Templated Roles with Open ID Realm

I am trying to create a templated role, where I want to use the user metadata info to provide the user with role access. I am using the document available at
https://www.elastic.co/blog/attribute-based-access-control-with-xpack

I am creating role as

```
PUT _security/role/d_client_policy
{
    "indices": [{
        "names": ["unified_incident_processed"],
        "privileges": ["read"],
        "query": {
            "template": {
                "source": "{\"bool\": {\"filter\": [{\"terms\": {\"CLIENT_ID\": {{#toJson}}_user.metadata.CLIENT_ID{{/toJson}}}}]}}"
            }
        }
    }]
}
```

As I am using OIDC as the IDP for the application, I am trying to add the metadata info to the role mapping for the username as

```
PUT _security/role_mapping/oidc-kibana_29
{
  "roles": [ "my_policy" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "username": "useremail@emailid.com" } }
  ] },
  "metadata": {
        "Client_ID": [2181, 3245, 2134]
  }
}
```

As all this configuration is done at the level of the role mapping, this reference is not visible in _user.

My question is: how can we use templated roles in an OpenID realm kind of scenario?

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

You cannot put metadata in the user object in role mapping. When authenticating via OpenID Connect realm though, the user object will get all the OpenID Connect ID Token claims as metadata as we describe here.

So, if your OP can provide these metadata values as an ID Token claim, i.e. named XXXX, then you would be able to use _user.metadata.oidc(XXXX) in your templated roles.
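The following is an added illustration, not code from the thread or from Elasticsearch itself: a small Python simulation of the flow the reply describes. It builds the `_user` object the way the OIDC realm does (every ID Token claim stored under a metadata key of the form `oidc(<claim>)`, as the reply states), renders the original poster's templated query against it, and applies the resulting `terms` filter to a few constructed documents. The Mustache renderer here is a minimal stand-in that only understands `{{#toJson}}path{{/toJson}}` and `{{path}}`, and treating `oidc(CLIENT_ID)` as a single path segment is an assumption about how the real template engine resolves that key. The sample documents, claim values and username are constructed for the example.

```python
"""Simulate a templated role (DLS) query rendered from OIDC ID Token claims.

Added example, not the forum's or Elastic's own code. Assumptions:
  * the OIDC realm stores each ID Token claim as user metadata keyed
    "oidc(<claim>)" (as described in the reply above);
  * "oidc(CLIENT_ID)" resolves as one dotted-path segment in the template;
  * the renderer below is a stand-in supporting only {{#toJson}} and {{var}}.
"""
import json
import re


def user_from_id_token(username, claims):
    """Build the _user object as the OIDC realm exposes it to role templates.

    Note that role-mapping "metadata" never ends up here: only ID Token claims
    populate _user.metadata, which is the point made in the reply.
    """
    return {
        "username": username,
        "metadata": {f"oidc({name})": value for name, value in claims.items()},
    }


def _lookup(ctx, path):
    """Resolve a dotted path such as _user.metadata.oidc(CLIENT_ID)."""
    cur = ctx
    for segment in path.split("."):
        if not isinstance(cur, dict) or segment not in cur:
            # Fail closed: a missing claim must not widen access.
            raise KeyError(f"template variable not found: {path}")
        cur = cur[segment]
    return cur


def render_template(source, user):
    """Render the role's Mustache query source into a query dict."""
    ctx = {"_user": user}
    # {{#toJson}}path{{/toJson}} -> JSON serialisation of the resolved value
    out = re.sub(
        r"\{\{#toJson\}\}(.+?)\{\{/toJson\}\}",
        lambda m: json.dumps(_lookup(ctx, m.group(1).strip())),
        source,
    )
    # {{path}} -> plain string substitution of the resolved value
    out = re.sub(
        r"\{\{([^#/][^}]*)\}\}",
        lambda m: str(_lookup(ctx, m.group(1).strip())),
        out,
    )
    return json.loads(out)


# The poster's query template, pointed at the claim-derived metadata key.
ROLE_QUERY_TEMPLATE = (
    '{"bool": {"filter": [{"terms": {"CLIENT_ID": '
    "{{#toJson}}_user.metadata.oidc(CLIENT_ID){{/toJson}}}}]}}"
)

# Constructed sample documents standing in for the unified_incident_processed index.
SAMPLE_DOCS = [
    {"id": "inc-1", "CLIENT_ID": 2181, "summary": "constructed record A"},
    {"id": "inc-2", "CLIENT_ID": 9999, "summary": "constructed record B"},
    {"id": "inc-3", "CLIENT_ID": 3245, "summary": "constructed record C"},
]


def apply_terms_filter(query, docs):
    """Tiny stand-in for document level security: keep docs matching the terms filter."""
    terms = query["bool"]["filter"][0]["terms"]
    (field, allowed), = terms.items()
    return [doc for doc in docs if doc.get(field) in allowed]


def visible_docs_for(claims):
    """Documents a user whose ID Token carries `claims` would be allowed to read."""
    user = user_from_id_token("useremail@emailid.com", claims)  # constructed username
    query = render_template(ROLE_QUERY_TEMPLATE, user)
    return apply_terms_filter(query, SAMPLE_DOCS)


if __name__ == "__main__":
    # Claim values constructed to mirror the poster's role-mapping metadata.
    for doc in visible_docs_for({"CLIENT_ID": [2181, 3245, 2134], "email": "useremail@emailid.com"}):
        print(doc["id"], doc["CLIENT_ID"])
```

The point to take from the simulation is the data flow: the list of client ids has to arrive inside the ID Token, because that is the only thing the OIDC realm copies into `_user.metadata`; a user whose token lacks the claim causes the template to fail rather than match every document, which is the safe direction for a document-level-security filter.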
