OpenID Connect implements Authentication correctly but NOT Authorization with IdP

We are using Open Distro 1.4.0 with Keycloak 4.3.0 and successfully performing role-based User Authentication.

In our Keycloak IdP, we also enforce policy-based authorization access to company resources. This means that all our OpenID Connect clients MUST perform authorization requests and obtain an RPT (Requesting Party Token) with all user permissions.
It's through this mechanism that Keycloak can grant / deny access.

Unfortunately, it appears that the OpenDistro Elasticsearch security plugin does not perform this “Authorization” step AFTER authenticating using the JWT.
I searched both “GitHub - opendistro-for-elasticsearch/security” and “GitHub - opendistro-for-elasticsearch/security-kibana-plugin” for the mandatory grant_type “urn:ietf:params:oauth:grant-type:uma-ticket” when performing this operation without any luck.

So as it stands, as long as the user correctly enters their username/password, Keycloak can block access to Kibana.

Surely, this is an oversight.

Is this a feature that can be turned ON from within config.yml and kibana.yml?

Does any developer know why this was not implemented, as I was sure it's part of the specification? Anyone know?
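As an added illustration of the authorization step the post describes (not code from the post, the Open Distro plugin, or Keycloak), the following Python builds the UMA-ticket token request a client sends to Keycloak after login and checks the resulting RPT's permissions claim before granting access. The issuer URL, client id and the unsigned sample RPT are assumed or constructed for offline use.

```python
import base64
import json
from urllib.parse import urlencode

# Grant type named in the post: Keycloak's token endpoint exchanges the
# user's access token for an RPT carrying the permissions its policies allow.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_rpt_request(issuer, access_token, audience, permission=None):
    """Return (url, headers, form body) for the UMA token request.
    issuer is the realm URL (assumed, e.g. https://idp.example/realms/demo),
    audience the client id whose policies apply; permission is an optional
    "resource#scope" to request a narrower RPT. Sending is left to the caller."""
    form = {"grant_type": UMA_TICKET_GRANT, "audience": audience}
    if permission:
        form["permission"] = permission
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"{issuer}/protocol/openid-connect/token", headers, urlencode(form)

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def rpt_permissions(rpt):
    """List of authorization.permissions entries in the RPT payload.
    Parses only; a real client must verify the JWT signature against the
    IdP's keys first, or these claims are untrusted."""
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    return payload.get("authorization", {}).get("permissions", [])

def is_permitted(rpt, resource, scope):
    """True if the RPT grants `scope` on `resource` (matched by name or id)."""
    for perm in rpt_permissions(rpt):
        if resource in (perm.get("rsname"), perm.get("rsid")):
            if scope in perm.get("scopes", []):
                return True
    return False

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed, unsigned sample RPT for offline demonstration only.
SAMPLE_RPT = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "alice", "authorization": {"permissions": [
        {"rsid": "r-1", "rsname": "kibana-dashboards", "scopes": ["view"]}
    ]}}).encode()),
    "",  # no signature on the constructed token
])
```

A client that skips this exchange, or that ignores a token-endpoint error response, ends up relying on authentication alone, which is the gap the post describes.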

Hello @lmit

Do you still have this issue? Did you test with the latest version of ODFE?