OpenIDConnect Integration with Google fails to retrieve roles info

I am testing the OpenDistro plugin’s OpenIDConnect feature on a single node Elastic Cluster for test purposes before I implement it in production. I am using Google Gsuite as our IdP as our organisation uses that. Everything seems to be working fine, except that Google doesn’t seem to send a ‘roles’ claim as part of the jwt payload. I can log in fine but the user is not associated with any role so access is forbidden with the below error in the browser

"no permissions for [indices:data/read/search] and User [name=SYSADMIN, backend_roles=[], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=SYSADMIN, backend_roles=[], requestedTenant=null]"

and in elasticsearch.log

[2020-03-04T10:46:56,707][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [ubuntu] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.

I tried looking for ways to retrieve additional information (claims) in google by extending scope but wasn’t lucky as Google by default doesn’t have a roles or groups claim (unlike Keycloak or Microsoft) as part of user info.

So my question is: can I work around this issue by relying on internal roles instead of getting them from Google? I tried that by setting authentication_backend as internal for openid in config.yml but wasn’t lucky. Surely, I seem to be missing something for something so simple. Is this plugin not IdP-neutral as regards OpenID?

Hello @rahuls

Have you fixed this issue? What version of ODFE were you testing?
Could you share your Google OID config and config.yml?

Hello @rahuls and @pablo
I have the same problem and the opensearch documentation is very poor.
I don’t want to put keycloak in front of a google authentication.

It was hard to configure google authentication using OpenID ’cause there are some unexplained parameters. Also, if I enable this authentication the “basic” login page simply disappears and I have only the google page (weird)

Any solution or ideas?

@aamarques This behaviour is expected: currently you are only able to select one authentication method via kibana, therefore if you selected oidc (Google), the basic auth screen will not appear when accessing kibana, even though basic auth is enabled from the elasticsearch side.

Google doesn’t provide any roles, therefore you will not be able to extract these from the JWT. To bypass any error regarding roles_key, you can set it to any value that is present in the JWT, like “given_name”.

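As an added illustration of the two answers above (not configuration posted by anyone in this thread), the following puts the pieces together for OpenDistro: an `openid` auth domain whose `roles_key` points at a claim Google does send (`given_name`, as suggested above) so the roles warning goes away, a `noop` authentication backend (the `internal` backend expects a password, which is why switching to it did not work), and a `roles_mapping.yml` entry that grants access by the user's `email` subject rather than by backend roles, since Google issues none. The Kibana settings, the `client_id`/`client_secret` placeholders, the hostnames and the e-mail addresses are assumptions for the example.

```yaml
# --- plugins/opendistro_security/securityconfig/config.yml (added example) ---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            # Google's ID token carries "email" and "given_name" but no "roles" claim.
            subject_key: email
            # Any claim that is always present; the plugin only needs the key to exist.
            # The resulting backend role is the user's first name and is not used for authz below.
            roles_key: given_name
            openid_connect_url: https://accounts.google.com/.well-known/openid-configuration
        authentication_backend:
          # OIDC users have no password in the internal user database, so "intern" fails here.
          type: noop

# --- plugins/opendistro_security/securityconfig/roles_mapping.yml (added example) ---
_meta:
  type: "rolesmapping"
  config_version: 2

# Authorization keyed on the subject (email) instead of on backend roles Google never sends.
all_access:
  reserved: false
  users:
    - "sysadmin@example.com"     # assumed address, not from the thread

readall:
  reserved: false
  users:
    - "analyst@example.com"      # assumed address, not from the thread

# --- kibana.yml (added example; values are placeholders) ---
# opendistro_security.auth.type: "openid"
# opendistro_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration"
# opendistro_security.openid.client_id: "<GOOGLE_OAUTH_CLIENT_ID>"
# opendistro_security.openid.client_secret: "<GOOGLE_OAUTH_CLIENT_SECRET>"
# opendistro_security.openid.scope: "openid profile email"
# opendistro_security.openid.base_redirect_url: "https://kibana.example.com"
```

The mapping is the part that actually fixes the `backend_roles=[]` error from the first post: with `subject_key: email`, the user name seen by the plugin is the Google e-mail address, and a `users:` entry in `roles_mapping.yml` attaches a role to that name without any role claim from the IdP. After editing the two security files, load them with `securityadmin.sh` so the running cluster picks up the change; restricting the `users:` lists to a small set of named accounts keeps the grant explicit instead of relying on an arbitrary claim value.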

@Anthony Thanks for the explanation… I’ll use Keycloak to give me roles.