OIDC role mapping not working

Hello all,

I'm experiencing a problem with role mapping after successful OIDC authentication. My OP provides an ID Token in which the following data about the user can be found (copied from the ES log):

"resource_access":{"kibana":{"roles":["administrator"]}}

In accordance with the ES documentation, I added the following line to the OIDC realm definition in the ES configuration (Docker Compose environment section):

- xpack.security.authc.realms.oidc.oidc1.claims.groups=resource_access.kibana.roles

And I created my role mapping like this:

PUT _security/role_mapping/oidc-users
{
  "enabled": true,
  "roles": [
    "superuser",
    "monitoring_user",
    "kibana_admin",
    "editor"
  ],
  "rules": {
    "all": [
      {"field": {"realm.name": "oidc1"}},
      {"field": {"groups": "administrator"}}
    ]
  }
}

However, this doesn't work. Replacing "groups" in the role mapping definition with "resource_access.kibana.roles" also doesn't work. What does work is any other field from the ID token, but I need to get to this specific array. Could someone please tell me how?

Thank you.

Does Elasticsearch even support nested objects in the OIDC ID Token? Is it able to parse them? I haven't found this information in the documentation.

OK, so I figured out that ES doesn't support nested objects in the ID Token. Solved by propagating Keycloak user roles as a top-level array.
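The following is an added example, not code from the thread or from Elasticsearch, that walks through what the thread describes end to end: a decoded ID token with Keycloak's nested resource_access.kibana.roles, the realm's claims.groups lookup, and the posted role mapping rules evaluated against the resulting user. The claim lookup is modelled as a plain top-level key lookup, which is the behaviour the last post concluded applies; the flatten_client_roles function reproduces in code what the poster did on the Keycloak side (emitting the client roles as a top-level array, assumed claim name "groups"). Token payloads, issuer, subject and username are constructed sample data; wildcard patterns in field rules are not modelled.

```python
import json
from typing import Any, Dict, List, Set

# Constructed ID token payload (decoded claims only; JWT signature validation
# is out of scope here). The resource_access shape mirrors the log line quoted
# in the thread: Keycloak places client roles under resource_access.<client>.roles.
NESTED_ID_TOKEN: Dict[str, Any] = {
    "iss": "https://keycloak.example.test/realms/demo",  # assumed issuer
    "sub": "7b1e4c2a-0000-4000-8000-000000000001",        # constructed subject
    "preferred_username": "alice",                        # constructed username
    "resource_access": {"kibana": {"roles": ["administrator"]}},
}

# Role mapping exactly as posted in the thread.
ROLE_MAPPING: Dict[str, Any] = {
    "enabled": True,
    "roles": ["superuser", "monitoring_user", "kibana_admin", "editor"],
    "rules": {
        "all": [
            {"field": {"realm.name": "oidc1"}},
            {"field": {"groups": "administrator"}},
        ]
    },
}

REALM_NAME = "oidc1"


def lookup_claim(claims: Dict[str, Any], name: str) -> Any:
    """Top-level claim lookup (assumption matching the thread's conclusion):
    the configured claims.groups name is used as a literal key, so a dotted
    path such as "resource_access.kibana.roles" resolves to nothing."""
    return claims.get(name)


def build_user_model(claims: Dict[str, Any], realm_name: str,
                     groups_claim: str) -> Dict[str, Any]:
    """Assemble the fields that role mapping rules can reference."""
    groups = lookup_claim(claims, groups_claim)
    if groups is None:
        groups_list: List[str] = []
    elif isinstance(groups, str):
        groups_list = [groups]
    else:
        groups_list = [str(g) for g in groups]
    return {
        "username": claims.get("preferred_username"),
        "realm.name": realm_name,
        "groups": groups_list,
    }


def field_rule_matches(user: Dict[str, Any], field: str, expected: Any) -> bool:
    """A field rule matches when the user's value (or any element of a
    multi-valued field such as groups) equals one of the expected values."""
    expected_values = expected if isinstance(expected, list) else [expected]
    actual = user.get(field)
    if isinstance(actual, list):
        return any(v in expected_values for v in actual)
    return actual in expected_values


def evaluate_rule(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Recursive evaluation of the all / any / except / field rule types."""
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return field_rule_matches(user, field, expected)
    raise ValueError("unknown rule type: %s" % json.dumps(rule))


def mapped_roles(mapping: Dict[str, Any], user: Dict[str, Any]) -> Set[str]:
    """Roles granted by one role mapping, or none if it is disabled or its rules fail."""
    if not mapping.get("enabled", True):
        return set()
    return set(mapping["roles"]) if evaluate_rule(mapping["rules"], user) else set()


def flatten_client_roles(claims: Dict[str, Any], client: str,
                         target_claim: str = "groups") -> Dict[str, Any]:
    """Model of the Keycloak-side fix from the last post: copy
    resource_access.<client>.roles into a top-level array claim."""
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    flattened = dict(claims)
    flattened[target_claim] = list(roles)
    return flattened


if __name__ == "__main__":
    scenarios = [
        ("nested token, claims.groups=resource_access.kibana.roles",
         NESTED_ID_TOKEN, "resource_access.kibana.roles"),
        ("flattened token, claims.groups=groups",
         flatten_client_roles(NESTED_ID_TOKEN, "kibana"), "groups"),
    ]
    for label, token, groups_claim in scenarios:
        user = build_user_model(token, REALM_NAME, groups_claim)
        print("%s -> groups=%s roles=%s" % (
            label, user["groups"], sorted(mapped_roles(ROLE_MAPPING, user))))
```

Running it shows the first scenario yielding an empty group list and no roles, and the flattened scenario yielding all four roles. Note that the posted mapping includes superuser, which grants full cluster privileges; mapping it from an IdP-controlled role claim means anyone who can assign the "administrator" client role in Keycloak gets full control of the cluster.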
