How to access nested JWT claims in role DLS

thomas.schuerger · October 2, 2025, 7:10am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.2.0

Describe the issue:

My JWTs contain a nested claim that contains the tenant ID of the user:

{
  ...
  "active_tenant": {
    "tenant_id": "<tenant-id>",
    ...
  },
  ...
}

I would like to use this nested claim in a role DLS (document level security), e.g. something like this:

"dls": "{\"bool\":{\"must\":{\"term\":{\"owner\":\"${attr.jwt.active_tenant.tenant_id\"}}}}"

However, this doesn’t seem to be working, the filter always filters everything away. How can I make this nested attribute available in a way so that I can use it in a DLS filter? The filter works fine if I use a constant value instead of a variable. I guess it also works if a top-level claim is used.

Accessing /_plugins/_security/authinfo, I can see that indeed the nested attribute is not listed among the attr.jwt.* attributes, only top-level attributes are listed. I see “attr.jwt.active_tenant” listed, but not “attr.jwt.active_tenant.tenant_id”. Can I somehow map the nested attribute to a top-level attribute and then access it?

Anthony · October 2, 2025, 9:20am

@thomas.schuerger The jwt claims only support top level attributes, as you see using authinfo.

You have 2 options to get this working:

You can use mappers in JWT provider (IDP) to convert it to top level attribute.
You can add this to the roles section, since roles supports nested attributes, (You might find this case useful)

thomas.schuerger · October 2, 2025, 10:45am

Ok, that is obviously a solution, but TBH not a good one. This could be a temporary solution until OpenSearch has a better solution available.
I’m not sure I understand this part. I’m already using the array syntax for roles_key that is supported since version 3.1.0 (because the roles are also a nested attribute inside the active_tenant, that works fine). But how would this help me extracting the tenant_id attribute for the DLS?

How about also making nested attributes available as attr.jwt.*?

Anthony · October 2, 2025, 4:09pm

Regarding the second point, if this is included in the roles claim, you could then create DLS based on the roles received.

Regarding nested attributes for attr.jwt, I would recommend to raise a feature request here

Topic		Replies	Views
Access nested fields in JWT token for [subject_key, roles_key] Security troubleshoot , configure	6	3736	June 18, 2025
Nested claim for JWT auth, can't find roles Security troubleshoot	2	88	September 29, 2025
DLS fails with dynamic variable ${user.attrs.tenant_id} but works with static values Open Source Elasticsearch and Kibana	1	38	October 10, 2025
Document-Layer Security with parameter substitution from JWT token claims doesn't seem to work Security troubleshoot	2	511	June 16, 2023
Monitor with JWT document level security does not propagate jwt claims leading to empty results Alerting	1	425	February 7, 2023

How to access nested JWT claims in role DLS

Related topics