I am testing the OpenDistro plugin's OpenIDConnect feature on a single-node Elastic cluster for test purposes before I implement it in production. I am using Google G Suite as our IdP, as our organisation uses that. Everything seems to be working fine, except that Google doesn't seem to send a 'roles' claim as part of the JWT payload. I can log in fine, but the user is not associated with any role, so access is forbidden with the below error in the browser:
"no permissions for [indices:data/read/search] and User [name=SYSADMIN, backend_roles=[], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=SYSADMIN, backend_roles=[], requestedTenant=null]"
and in elasticsearch.log:
[2020-03-04T10:46:56,707][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [ubuntu] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.
I tried looking for ways to retrieve additional information (claims) in Google by extending the scope, but wasn't lucky, as Google by default doesn't have a roles or groups claim (unlike Keycloak or Microsoft) as part of the user info.
So my question is: can I work around this issue by relying on internal roles instead of getting them from Google? I tried that by setting authentication_backend as internal for openid in config.yml, but wasn't lucky. Surely I seem to be missing something for something so simple. Is this plugin not IdP-neutral as regards OpenID?
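For readers hitting the same "Failed to get roles from JWT claims" warning, the following is an added example (not the poster's configuration and not taken from the OpenDistro project) of the two security-plugin files involved. It assumes the documented shape of config.yml (an `authc` domain with `http_authenticator.type: openid`) and roles_mapping.yml (a role's `users` list), and a constructed Google discovery URL and username. The idea it shows is to stop depending on a roles claim the IdP never sends: the OIDC user is identified by a claim that Google does emit (`email` here), and the role mapping keys on that username rather than on `backend_roles`.

```yaml
# config.yml (security plugin) -- constructed example, not the original poster's file
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            # Google's ID token carries 'email' but no 'roles' claim, so the
            # username is taken from 'email'. roles_key is left out on purpose:
            # with no such claim, backend_roles will simply be empty, which is
            # expected here because roles come from roles_mapping.yml instead.
            subject_key: email
            # Assumed/constructed discovery endpoint; replace with the real one.
            openid_connect_url: https://accounts.google.com/.well-known/openid-configuration
        # The ID token has already been validated against the IdP's keys, so no
        # second password check is needed; 'noop' accepts the authenticated user.
        authentication_backend:
          type: noop

---
# roles_mapping.yml (security plugin) -- constructed example
_meta:
  type: "rolesmapping"
  config_version: 2

# Map the OIDC username directly to a plugin role. Because the match is on
# 'users' (the value extracted via subject_key) and not on 'backend_roles',
# the missing roles claim no longer matters. Use the narrowest role that
# fits; all_access is shown only because it is the well-known built-in.
all_access:
  reserved: false
  users:
    - "sysadmin@example.com"   # constructed username; must equal the 'email' claim value
```

After editing these files the change only takes effect once they are loaded into the security index (for example with the plugin's securityadmin.sh tool); a restart alone does not pick up edited YAML. To confirm the mapping worked, the User in the forbidden message should show the role under its roles rather than an empty backend_roles list.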