Handle roles in nested claim for JWT auth backends

[cwperks]

Description

This PR abstracts the roles_key configuration from jwt-backed auth backends to handle a list as config to get roles within nested claims of a JWT payload.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

Resolves #5343

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 79.48718% with 8 lines in your changes missing coverage. Please review.

Project coverage is 72.14%. Comparing base (a23b35c) to head (be0ce06).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...h/security/auth/http/jwt/HTTPJwtAuthenticator.java	82.75%	3 Missing and 2 partials ⚠️
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	70.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5355      +/-   ##
==========================================
- Coverage   72.15%   72.14%   -0.01%     
==========================================
  Files         382      382              
  Lines       23674    23697      +23     
  Branches     3640     3644       +4     
==========================================
+ Hits        17081    17097      +16     
- Misses       4798     4802       +4     
- Partials     1795     1798       +3     

Files with missing lines	Coverage Δ
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	61.61% <70.00%> (+1.17%)	⬆️
...h/security/auth/http/jwt/HTTPJwtAuthenticator.java	78.83% <82.75%> (-1.50%)	⬇️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Yusuf-Uzun]

Thanks @cwperks for the contribution — I’ve merged your changes into my local cluster and conducted some testing.

Here’s how I configured the roles_key:

roles_key: 
  - test.attributes
  - test.roles

And for roles_mapping:

all_access:
  reserved: false
  backend_roles:
    - "admin"
    - "Administrator"

For reference, this is the structure of my JWT:

test.attributes: {
  "test.roles": ["Administrator"]
}

I verified the assigned permissions using curl, and as shown in the screenshot below, the backend_roles were correctly mapped to Administrator, granting me the all_access role as expected:

curl "https://localhost:9200/_plugins/_security/authinfo" --insecure -H "Authorization: Bearer <jwt_token>"
{"user":"User [name=d2a9567f-6d54-47f0-835f-f0420d27c854, backend_roles=[Administrator],
 requestedTenant=null]","user_name":"d2a9567f-6d54-47f0-835f-f0420d27c854","user_requested_tenant":null,"remote_address":"[::1]:49286","backend_roles":
["Administrator"],"custom_attribute_names":
["attr.jwt.grant_type","attr.jwt.iss","attr.jwt.auth_time","attr.jwt.user_uuid","attr.jwt.given_name","attr.jwt.aud","attr.jwt.ext_attr"
,"attr.jwt.user_name","attr.jwt.user_id","attr.jwt.family_name","attr.jwt.azp","attr.jwt.zid","attr.jwt.scope","attr.jwt.sub","attr.jwt.test.attributes"
,"attr.jwt.client_id","attr.jwt.origin","attr.jwt.exp","attr.jwt.iat","attr.jwt.jti","attr.jwt.cid","attr.jwt.email","attr.jwt.rev_sig"],"roles":
["own_index","all_access"],"tenants":{"global_tenant":true,"admin_tenant":true,"d2a9567f-6d54-47f0-835f-
f0420d27c854":true},"principal":null,"peer_certificates":"0","sso_logout_url":null}

This change works seamlessly 👍

[cwperks]

Thank you for confirming @Yusuf-Uzun !

[willyborankin]

LGTM

[cwperks]

Resolve conflict in CHANGELOG

[shikharj05]

Nice work @cwperks ! thanks :)

[cwperks]

We should take the same approach from this PR to abstract subject_key as well. I see a request from the forums: https://forum.opensearch.org/t/access-nested-fields-in-jwt-token-for-subject-key-roles-key/811/7