OpenId realm supports the authorization_realms setting

[merlixelastic]

Description of the problem including expected versus actual behavior:
This is a documentation issue about OpenID realm not showing authorization_realms setting support.

Steps to reproduce:

In the security settings, the authorization_realms setting is missing from the Open ID connect realm.
I do see the setting 4 times for the following realms: SAML, LDAP, PKI and Kerberos.
This implies this authorization_realms setting is not valid for OpenID realm hence authorization delegation is not supported.

However the role mapping page shows this setting is in fact supported.

• Could we add edit the security settings to add documenation about authorization_realms setting for OpenID?

Provide logs (if relevant):

[elasticmachine]

Pinging @elastic/es-docs (>docs)

[elasticmachine]

Pinging @elastic/es-security (:Security/Authorization)

[lockewritesdocs]

I'm a little perplexed on this one. @merlixelastic is correct that we indicate support in the Configuring role mappings page for OIDC:

3. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

However, in Mapping users and groups to roles, there's a note indicating that:

The PKI, LDAP, Kerberos and SAML realms support using authorization realms as an alternative to role mapping.

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

I'm wondering if the page for Configuring role mappings is incorrect, and we should revise or remove this information around configuring authorization_realms for OIDC:

If your users also exist in a repository that can be directly accessed by Elasticsearch (such as an LDAP directory) then you can use authorization realms instead of role mappings.

In this case, you perform the following steps:

1. In your OpenID Connect realm, assign a claim to act as the lookup userid, by configuring the claims.principal setting.
2. Create a new realm that can lookup users from your local repository (e.g. an ldap realm)
3. In your OpenID Connect realm, set authorization_realms to the name of the realm you created in step 2.

cc: @tvernum and @ywangd, who can provide more perspective.

[jkakavas]

We explicitly don't mention OpenID Connect. The commit that added this note includes "authorization_realm support in the pki, ldap, saml & kerberos realms". Again, I don't see any mention of OpenID Connect, which appears to be deliberate.

This is because we didnt have an openid connect realm back then ( it was introduced in 7.2 )

Openid connect supports authorization realms and we should add the missing setting in the reference page. I just missed to add it when adding the oidc docs the first time around, this was not done on purpose.

[lockewritesdocs]

Ah, thanks for the context @jkakavas! I'll get that setting added 👍