What is the bug?
Defining a JWT auth domain with a public key rather than JWKS leads to the following warnings in the logs:
{"type": "server", "timestamp": "2026-04-22T13:53:59,872+0000", "level": "WARN", "component": "o.o.s.a.h.j.k.HTTPJwtKeyByJWKSAuthenticator", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "jwks_uri is not configured, will use static JWT authentication fallback", "cluster.uuid": "KuIGqc7HSQ6myDn6WbTYcA", "node.id": "mPH-Bb3xSB-vgUbZszl0Gw" }
{"type": "server", "timestamp": "2026-04-22T13:53:59,879+0000", "level": "WARN", "component": "o.o.s.a.h.j.k.HTTPJwtKeyByJWKSAuthenticator", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "jwks_uri is not configured, falling back to static JWT authentication", "cluster.uuid": "KuIGqc7HSQ6myDn6WbTYcA", "node.id": "mPH-Bb3xSB-vgUbZszl0Gw" }
IMHO these should be DEBUG or at best INFO level messages.
How can one reproduce the bug?
Define an auth domain like this:
jwt_auth_domain:
  description: "Authenticate via Json Web Token"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: your-public-key-here
      jwt_header: "Authorization"
      jwt_url_parameter: null
      roles_key: example_roles
      subject_key: null
      required_issuer: example
      required_audience: example
  authentication_backend:
    type: noop
What is the expected behavior?
Defining a JWT auth domain with a public key rather than JWKS should be perfectly acceptable.
What is your host/environment?
- OS: linux
- Version: OpenSearch 3.6.0
- Plugins: security
Do you have any screenshots?
n/a
Do you have any additional context?
This warning did not exist in 2.x
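
A log-triage sketch for the two records quoted in the report, added here as an example (not code from the reporter or the OpenSearch project): it counts the static-key fallback notice per node and keeps every other WARN record visible for review. The function name `triage`, the constant names, and the last two sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Strings copied from the two log records in the report above.
COMPONENT = "o.o.s.a.h.j.k.HTTPJwtKeyByJWKSAuthenticator"
FALLBACK_PREFIX = "jwks_uri is not configured"


def triage(lines):
    """Separate the static-key fallback notice from all other WARN records.

    Returns (fallback_counts, other_warnings): a Counter keyed by node name,
    and the list of remaining WARN records that still need a human look.
    """
    fallback_counts = Counter()
    other_warnings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # stack traces and other non-JSON lines
        if not isinstance(rec, dict) or rec.get("level") != "WARN":
            continue
        is_fallback = (
            rec.get("component") == COMPONENT
            and str(rec.get("message", "")).startswith(FALLBACK_PREFIX)
        )
        if is_fallback:
            fallback_counts[rec.get("node.name", "unknown")] += 1
        else:
            other_warnings.append(rec)
    return fallback_counts, other_warnings


# Constructed sample input. The first two records reuse fields shown in the
# report; the third is a made-up WARN from a made-up component; the last line
# is deliberately not JSON.
SAMPLE = [
    '{"level": "WARN", "component": "o.o.s.a.h.j.k.HTTPJwtKeyByJWKSAuthenticator", "node.name": "test-opensearch-0", "message": "jwks_uri is not configured, will use static JWT authentication fallback"}',
    '{"level": "WARN", "component": "o.o.s.a.h.j.k.HTTPJwtKeyByJWKSAuthenticator", "node.name": "test-opensearch-0", "message": "jwks_uri is not configured, falling back to static JWT authentication"}',
    '{"level": "WARN", "component": "constructed.example.Component", "node.name": "test-opensearch-0", "message": "constructed unrelated warning"}',
    "constructed non-JSON line",
]

if __name__ == "__main__":
    counts, others = triage(SAMPLE)
    for node, n in counts.items():
        print(f"{node}: {n} static-key fallback notice(s)")
    for rec in others:
        print("review:", rec["component"], "-", rec["message"])
```

Matching on the exact component plus the message prefix, rather than on the component alone, keeps any other warning that authenticator emits in the review list.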