Case sensitive Email ID handler for OpenID based User authentication

When providing OpenID based access to the users in ES, the Email-IDs are taken as case sensitive, i.e. if a user has the email Xyz.Abc@foo.com and I give the Email-ID as xyz.abc@foo.com, the user is unable to log in. Is there any way we can make this Email-ID case insensitive in Elasticsearch?
ES version: 7.3.2
Tier: Platinum X-Pack enabled
User Authentication: OpenID based
Current role-mapping request:

PUT _security/role_mapping/foo_read_user_01?pretty
{
    "roles": [
        "foo_client",
        "kibana_dashboard_only_user"
    ],
    "enabled": true,
    "rules": {
        "all": [
            {
                "field": {
                    "realm.name": "oidc1"
                }
            },
            {
                "field": {
                    "username": [
                        "Xyz.Abc@foo.com",
                        "Bar.Yahoo@foo.com",
                        "FOOBAR@foo.com",
                        "foozbaR@foo.com"
                    ]
                }
            }
        ]
    }
}

Expected role-mapping request:

PUT _security/role_mapping/foo_read_user_01?pretty
{
    "roles": [
        "foo_client",
        "kibana_dashboard_only_user"
    ],
    "enabled": true,
    "rules": {
        "all": [
            {
                "field": {
                    "realm.name": "oidc1"
                }
            },
            {
                "field": {
                    "username": [
                        "xyz.abc@foo.com",
                        "bar.yahoo@foo.com",
                        "foobar@foo.com",
                        "foozbar@foo.com"
                    ]
                }
            }
        ]
    }
}

Please let me know if you need any additional details.
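As an added illustration (not code from the original post or from Elasticsearch itself), here is a small Python model of the role-mapping rule DSL used above, evaluated against the mapping from the question. It shows why a login as xyz.abc@foo.com fails the exact-match comparison and what a case-folded comparison would change. The DSL semantics (all/any/except/field, with a list value matching any of its entries) are assumed from the role-mapping documentation, and the user dicts are constructed samples.

```python
import json

# Role mapping from the question, embedded as a constructed sample.
ROLE_MAPPING = json.loads("""
{
  "roles": ["foo_client", "kibana_dashboard_only_user"],
  "enabled": true,
  "rules": {
    "all": [
      {"field": {"realm.name": "oidc1"}},
      {"field": {"username": ["Xyz.Abc@foo.com", "Bar.Yahoo@foo.com",
                              "FOOBAR@foo.com", "foozbaR@foo.com"]}}
    ]
  }
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def field_matches(expected, actual, fold_case):
    """A 'field' rule matches if any user value equals any expected value.
    fold_case=False models the exact comparison the question reports."""
    norm = (lambda s: str(s).lower()) if fold_case else str
    wanted = {norm(v) for v in _as_list(expected)}
    return any(norm(v) in wanted for v in _as_list(actual))


def evaluate(rule, user, fold_case=False):
    """Model of the rule DSL: all (AND), any (OR), except (NOT), field."""
    if "all" in rule:
        return all(evaluate(r, user, fold_case) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user, fold_case) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user, fold_case)
    if "field" in rule:
        return all(field_matches(v, user.get(k, []), fold_case)
                   for k, v in rule["field"].items())
    raise ValueError(f"unknown rule: {rule}")


def mapped_roles(mapping, user, fold_case=False):
    """Roles the mapping would grant to the given user attributes."""
    if not mapping.get("enabled", True):
        return []
    return list(mapping["roles"]) if evaluate(mapping["rules"], user, fold_case) else []


if __name__ == "__main__":
    for name in ("Xyz.Abc@foo.com", "xyz.abc@foo.com"):
        user = {"username": name, "realm.name": "oidc1"}  # constructed sample
        print(name, "exact:", mapped_roles(ROLE_MAPPING, user),
              "folded:", mapped_roles(ROLE_MAPPING, user, fold_case=True))
```

Running it shows the capitalised username receives both roles while the lowercase form receives none under exact matching, which is the behaviour described in the question.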

I agree that since OpenID Connect imposes no restrictions on the case sensitivity of the claim values neither in the core spec nor in the JSON Web Token claims registry for most of the claims*, we could either default to being non-sensitive or allow this to be configurable.

Unfortunately, you can't do this at this time. We have an issue open for the LDAP realm which is highly similar to this one; I'll add a comment there so that this can be handled at the same time once this can be tackled (https://github.com/elastic/elasticsearch/issues/48120).

* sub, iss etc. are defined as case sensitive
