OpenID-based user access changes are not reflected immediately in Elasticsearch

ES version: 7.3.2
I am using OpenID-based user authorization, similar to this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.4/oidc-role-mapping.html

If I change any roles, the changes are reflected immediately. However, when I change the role mapping of an existing user, the changes are not reflected immediately, until the user logs out, clears the cache and cookies, and logs in again.
Is there something I am doing wrong?

My Role-mapping API:
PUT {{es_ip_port}}/_security/role_mapping/oidc-developer_01?pretty

{
    "roles": [
        "developer",
        "kibana_user",
        "kibana_system",
        "reporting_user"
    ],
    "enabled": true,
    "rules": {
        "all": [
            {
                "field": {
                    "realm.name": "oidc1"
                }
            },
            {
                "field": {
                    "username": [
                        "xyz@wxy.com"
                    ]
                }
            }
        ]
    }
}

developer is my custom role. Please let me know if you need more details.
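To make the `rules` block above concrete, here is an added Python illustration (not Elasticsearch's own code, and not part of the original post) of how role-mapping rules are evaluated against a user's attributes: `all` requires every sub-rule to match, `any` requires at least one, `except` negates, and a `field` rule compares a user attribute against a value or a list of values (a list means "any of", and a trailing `*` acts as a wildcard on string fields). The first mapping copies the one posted above; the second mapping, the user records and the `groups` attribute are constructed for the example.

```python
"""Evaluate Elasticsearch-style role-mapping rules against user attributes.

Added illustration, not Elasticsearch's implementation. It follows the
documented rule types (`all`, `any`, `except`, `field`) and only supports
the `*` wildcard in string values, which is assumed sufficient here.
"""
import re
from typing import Any, Dict, List

# The mapping from the post above, plus a constructed second mapping that
# exercises `any`, `except` and a wildcard (hypothetical, for illustration).
ROLE_MAPPINGS: Dict[str, Dict[str, Any]] = {
    "oidc-developer_01": {
        "enabled": True,
        "roles": ["developer", "kibana_user", "kibana_system", "reporting_user"],
        "rules": {
            "all": [
                {"field": {"realm.name": "oidc1"}},
                {"field": {"username": ["xyz@wxy.com"]}},
            ]
        },
    },
    "oidc-all-staff": {  # hypothetical mapping
        "enabled": True,
        "roles": ["kibana_user"],
        "rules": {
            "all": [
                {"field": {"realm.name": "oidc1"}},
                {"any": [
                    {"field": {"username": "*@wxy.com"}},
                    {"field": {"groups": "staff"}},
                ]},
                {"except": {"field": {"username": "contractor@wxy.com"}}},
            ]
        },
    },
}


def _flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn {"realm": {"name": "oidc1"}} into {"realm.name": "oidc1"}."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(_flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def _value_matches(have: Any, want: Any) -> bool:
    """Compare one user value with one rule value; `*` is a wildcard."""
    if isinstance(have, str) and isinstance(want, str):
        pattern = ".*".join(re.escape(part) for part in want.split("*"))
        return re.fullmatch(pattern, have) is not None
    return have == want


def _field_matches(user_value: Any, expected: Any) -> bool:
    """A list on either side means 'any of'; a missing attribute never matches."""
    wants = expected if isinstance(expected, list) else [expected]
    haves = user_value if isinstance(user_value, list) else [user_value]
    return any(_value_matches(h, w) for w in wants for h in haves)


def rule_matches(rule: Dict[str, Any], flat_user: Dict[str, Any]) -> bool:
    """Recursively evaluate a single rule object against flattened attributes."""
    if len(rule) != 1:
        raise ValueError(f"a rule must have exactly one key, got {list(rule)}")
    kind, body = next(iter(rule.items()))
    if kind == "all":
        return all(rule_matches(r, flat_user) for r in body)
    if kind == "any":
        return any(rule_matches(r, flat_user) for r in body)
    if kind == "except":
        return not rule_matches(body, flat_user)
    if kind == "field":
        if len(body) != 1:
            raise ValueError("a field rule must name exactly one attribute")
        name, expected = next(iter(body.items()))
        return _field_matches(flat_user.get(name), expected)
    raise ValueError(f"unknown rule type {kind!r}")


def resolve_roles(user: Dict[str, Any],
                  mappings: Dict[str, Dict[str, Any]] = ROLE_MAPPINGS) -> List[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    flat = _flatten(user)
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], flat):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    # Constructed users: the one from the post, and two that should differ.
    dev = {"username": "xyz@wxy.com", "realm": {"name": "oidc1"}, "groups": []}
    contractor = {"username": "contractor@wxy.com", "realm": {"name": "oidc1"}}
    staff = {"username": "bob", "realm": {"name": "oidc1"}, "groups": ["staff"]}
    for u in (dev, contractor, staff):
        print(u["username"], "->", resolve_roles(u))
```

Note that this only shows how the rules select roles; it says nothing about when Elasticsearch re-evaluates them, which is the actual question in this thread.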

Can you describe exactly what you mean by "change role-mapping of an existing user" ? Do you create a new role mapping that gives new roles to the user, or do you update an existing role mapping that gives different roles to a user ?
(see below for an updated answer)
The former would not trigger the cache to be cleared but the latter would.

If you want to create new role mappings and have the new roles be effective immediately, then you'd need to either force logout your user and re-authenticate or use the clear cache API for the specific realm and user.


Suppose I have provided the developer role to one user. Later I give the user-admin role to that user. The changes are not immediate. I understand your point. I need to manually call the _clear_cache API every time I make this kind of change. Like:

POST {{es_ip_port}}/_security/realm/oidc1/_clear_cache?usernames=xyz@wxy.com

Thank you for the prompt reply, as always.

I spoke too soon and my answer was not correct. Apologies, let me set this straight:

Both changing an existing role mapping and introducing a new role mapping could potentially trigger a clear of the respective realm cache. This is true for realms like PKI, LDAP, AD, etc.

Now, with SSO realms like SAML and OpenID Connect, we can't do this, as we don't use the cache because of how the SSO flow happens, and this is why your changes are not reflected. Calling the _clear_cache API will also have no effect for OpenID Connect; you would need to log out via Kibana and log in again.


I just hit:

POST {{es_ip_port}}/_security/realm/oidc1/_clear_cache?usernames=xyz@wxy.com

Nobody is able to log in to Kibana now. It's reporting "unauthorized" and a state and nonce issue. I opened another topic thread for this. How do I resolve this?

As explained above, this should have no effect whatsoever, so this is not related to the other topic you opened. For future reference, it's better to keep your related questions contained in a single topic.

ok, I will keep that in mind.
However, that thread is valid too, as a few users were getting that issue before. I will look into that based on your recommendations.