OIDC role mapping not working

natharran · January 10, 2024, 12:29pm

Hello all,

I'm experiencing a problem with role mapping after successful OIDC authentication. My OP provides ID Token where the following data about user can be found (copied from ES log):

\"resource_access\":{\"kibana\":{\"roles\":[\"administrator\"]}}

In accordance with ES documentation, I put the following line to OIDC realm definition in ES configuration (docker compose environment section):

- xpack.security.authc.realms.oidc.oidc1.claims.groups=resource_access.kibana.roles

And i created my role mapping like this:

PUT _security/role_mapping/oidc-users
{
  "enabled": true,
    "roles": [
      "superuser",
      "monitoring_user",
      "kibana_admin",
      "editor"
    ],
    "rules": {
      "all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "administrator"}}
      ]
    }
}

However, this doesn't work. Replacing the "groups" in role mapping definition with "resource_access.kibana.roles" also doesn't work. What does work is any other field from ID token, but I need to get to this specific array. Could someone please tell me how?

Thank you.

natharran · January 11, 2024, 3:23pm

Does Elasticsearch even support nested objects in OIDC ID Token? Is it able to parse them? I haven't found this information in the documentation.

natharran · January 22, 2024, 10:28am

OK, so I figured out that ES doesn't support nested objects in ID Token. Solved by propagating Keycloak user roles as top-level array.

system · February 19, 2024, 10:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.