Userinfo Response did not contain a sub Claim – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.2-8.9

Briefly, this error is raised by Elasticsearch's OpenID Connect realm after the ID Token itself has already been verified. When the realm is configured with an op.userinfo_endpoint, it calls the Identity Provider's (IdP) UserInfo endpoint with the access token and expects a JSON response that carries a "sub" (subject) claim. OpenID Connect Core requires that claim and requires it to be identical to the "sub" in the ID Token; the realm rejects the login if it is missing (this message) or if it differs (the sibling message "Userinfo Response is not valid as it is for subject [...] while the ID Token was for subject [...]"). The check exists so that attributes fetched for one principal can never be merged into another principal's session, for example when the access token presented to the UserInfo endpoint was issued for a different user than the ID Token. To resolve the issue, fix the IdP side: make sure the UserInfo endpoint returns "sub" and that the access token the realm sends belongs to the same authentication as the ID Token (the authorization request must use the openid scope). If the IdP's UserInfo endpoint cannot be corrected, remove op.userinfo_endpoint from the realm settings so Elasticsearch relies on the ID Token claims alone. Changing the claims.* or claim_patterns.* settings of the realm does not help here: those mappings are applied only after this validation has passed, and the "sub" check is not configurable.

This guide will help you check for common problems that cause the log "Userinfo Response did not contain a sub Claim" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: response, plugin.

Log Context

The log "Userinfo Response did not contain a sub Claim" is emitted from OpenIdConnectAuthenticator.java. We extracted the following from the Elasticsearch source code for those seeking in-depth context (the commas of the method signature and exception arguments were rendered as semicolons on the original page and have been restored, and the method is shown to its closing brace):

 /**
  * Validates that the userinfo response contains a sub Claim and that this claim value is the same as the one returned in the ID Token
  */
 private void validateUserInfoResponse(JWTClaimsSet userInfoClaims, String expectedSub, ActionListener<JWTClaimsSet> claimsListener) {
     if (userInfoClaims.getSubject().isEmpty()) {
         claimsListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim"));
     } else if (userInfoClaims.getSubject().equals(expectedSub) == false) {
         claimsListener.onFailure(
             new ElasticsearchSecurityException(
                 "Userinfo Response is not valid as it is for " + "subject [{}] while the ID Token was for subject [{}]",
                 userInfoClaims.getSubject(),
                 expectedSub
             )
         );
     }
 }
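The same check re-implemented as a stand-alone Python script, added here as an example and not Elasticsearch's own code, so that the two failure modes described at the top of this guide (missing "sub", and a "sub" that belongs to a different user than the ID Token) can be exercised offline. The ID Token claims and the UserInfo response bodies are constructed sample data, not captures from a real provider; the merge policy in merge_claims (UserInfo may add claims but may not contradict a scalar claim already present in the ID Token) is this example's own assumption and not a statement about every Elasticsearch version.

```python
import json


class UserInfoValidationError(Exception):
    """Raised for the two conditions the realm rejects."""


def validate_userinfo_response(userinfo_body: str, expected_sub: str) -> dict:
    """Parse a UserInfo response body and apply the same two checks as
    OpenIdConnectAuthenticator.validateUserInfoResponse: the 'sub' claim must be
    present and non-empty, and it must equal the verified ID Token's 'sub'.
    Returns the parsed claims on success."""
    claims = json.loads(userinfo_body)
    sub = claims.get("sub", "")
    if not isinstance(sub, str) or sub == "":
        raise UserInfoValidationError("Userinfo Response did not contain a sub Claim")
    if sub != expected_sub:
        # The access token used against the UserInfo endpoint was issued for
        # somebody else: merging these claims would attach another principal's
        # attributes (groups, email, ...) to this login.
        raise UserInfoValidationError(
            f"Userinfo Response is not valid as it is for subject [{sub}] "
            f"while the ID Token was for subject [{expected_sub}]"
        )
    return claims


def merge_claims(id_token_claims: dict, userinfo_body: str) -> dict:
    """Validate the UserInfo response against the ID Token, then combine the two
    claim sets for the realm's later claims.* / claim_patterns.* mapping.
    Policy assumed for this example: UserInfo may add claims the ID Token lacks,
    but a scalar claim present in both must agree."""
    userinfo = validate_userinfo_response(userinfo_body, id_token_claims["sub"])
    combined = dict(id_token_claims)
    for name, value in userinfo.items():
        if name in combined and combined[name] != value and not isinstance(value, (list, dict)):
            raise UserInfoValidationError(f"Conflicting values for claim [{name}]")
        combined.setdefault(name, value)
    return combined


def outcome(id_token_claims: dict, userinfo_body: str) -> str:
    """Helper for exercising the check: 'ok' or the realm-style error text."""
    try:
        merge_claims(id_token_claims, userinfo_body)
        return "ok"
    except UserInfoValidationError as exc:
        return str(exc)


# Constructed sample data (hypothetical issuer, client and subjects).
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "aud": "elasticsearch-kibana",
    "exp": 1700000000,
    "name": "Alice Example",
}
USERINFO_OK = '{"sub": "248289761001", "name": "Alice Example", "email": "alice@example.com", "groups": ["es-admins"]}'
USERINFO_NO_SUB = '{"name": "Alice Example", "email": "alice@example.com"}'
USERINFO_OTHER_USER = '{"sub": "90342.ASDFJWFA", "email": "bob@example.com", "groups": ["es-admins"]}'

if __name__ == "__main__":
    cases = [("valid", USERINFO_OK), ("missing sub", USERINFO_NO_SUB), ("wrong subject", USERINFO_OTHER_USER)]
    for label, body in cases:
        print(f"{label}: {outcome(ID_TOKEN_CLAIMS, body)}")
```

Running the script prints "ok" for the first body and the two realm-style error messages for the other two. The point to take from the third case is that a UserInfo document which looks perfectly healthy (it has a "sub", an email and a group that would map to a role) is still rejected, because nothing in it proves the attributes belong to the user who just authenticated; only agreement with the ID Token's "sub" does.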

 
