How does Elasticsearch verify JWT tokens?

I resolved it.

With the settings:

  claims.principal: "preferred_username"
  claims.groups: "roles"
PUT /_security/role_mapping/keycloak_role_mapping
{
  "roles": ["own_pgw_viewer"], 
  "enabled": true,
  "rules": {
    "any": [
      {
        "field": { "metadata.oidc(roles)": "vntadmin" }
      }
    ]
  }
}

So the user field is metadata.oidc(roles).

Then the answer from ELK is:

[2024-06-18T13:09:36,783][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [XXX-xxx] effective HTTP connection keep-alive: [180000]ms
[2024-06-18T13:09:36,785][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [XXX-xxx] ID Token Header: {"kid":"6YXXXXXAk","typ":"JWT","alg":"RS256"}
[2024-06-18T13:09:36,794][DEBUG][o.e.x.s.a.o.OpenIdConnectAuthenticator] [XXX-xxx] effective HTTP connection keep-alive: [180000]ms
[2024-06-18T13:09:36,800][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [XXX-xxx] successfully loaded [1] role-mapping(s) from [.security]

[2024-06-18T13:09:36,800][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [XXX-xxx] Mapping user [UserData{username:vnttest; dn:null; groups:[vntadmin]; metadata:{oidc(email)=XXX-xxx, oidc(roles)=["vntadmin"], oidc(typ)=ID, oidc(given_name)=XXX-xxx, oidc(auth_time)=1718708976, oidc(aud)=[elasticsearch], oidc(email_verified)=false, oidc(nonce)=XXX-xxx, oidc(session_state)=4XXX-xxx, oidc(jti)=XXX-xxx, oidc(id_token_hint)=eyJhbGciOiXXX-xxxw, oidc(name)=XXX-xxx, oidc(iss)=https://keycloakXXX-xxx/realms/vnttest, oidc(at_hash)=FWYhXXX-xxxL8ZQ, oidc(family_name)=NXXX-xxx, oidc(sid)=45741eXXX-xxx37, oidc(preferred_username)=vnttest, oidc(acr)=1, oidc(azp)=elasticsearch, oidc(sub)=ffd8e0XXX-xxx5e}; realm=oidc1}] to roles [[own_pgw_viewer]]

[2024-06-18T13:09:36,801][DEBUG][o.e.x.s.a.RealmsAuthenticator] [XXX-xxx] Authentication of [<OIDC Token>] using realm [oidc/oidc1] with token [OpenIdConnectToken] was [AuthenticationResult{status=SUCCESS, value=User[username=vnttest,roles=[own_pgw_viewer],fullName=null,email=null,metadata={oidc(email)=vXXX-xxx, oidc(roles)=["vntadmin"], oidc(typ)=ID, oidc(given_name)=VXXX-xxx, oidc(auth_time)=1718708976, oidc(aud)=[elasticsearch], oidc(email_verified)=false, oidc(nonce)=2A2e6XXX-xxx, oidc(jti)=XXX-xxx, oidc(id_token_hint)=eyXXX-xxx, oidc(name)=XXX-xxx, oidc(iss)=https://keycloak.XXX-xxx/realms/vnttest, oidc(at_hash)=FWXXX-xxx oidc(family_name)=XXX-xxx, oidc(sid)=4574XXX-xxx, oidc(preferred_username)=vnttest, oidc(acr)=1, oidc(azp)=elasticsearch, oidc(sub)=ffXXX-xxx}], message=null, exception=null}]
[2024-06-18T13:09:36,801][DEBUG][o.e.x.s.a.TokenService   ] [XXX-xxx] Using refresh policy [NONE] when creating token doc [token_dsAvk0hANCKkJcALvSGb5rwxHC5MP0fr2fD4obfyYb4] in the security index [.security-tokens]

Thank you!

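As an added example (not part of the post above and not Elasticsearch's own code), the script below re-implements, in miniature, what the two DEBUG lines from NativeRoleMappingStore describe: the OIDC realm turns the ID token claims into a user record (claims.principal becomes the username, the claims.groups claim becomes the groups, every claim lands in metadata under oidc(<claim>)), and the role-mapping rules are then evaluated against that record. It assumes the "any" / "all" / "except" / "field" rule forms with plain-string and "*" wildcard matching (the "/regex/" value form is left out), the claims are abbreviated and the issuer host is a placeholder, and the rule semantics are a reading of the role-mapping DSL rather than a copy of the Elasticsearch implementation.

```python
import re
from typing import Any

# Constructed ID token claims, abbreviated from the post's log line.
# The issuer host is a placeholder, not the poster's Keycloak.
ID_TOKEN_CLAIMS = {
    "preferred_username": "vnttest",
    "roles": ["vntadmin"],
    "aud": ["elasticsearch"],
    "iss": "https://keycloak.example/realms/vnttest",
    "email_verified": False,
}

# The realm settings quoted in the post (elasticsearch.yml fragment).
REALM_SETTINGS = {"claims.principal": "preferred_username", "claims.groups": "roles"}

# The role mapping from the post, keyed by its mapping name.
ROLE_MAPPINGS = {
    "keycloak_role_mapping": {
        "roles": ["own_pgw_viewer"],
        "enabled": True,
        "rules": {"any": [{"field": {"metadata.oidc(roles)": "vntadmin"}}]},
    }
}


def build_user(claims: dict, settings: dict, realm_name: str = "oidc1") -> dict:
    """Shape the claims the way the log's UserData{...} shows: principal claim
    -> username, groups claim -> groups, every claim -> metadata["oidc(<claim>)"]."""
    groups_claim = settings.get("claims.groups")
    groups = claims.get(groups_claim, []) if groups_claim else []
    if isinstance(groups, str):  # a single-valued claim still yields one group
        groups = [groups]
    return {
        "username": claims[settings["claims.principal"]],
        "dn": None,
        "groups": list(groups),
        "metadata": {f"oidc({k})": v for k, v in claims.items()},
        "realm": {"name": realm_name},
    }


def _lookup(user: dict, field: str) -> list:
    """Resolve a rule field name to the list of candidate values on the user."""
    if field.startswith("metadata."):
        value = user["metadata"].get(field[len("metadata."):])
    elif field == "realm.name":
        value = user["realm"]["name"]
    else:
        value = user.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _match_value(pattern: Any, value: Any) -> bool:
    """Strings support '*' as a wildcard; anything else must be equal."""
    if isinstance(pattern, str) and isinstance(value, str):
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value) is not None
    return pattern == value


def evaluate(rule: dict, user: dict) -> bool:
    """Evaluate one rule object, which carries exactly one of any/all/except/field."""
    (kind, body), = rule.items()
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    if kind == "field":
        (field, expected), = body.items()
        candidates = expected if isinstance(expected, list) else [expected]
        return any(_match_value(p, v) for p in candidates for v in _lookup(user, field))
    raise ValueError(f"unknown rule type {kind!r}")


def mapped_roles(mappings: dict, user: dict) -> list:
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    user = build_user(ID_TOKEN_CLAIMS, REALM_SETTINGS)
    print(user["groups"], mapped_roles(ROLE_MAPPINGS, user))
```

Because claims.groups: "roles" already copies the roles claim into the user's groups (the log shows groups:[vntadmin]), a rule on "groups" matches the same user as the metadata.oidc(roles) rule from the post; the metadata form is what the poster confirmed, the groups form is what the claims.groups setting is for.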