diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
index 086c3a406b6..37a43ff7993 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java
@@ -14,6 +14,7 @@ import org.elasticsearch.script.Script;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.script.ScriptType;
 import org.elasticsearch.script.TemplateScript;
+import org.elasticsearch.script.mustache.MustacheScriptEngine;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.junit.Before;
@@ -25,6 +26,7 @@ import java.util.HashMap;
 import java.util.Map;
 
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
+import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.sameInstance;
 import static org.mockito.Matchers.any;
@@ -80,7 +82,26 @@ public class SecurityQueryTemplateEvaluatorTests extends ESTestCase {
         userModel.put("roles", Arrays.asList(user.roles()));
         userModel.put("metadata", user.metadata());
         assertThat(usedScript.getParams().get("_user"), equalTo(userModel));
+    }
 
+    public void testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata() throws Exception {
+        User user = new User(randomAlphaOfLength(8), generateRandomStringArray(5, 5, false), randomAlphaOfLength(9), "sample@example.com",
+            org.elasticsearch.common.collect.Map.of("oidc(email)", "sample@example.com"), true);
+
+        final MustacheScriptEngine mustache = new MustacheScriptEngine();
+
+        when(scriptService.compile(any(Script.class), eq(TemplateScript.CONTEXT))).thenAnswer(inv -> {
+            assertThat(inv.getArguments(), arrayWithSize(2));
+            Script script = (Script) inv.getArguments()[0];
+            TemplateScript.Factory factory = mustache.compile(
+                script.getIdOrCode(), script.getIdOrCode(), TemplateScript.CONTEXT, script.getOptions());
+            return factory;
+        });
+
+        String template = "{ \"template\" : { \"source\" : {\"term\":{\"field\":\"{{_user.metadata.oidc(email)}}\"}} } }";
+
+        String evaluated = SecurityQueryTemplateEvaluator.evaluateTemplate(template, scriptService, user);
+        assertThat(evaluated, equalTo("{\"term\":{\"field\":\"sample@example.com\"}}"));
     }
 
     public void testSkipTemplating() throws Exception {