Document-level security - String array filter

I am trying to set up document-level security in Kibana to restrict document access to specific user IDs.

If I use the following query in plain text, everything is fine:

{
  "query": {
    "ids": {
      "values": ["dkolDnkBy3prm6DJqjkr", "jkolDnkBy3prm6DJuzlJ"]
    }
  }
}

But as soon as I use the following parameter substitution:

{
  "query": {
    "ids": {
      "values": ${attr.jwt.IDs}
    }
  }
}

I get this json_parse_exception: “[ids] failed to parse field [values]”

{
  \"query\": {
    \"ids\": {
      \"values\": [dkolDnkBy3prm6DJqjkr, jkolDnkBy3prm6DJuzlJ]
    }
}

However, my JWT contains the following data:

"IDs": [
  "dkolDnkBy3prm6DJqjkr",
  "jkolDnkBy3prm6DJuzlJ"
]

I understand why Elasticsearch returns the json_parse_exception, but I would like to know why my JWT’s string array is misinterpreted.

Do you have any clue, or know a way to get around this problem?

As you can see in the 2nd example, your values are not quoted.

See here: Setting up field and document level security | Elasticsearch Guide [7.10] | Elastic

If your metadata field contains an object or array, you can access it using the {{#toJson}}parameter{{/toJson}} function.

So that means you have to write:

{
  "query": {
    "ids": {
      "values": {{#toJson}}attr.jwt.IDs{{/toJson}}
    }
  }
}

and then it should work.

I have already tried it, without success :confused:

{
  "query": {
    "ids": {
      "values": {{#toJson}}attr.jwt.IDs{{/toJson}}
    }
  }
}

results in

[ids] values doesn't support values of type: START_OBJECT

I understand that the parsing exception is caused by the missing quotes when the query is interpreted.

I do not understand why the quotes, which are present in the JWT, are stripped away when passed as a variable.

I am quite new to ES. Is there any way to see the output of {{#toJson}}attr.jwt.IDs{{/toJson}} to understand where the error occurs?
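
An added example, not part of the thread and not the security plugin's own code: it reproduces the symptom offline by rendering the `${attr.jwt.IDs}` template two ways and checking the result before it would be stored in a role. `render_plain` is an assumed model of text substitution inferred from the error output above; all function names are hypothetical, and the sample claim is the one quoted in the thread.

```python
import json
import re

# Constructed sample: the JWT claim and the DLS template quoted in the thread.
JWT_ATTRS = {"attr.jwt.IDs": ["dkolDnkBy3prm6DJqjkr", "jkolDnkBy3prm6DJuzlJ"]}
DLS_TEMPLATE = '{"query": {"ids": {"values": ${attr.jwt.IDs}}}}'

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def render_plain(template, attrs):
    """Assumed model of plain text substitution: list items are joined as
    bare text, which matches the unquoted array in the error output."""
    def sub(match):
        value = attrs[match.group(1)]
        if isinstance(value, list):
            return "[" + ", ".join(str(v) for v in value) + "]"
        return str(value)
    return PLACEHOLDER.sub(sub, template)


def render_json(template, attrs):
    """Substitution that serialises the attribute as JSON, so strings keep
    their quotes and embedded quote characters are escaped."""
    return PLACEHOLDER.sub(lambda m: json.dumps(attrs[m.group(1)]), template)


def check_dls_query(rendered):
    """Return (ok, detail): the query must parse as JSON and ids.values
    must be a list of strings."""
    try:
        values = json.loads(rendered)["query"]["ids"]["values"]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        return False, "ids.values is not a list of strings"
    return True, values


if __name__ == "__main__":
    for render in (render_plain, render_json):
        rendered = render(DLS_TEMPLATE, JWT_ATTRS)
        print(render.__name__, rendered, check_dls_query(rendered))
```

The JSON-serialising variant also matters for safety: a claim value containing a quote character cannot break out of the string and alter the filter.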