC 8693).
Per-OIDC-provider isolation. Separate scope mappings and Cedar policies.
Token management UI in OpenSearch Dashboards. List, create, revoke.
AI agent integration. 7 tools: search, aggregate, create index, mappings.
CLI with auto-refresh. SDKs for Go, Python, Java, Rust, Node.js.
Prometheus metrics, Grafana dashboard, structured JSON logging, OTel tracing.
mTLS, IP allowlist, session management, key rotation, backup/restore, webhooks.
Tools and integrations for every workflow.
Get scoped tokens in CI/CD. Auto-masked in logs.
Token management, query OpenSearch, inspect scopes from IDE.
Manage clients, scopes, policies as Terraform resources.
Go, Python, Java, Rust, Node.js. Token auto-refresh built in.
One-command Kubernetes deployment with configurable values.
Dev, demo, and monitoring stacks. Prometheus + Grafana included.
JWT, scope mapping, Cedar, rate limiting, PKCE, introspection, OSD plugin, MCP server, CLI.
Multi-tenancy, token exchange, key rotation, CI/CD, Helm, CDK, benchmarks, docs.
mTLS, IP filter, sessions, webhooks, SDKs (5 languages), VS Code, GitHub Action, Terraform.