Action [indices:data/read/search] is unauthorized for user

Hello!

I'm currently evaluating Elastic Stack and I have problems related to REST API authorization. I'm not sure if I'm doing something wrong or if there's a bug in Elasticsearch.

I have set up OIDC SSO successfully (using our custom, OIDC-standards-compliant IdP) and I'm able to get an access token from the Elasticsearch _security/oidc/authenticate endpoint. When I try to use it to invoke the kibana_sample_data_ecommerce/_search endpoint, I get the following error:

The remote server returned an error: (403) Forbidden.. Call: Status code 403 from: POST /kibana_sample_data_ecommerce/_search?typed_keys=true. ServerError: Type: security_exception Reason: "action [indices:data/read/search] is unauthorized for user [admin]"

So it seems that I can authenticate, but authorization fails.

Authenticated user is "admin" like the error message says.
User has access to kibana_sample_data_ecommerce index because I can log in to Kibana as that user and successfully query data using Kibana dev tools.
The NEST library is used for the search query.
Access token is provided in Authorization header as a Bearer token.
Data is from Kibana eCommerce sample data.

Our IdP returns a profile claim whose value I use to assign roles to the authenticated user. The role mapping looks like this:

PUT /_security/role_mapping/testrole
{
  "roles": [ "kibana_user", "testrole" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "groups": "testrole" } }
  ] }
}

Elasticsearch.yml has the following configuration:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  ...
  rp.requested_scopes: "openid profile email"
  ...
  claims.principal: preferred_username
  claims.mail: email
  claims.groups: profile

And the actual "testrole" role has the "read" and "view_index_metadata" privileges on the kibana_sample_data_ecommerce index.

The relevant code using NEST (C#):

using System;
using System.Collections.Specialized;
using Nest;

// The access token returned by _security/oidc/authenticate is attached to every request
// as a Bearer token via a global header.
var settings = new ConnectionSettings(new Uri("http://localhost:9200"))
	.GlobalHeaders(new NameValueCollection
	{
		{ "Authorization", $"Bearer {elasticOidcAuthenticateResponse.AccessToken}" }
	})
	.DefaultIndex("kibana_sample_data_ecommerce");

var elasticClient = new ElasticClient(settings);

// BUG: This fails because of the following error.
// The remote server returned an error: (403) Forbidden...
// (Search<T>() with no descriptor is a match_all query against the default index.)
var elasticSearchResponse = elasticClient.Search<dynamic>();

Any ideas what could be wrong?
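A 403 with "unauthorized for user [admin]" after a successful authentication usually means the roles Elasticsearch resolved for that user do not include the index privilege, so the thing to check is what the role mapping actually yields for the claims the realm saw. The following is an added example (not code from the post or from Elastic): it evaluates Elasticsearch role-mapping rules (`field`, `all`, `any`, `except`, with `*` wildcards in string values) offline against the `testrole` mapping from the post and constructed user attributes. The user dictionaries are assumptions, standing in for what the OIDC realm derives from the ID token via `claims.principal` and `claims.groups`; the second one shows what happens if the `profile` claim carries a value other than the literal group name (for example a profile URL, which is what the standard OIDC `profile` claim normally contains).

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example).

Rule semantics follow the role-mapping rule documentation: a "field" rule
matches when any value of the named user attribute equals any of the rule's
values (strings may contain "*" wildcards; comparison here is case-sensitive),
"all"/"any" combine sub-rules, "except" negates one.
"""
import re
from typing import Any, Dict, List, Tuple

# Role mapping exactly as posted (body of PUT /_security/role_mapping/testrole).
TESTROLE_MAPPING: Dict[str, Any] = {
    "roles": ["kibana_user", "testrole"],
    "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "testrole"}},
    ]},
}

# Constructed user attributes (assumption): what the realm would expose with
# claims.principal=preferred_username and claims.groups=<claim used for groups>.
USER_OK = {"username": "admin", "realm.name": "oidc1", "groups": ["testrole"]}
# Same user, but the groups claim holds a profile URL instead of a group name.
USER_PROFILE_URL = {"username": "admin", "realm.name": "oidc1",
                    "groups": ["https://idp.example/profiles/admin"]}


def _value_matches(actual: Any, expected: Any) -> bool:
    """Compare one user value with one rule value; '*' in a rule string is a wildcard."""
    if isinstance(expected, str) and isinstance(actual, str):
        pattern = ".*".join(re.escape(part) for part in expected.split("*"))
        return re.fullmatch(pattern, actual) is not None
    return actual == expected  # numbers, booleans, null (null matches a missing field)


def _field_rule(user: Dict[str, Any], spec: Dict[str, Any]) -> bool:
    (field, expected), = spec.items()  # a field rule names exactly one attribute
    actuals = user.get(field)
    actuals = actuals if isinstance(actuals, list) else [actuals]
    expecteds = expected if isinstance(expected, list) else [expected]
    return any(_value_matches(a, e) for a in actuals for e in expecteds)


def evaluate(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Recursively evaluate a role-mapping rule tree for one user."""
    if "field" in rule:
        return _field_rule(user, rule["field"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def explain(rule: Dict[str, Any], user: Dict[str, Any],
            out: List[Tuple[str, Any, bool]] = None) -> List[Tuple[str, Any, bool]]:
    """List every leaf field rule as (field, expected, matched) to see which one fails."""
    if out is None:
        out = []
    if "field" in rule:
        (field, expected), = rule["field"].items()
        out.append((field, expected, _field_rule(user, rule["field"])))
    for key in ("all", "any"):
        for sub in rule.get(key, []):
            explain(sub, user, out)
    if "except" in rule:
        explain(rule["except"], user, out)
    return out


def mapped_roles(mappings: List[Dict[str, Any]], user: Dict[str, Any]) -> List[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings:
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for label, user in (("group claim", USER_OK), ("profile URL", USER_PROFILE_URL)):
        print(label, "->", mapped_roles([TESTROLE_MAPPING], user),
              explain(TESTROLE_MAPPING["rules"], user))
```

With the posted mapping the first user gets `kibana_user` and `testrole`; the second gets nothing, and `explain` shows that the `groups` rule is the one that failed. To see what the cluster itself resolved, send `GET /_security/_authenticate` with the same `Authorization: Bearer ...` header: the response lists the `roles` and the `authentication_realm`, which tells you whether the token is being resolved through the `oidc1` realm and whether `testrole` is among the user's roles at all.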