Description
Is your feature request related to a problem? Please describe
It is currently not possible to access nested JWT claims, for example in role DLS queries. Only top-level JWT claims are available in attributes of the form attr.jwt.*; nested claims are ignored. This can be seen when accessing /_plugins/_security/authinfo.
Describe the solution you'd like
Nested JWT claims should be made available as variables using dot notation, e.g. attr.jwt.active_tenant.tenant_id for a JWT claim "tenant_id" nested inside "active_tenant", using any level of nesting.
The same approach could be used for other configurations that access a claim, e.g. the subject_key and the roles_key of config.yml. For example, it should be possible to use roles_key=active_tenant.roles. For roles_key, there is already an alternative approach that uses a list, but there is no such thing for subject_key. Using simple dot notation would be simpler.
Related component
No response
Describe alternatives you've considered
No response
Additional context
No response
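The mapping requested above, sketched as an added example (not code from the security plugin or from the issue author): it contrasts the top-level-only attributes the issue describes with dot-notation flattening and a dotted roles_key / subject_key lookup. All function names are hypothetical, the token and its values are constructed, and signature verification is assumed to have happened before this step.

```python
import base64
import json

def decode_payload(token):
    """Return the claims of a compact JWT WITHOUT verifying the signature (demo only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def top_level_attrs(claims, prefix="attr.jwt"):
    """Behaviour the issue describes today: nested (object) claims are ignored."""
    return {f"{prefix}.{k}": v for k, v in claims.items() if not isinstance(v, dict)}

def flatten_attrs(claims, prefix="attr.jwt"):
    """Requested behaviour: every nesting level is reachable via dot notation."""
    out = {}
    for key, value in claims.items():
        name = f"{prefix}.{key}"
        nested = flatten_attrs(value, name) if isinstance(value, dict) else {name: value}
        for k, v in nested.items():
            if k in out:
                # A claim literally named "a.b" and a nested a -> b map to the same name.
                raise ValueError(f"ambiguous attribute name: {k}")
            out[k] = v
    return out

def resolve_key(claims, dotted):
    """Resolve a dotted roles_key / subject_key path; None if any segment is missing."""
    node = claims
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def make_token(claims):
    """Build a constructed sample token; the signature part is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

# Constructed sample claims; only active_tenant, tenant_id and roles come from the issue.
SAMPLE = make_token({
    "sub": "alice",
    "active_tenant": {"tenant_id": "t-42", "roles": ["reader", "auditor"]},
})

if __name__ == "__main__":
    claims = decode_payload(SAMPLE)
    print(top_level_attrs(claims))
    print(flatten_attrs(claims))
    print(resolve_key(claims, "active_tenant.roles"))
```

The ValueError branch covers the one ambiguity plain dot notation introduces: a top-level claim whose name already contains a dot would map to the same attribute name as a nested claim.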