[Enhancement] Add proxy authentication support to multi-auth framework

[samk-acw]

description

I've setup proxy authentication and it works fine, however I want to also allow basicauth as well to allow non-SSO users, but it doesn't seem to be supported.
Multiple auth types is possible according to https://opensearch.org/docs/latest/security/configuration/multi-auth/ but this doesn't mention proxy auth.
Attempting to configure both proxy and basicauth results in opensearch-dashboards not being able to start, showing "Error: Unsupported authentication type: proxy"

To Reproduce
Steps to reproduce the behavior:

1. set proxy and basicauth types and multiple_auth_enabled in opensearch-dashboards.yml:

opensearch_security.auth.type: ["proxy","basicauth"]
opensearch_security.auth.multiple_auth_enabled: true

2. start opensearch-dashboards
3. startup fails and logs the following:

Error: Unsupported authentication type: proxy
at MultipleAuthentication.init (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/multiple/multi_auth.ts:97:17)
at createAuthentication (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:46:3)
at getAuthenticationHandler (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:91:37)
at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:119:39)
at PluginsSystem.setupPlugins (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_system.js:101:24)
at PluginsService.setup (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_service.js:117:19)
at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:275:26)
at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:70:14)
at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:133:5)
at Command. (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:193:5)

Expected behavior
dashboards should allow proxy auth in combination with other auth types - eg use proxy auth if the relevant headers are present and request is coming from an allowed proxy, otherwise go to the regular login page.

OpenSearch Version
2.11.1

Dashboards Version
2.11.1

Plugins

defaults

Host/Environment (please complete the following information):
Debian 12

[kavilla]

Hello @samk-acw, thank you for opening.

@opensearch-project/admin, can you please move this to https://github.com/opensearch-project/security-dashboards-plugin

[scrawfor99]

[Triage] Hi @samk-acw, thank you for filing this issue. Currently, multiple authentication forms are only supported for external identity provider sign on options (SAML, OIDC, etc.) and basic auth or bearer auth. That being said, support for proxy authentication alongside basic auth would be a change we would be interested in seeing should you be willing to propose a design or open a PR.

I will mark this as an enhancement and change the title so that it is clear what the issue is requesting. Thank you :)

(Sorry the documentation was not clear on this, we will get that addressed in the meantime)

[cwperks]

The currently support auth types for multiauth can be found here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/multiple/multi_auth.ts#L51-L101

[Manuelraa]

This really is a big problem. This is completely blocking certain deployments in companies where HTTP proxies are required.