OpenID Connect - debug payload

plotek · November 26, 2020, 1:04pm

Hi!

I have a problem with getting roles from the JWT payload. I got the error in Elasticsearch logs:

c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [elasticsearch] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.

It seems that my provider doesn’t include roles information to JWT but this information is available by another endpoint /userinfo. But I would like to check this by debugging what includes the JWT token. So I have a question is there any possibility to achieve this?

Anthony · August 12, 2021, 4:37pm

@plotek It would seem this should be possible using below lines in log4j2.properties file:

logger.opendistro_security.name = com.amazon.dlic.auth.http.jwt
logger.opendistro_security.level = trace

However I have not been able to get the actual JWT produced.

I would recommend to raise a bug ticket for the dev team using below:

Topic		Replies	Views
Tracing JWT authentication for OpenID and debugging the JWT payload do not work Security	3	363	December 7, 2023
OpenIDConnect Integration with Google fails to retrieve roles info Security	4	875	September 20, 2021
Roles key warnings Security troubleshoot	3	267	December 5, 2023
ES is not able to find "roles" in JWT payload from Okta OpenID Security	4	2302	August 11, 2021
OpenID Connect. Authentication finally failed Security	2	2970	April 16, 2021

OpenID Connect - debug payload

Related topics