---
title: "Userinfo Response Did Not Contain a sub Claim - How to Resolve This Elasticsearch Exception"
date: 2026-03-21
lastmod: 2026-03-21
description: "The error raised when the ID token received by the Elasticsearch OpenID Connect realm does not contain the sub claim, and how to resolve it"
tags: ["Elasticsearch", "OpenID Connect", "Authentication", "Claims"]
summary: "Version: 7.2-8.9. Briefly, this error occurs when the ID token received by the Elasticsearch OpenID Connect realm does not contain the 'sub' (subject) claim. The 'sub' claim is the user's unique identifier and is required in OpenID Connect. To resolve the issue, check the identity provider (IdP) settings to make sure it includes the 'sub' claim in the ID token. Alternatively, you may need to adjust the claim patterns in the Elasticsearch realm settings so that the claims provided by the IdP are mapped correctly."
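---

> **Version:** 7.2-8.9

Briefly, this error occurs when the ID token received by the Elasticsearch OpenID Connect realm does not contain the "sub" (subject) claim. The "sub" claim is the user's unique identifier and is required in OpenID Connect. To resolve the issue, check the identity provider (IdP) settings to make sure it includes the "sub" claim in the ID token. Alternatively, you may need to adjust the claim patterns in the Elasticsearch realm settings so that the claims provided by the IdP are mapped correctly.

## Log Context

The log "Userinfo Response did not contain a sub Claim" comes from the class [OpenIdConnectAuthenticator.java](https://www.geeksforgeeks.org/java-lang-class-class-java-set-1/). We extracted the following from the Elasticsearch source code for those seeking in-depth context:

```java
/**
 * Validates that the userinfo response contains a sub Claim and that this claim value is the same as the one returned in the ID Token
 */
private void validateUserInfoResponse(JWTClaimsSet userInfoClaims, String expectedSub, ActionListener<JWTClaimsSet> claimsListener) {
    if (userInfoClaims.getSubject().isEmpty()) {
        // First check: the UserInfo response carries no usable sub claim
        claimsListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim"));
    } else if (userInfoClaims.getSubject().equals(expectedSub) == false) {
        // Second check: the UserInfo subject must equal the subject of the ID Token
        claimsListener.onFailure(
            new ElasticsearchSecurityException(
                "Userinfo Response is not valid as it is for " + "subject [{}] while the ID Token was for subject [{}]",
                userInfoClaims.getSubject(),
                expectedSub // second placeholder: the subject from the ID Token
            )
        );
    }
    // The excerpt on the page ends here; the remainder of the method is not shown.
}
```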
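To see which of the two branches in the excerpt a given IdP response would hit, the following added example (not Elasticsearch code and not part of the original page) applies the same two checks offline to an ID token and a UserInfo response body. It assumes the UserInfo response is plain JSON rather than a signed JWT; the function names and sample values are constructed for illustration, and the token payload is decoded without signature verification, so it is for diagnosis only.

```python
import base64
import json


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS, NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return b64url_json(parts[1])


def usable_sub(claims: dict):
    """Return the sub claim if it is a non-empty string, else None."""
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


def check_sub(id_token: str, userinfo_body: str) -> str:
    """Classify the sub claims the way the excerpt's two branches do."""
    expected = usable_sub(jwt_claims(id_token))
    if expected is None:
        return "id_token_missing_sub"
    actual = usable_sub(json.loads(userinfo_body))
    if actual is None:
        return "userinfo_missing_sub"   # "... did not contain a sub Claim"
    if actual != expected:
        return "subject_mismatch"       # "... is not valid as it is for subject ..."
    return "ok"


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    token = make_token({"iss": "https://idp.example", "sub": "user-123"})  # constructed
    for body in ('{"sub": "user-123"}', '{"email": "a@example.com"}', '{"sub": "other"}'):
        print(body, "->", check_sub(token, body))
```

A result of `userinfo_missing_sub` corresponds to the exception discussed on this page; `subject_mismatch` corresponds to the second exception in the excerpt.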