[BUG] Support roles in a nested claim within JWT

[cwperks]

What is the bug?

While uncommon, its possible for JWT claims to contain nested objects. i.e.

{
    "sub": "craig",
    "attributes": {
        "roles": "roleA,roleB"
    }
}

With JWT auth, its not possible to configure any JWT-backed auth backend to extract the backend roles from such a structure. When configuring the rolesKey on any JWT-backed auth backend, it assumes that the roles are a top-level claim of the JWT payload.

Additional Context:

All JWT-backend auth backend extend the AbstractHttpJwtAuthenticator which has an extractRoles method.

This backend assumes that the roles are either comma-separated string or an array of strings.

The rolesKey could be abstracted to support nesting.

[cwperks]

To support this I think we can support configuring rolesKey with a list in addition to the existing string. If configured with a list, then we can assume to extract roles from a nested object.

i.e. For the above example it could be configured with rolesKey: ['attributes', 'roles']

[KarstenSchnitter]

Thanks for creating this issue. Note, that for us, dots in the rolesKey names would need to be supported:

{
    "sub": "karsten",
    "attributes": {
        "roles.assigned": "roleA,roleB"
    }
}

The array could work for this. Other options would be:

• The OpenSearch index standard for JSON traversal, which would support the dot: rolesKey: attributes.roles.assigned
• JsonPath: $.attributes["roles.assigned"]

I am not sure, what would be easier to understand or implement.