Userinfo Response did not contain a sub Claim – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.2-8.9

Briefly, this error occurs when Elasticsearch’s OpenID Connect realm receives an ID token that doesn’t contain a “sub” (subject) claim. The “sub” claim is a unique identifier for the user, which is mandatory in OpenID Connect. To resolve this issue, you can check your Identity Provider’s (IdP) settings to ensure it includes the “sub” claim in the ID token. Alternatively, you might need to adjust the claim patterns in your Elasticsearch realm settings to correctly map the claims provided by your IdP.

This guide will help you check for common problems that cause the log ” Userinfo Response did not contain a sub Claim ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: response, plugin.

Log Context

Log “Userinfo Response did not contain a sub Claim” class name is We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 * Validates that the userinfo response contains a sub Claim and that this claim value is the same as the one returned in the ID Token
 private void validateUserInfoResponse(JWTClaimsSet userInfoClaims; String expectedSub; ActionListener claimsListener) {
 if (userInfoClaims.getSubject().isEmpty()) {
 claimsListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim"));
 } else if (userInfoClaims.getSubject().equals(expectedSub) == false) {
 new ElasticsearchSecurityException(
 "Userinfo Response is not valid as it is for " + "subject [{}] while the ID Token was for subject [{}]";