I am trying to use the OpenID Connect authentication and have set 'roles_key: profile' in the sg_config.yml.
When I try to log in with user 123456, who is part of 2 backend roles, role_appA and role_appB, the user role is received through the access_token scope. But I still get an error while accessing Kibana:
{"message":"no permissions for [indices:data/read/search] and User [name=123456, backend_roles=[role_appA], [role_appB], requestedTenant=]: [security_exception] no permissions for [indices:data/read/search] and User [name=123456, backend_roles=[role_appA], [role_appB], requestedTenant=]","statusCode":403,"error":"Forbidden"}
The backend_roles should be an array, in my view, and hence should look something like User [name=123456, backend_roles=[role_appA, role_appB], requestedTenant=].
I have also done the correct role_mapping in the Search Guard configuration for role_appA.
Hello @hsaly,
I have attached the requested files for review.
In this particular scenario, the user with one role still works (tested). Only users with multiple roles are having trouble.
It looks like the value of the “profile” claim is somehow strange.
Search Guard expects a comma-separated list of roles like: rolea, roleb, rolec
Do you see any log entry on WARN level starting with “Expected type String or Collection for roles in the JWT” in your logs?
Can you please check what the raw value of "profile" is or provide the JWT token?
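The two checks asked for in the reply above (decode the token to see the raw value of the roles claim, and see whether it is a comma-separated string or a collection) can be scripted. The following is an added example, not code from the original thread or from Search Guard itself: `extract_roles` is a model of the accepted claim shapes as described in the reply (a comma-separated string, or a collection; anything else logs a WARN starting with the quoted message and yields no roles), not Search Guard's actual parser. The tokens, the HS256 key and the `profile` values are constructed for the demonstration; the third token shows one raw shape that would split into names that still contain brackets, so a role_mapping for role_appA would not match it. Whether that is what this user's IdP sent is not established in the thread.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("roles_key_check")

ROLES_KEY = "profile"  # the roles_key set in sg_config.yml in the thread


def _b64url_encode(data: bytes) -> str:
    """base64url without the '=' padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed JWT from a claims dict (constructed test data only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url_encode(sig))


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time check of an HS256 signature (assumes the alg is known out of band)."""
    head, payload, sig = token.split(".")
    expected = hmac.new(key, "{}.{}".format(head, payload).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    This is for inspecting what the IdP put in the token, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def extract_roles(claims: dict, roles_key: str = ROLES_KEY) -> list:
    """Model (assumption, not Search Guard's code) of the shapes the reply says are accepted:
    a comma-separated string 'rolea, roleb' or a collection ['rolea', 'roleb'].
    Whitespace around names is dropped; any other type is logged at WARN and ignored."""
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    if isinstance(value, (list, tuple, set)):
        return [str(r).strip() for r in value if str(r).strip()]
    log.warning("Expected type String or Collection for roles in the JWT, got %s",
                type(value).__name__)
    return []


def diagnose(token: str, roles_key: str = ROLES_KEY) -> dict:
    """What a practitioner wants from a suspect token: the raw claim, its JSON type,
    and the role names the model parser would derive from it."""
    claims = jwt_claims(token)
    raw = claims.get(roles_key)
    return {"raw": raw, "type": type(raw).__name__, "roles": extract_roles(claims, roles_key)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    key = b"constructed-demo-key"  # not a real IdP secret
    samples = {
        "comma string": "role_appA, role_appB",
        "json array": ["role_appA", "role_appB"],
        "bracketed string": "[role_appA], [role_appB]",
        "wrong type": 42,
    }
    for label, profile in samples.items():
        token = make_hs256_token({"sub": "123456", "profile": profile}, key)
        assert verify_hs256(token, key)
        print(label, "->", diagnose(token))
```

Run it as a script and compare the `roles` list for your own token against the names used in sg_roles_mapping.yml; a name that differs by whitespace, brackets or quoting will not map even though it is visible in the 403 message.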
I checked the raw value of "profile" and it is a comma-separated string. But in the error message I get the profiles as 2 separate arrays.
I checked the logs and could not find any warning message.