diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts index ad7eab76db088..dd4f6820f89f3 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts @@ -42,7 +42,7 @@ describe('OIDCAuthenticationProvider', () => { describe('`login` method', () => { it('redirects third party initiated login attempts to the OpenId Connect Provider.', async () => { - const request = httpServerMock.createKibanaRequest({ path: '/api/security/oidc' }); + const request = httpServerMock.createKibanaRequest({ path: '/api/security/oidc/callback' }); mockOptions.client.callAsInternalUser.withArgs('shield.oidcPrepare').resolves({ state: 'statevalue', @@ -205,13 +205,14 @@ describe('OIDCAuthenticationProvider', () => { describe('authorization code flow', () => { defineAuthenticationFlowTests(() => ({ request: httpServerMock.createKibanaRequest({ - path: '/api/security/oidc?code=somecodehere&state=somestatehere', + path: '/api/security/oidc/callback?code=somecodehere&state=somestatehere', }), attempt: { flow: OIDCAuthenticationFlow.AuthorizationCode, - authenticationResponseURI: '/api/security/oidc?code=somecodehere&state=somestatehere', + authenticationResponseURI: + '/api/security/oidc/callback?code=somecodehere&state=somestatehere', }, - expectedRedirectURI: '/api/security/oidc?code=somecodehere&state=somestatehere', + expectedRedirectURI: '/api/security/oidc/callback?code=somecodehere&state=somestatehere', })); }); @@ -219,7 +220,7 @@ describe('OIDCAuthenticationProvider', () => { defineAuthenticationFlowTests(() => ({ request: httpServerMock.createKibanaRequest({ path: - '/api/security/oidc?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken', + '/api/security/oidc/callback?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken', }), attempt: { flow: OIDCAuthenticationFlow.Implicit, diff --git a/x-pack/plugins/security/server/routes/authentication/oidc.ts b/x-pack/plugins/security/server/routes/authentication/oidc.ts index ee9c2b46ac878..232fdd26f7838 100644 --- a/x-pack/plugins/security/server/routes/authentication/oidc.ts +++ b/x-pack/plugins/security/server/routes/authentication/oidc.ts @@ -23,7 +23,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route /** * The route should be configured as a redirect URI in OP when OpenID Connect implicit flow * is used, so that we can extract authentication response from URL fragment and send it to - * the `/api/security/oidc` route. + * the `/api/security/oidc/callback` route. */ router.get( { @@ -57,7 +57,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route /** * The route that accompanies `/api/security/oidc/implicit` and renders a JavaScript snippet - * that extracts fragment part from the URL and send it to the `/api/security/oidc` route. + * that extracts fragment part from the URL and send it to the `/api/security/oidc/callback` route. * We need this separate endpoint because of default CSP policy that forbids inline scripts. */ router.get( @@ -72,7 +72,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route createCustomResourceResponse( ` window.location.replace( - '${serverBasePath}/api/security/oidc?authenticationResponseURI=' + encodeURIComponent(window.location.href) + '${serverBasePath}/api/security/oidc/callback?authenticationResponseURI=' + encodeURIComponent(window.location.href) ); `, 'text/javascript', @@ -83,7 +83,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route ); // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used. - for (const path of ['/api/security/oidc', '/api/security/v1/oidc']) { + for (const path of ['/api/security/oidc/callback', '/api/security/v1/oidc']) { router.get( { path, @@ -124,7 +124,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route } else if (request.query.code || request.query.error) { if (path === '/api/security/v1/oidc') { logger.warn( - `The "${serverBasePath}${path}" URL is deprecated and will stop working in the next major version, please use "${serverBasePath}/api/security/oidc" URL instead.`, + `The "${serverBasePath}${path}" URL is deprecated and will stop working in the next major version, please use "${serverBasePath}/api/security/oidc/callback" URL instead.`, { tags: ['deprecation'] } ); } diff --git a/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js b/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js index 9556693d2fd7c..57bcd1b041c49 100644 --- a/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js +++ b/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js @@ -125,14 +125,14 @@ export default function({ getService }) { it('should fail if OpenID Connect response is not complemented with handshake cookie', async () => { await supertest - .get(`/api/security/oidc?code=thisisthecode&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=thisisthecode&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .expect(401); }); it('should fail if state is not matching', async () => { await supertest - .get(`/api/security/oidc?code=thisisthecode&state=someothervalue`) + .get(`/api/security/oidc/callback?code=thisisthecode&state=someothervalue`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(401); @@ -140,7 +140,7 @@ export default function({ getService }) { it('should succeed if both the OpenID Connect response and the cookie are provided', async () => { const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(302); @@ -195,7 +195,7 @@ export default function({ getService }) { .expect(200); const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code2&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code2&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(302); @@ -245,7 +245,7 @@ export default function({ getService }) { .expect(200); const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', sessionCookie.cookieString()) .expect(302); @@ -320,7 +320,7 @@ export default function({ getService }) { .expect(200); const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(302); @@ -409,7 +409,7 @@ export default function({ getService }) { .expect(200); const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(302); @@ -499,7 +499,7 @@ export default function({ getService }) { .expect(200); const oidcAuthenticationResponse = await supertest - .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`) + .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`) .set('kbn-xsrf', 'xxx') .set('Cookie', handshakeCookie.cookieString()) .expect(302); diff --git a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts index 0e07f01776713..630ec2792b9bf 100644 --- a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts +++ b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts @@ -66,7 +66,7 @@ export default function({ getService }: FtrProviderContext) { // Check that script that forwards URL fragment worked correctly. expect(dom.window.location.href).to.be( - '/api/security/oidc?authenticationResponseURI=https%3A%2F%2Fkibana.com%2Fapi%2Fsecurity%2Foidc%2Fimplicit%23token%3Dsome_token%26access_token%3Dsome_access_token' + '/api/security/oidc/callback?authenticationResponseURI=https%3A%2F%2Fkibana.com%2Fapi%2Fsecurity%2Foidc%2Fimplicit%23token%3Dsome_token%26access_token%3Dsome_access_token' ); }); @@ -76,7 +76,7 @@ export default function({ getService }: FtrProviderContext) { await supertest .get( - `/api/security/oidc?authenticationResponseURI=${encodeURIComponent( + `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent( authenticationResponse )}` ) @@ -90,7 +90,7 @@ export default function({ getService }: FtrProviderContext) { await supertest .get( - `/api/security/oidc?authenticationResponseURI=${encodeURIComponent( + `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent( authenticationResponse )}` ) @@ -106,7 +106,7 @@ export default function({ getService }: FtrProviderContext) { const oidcAuthenticationResponse = await supertest .get( - `/api/security/oidc?authenticationResponseURI=${encodeURIComponent( + `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent( authenticationResponse )}` ) diff --git a/x-pack/test/oidc_api_integration/config.ts b/x-pack/test/oidc_api_integration/config.ts index 184ccbcdfa691..724ffd35cc9e3 100644 --- a/x-pack/test/oidc_api_integration/config.ts +++ b/x-pack/test/oidc_api_integration/config.ts @@ -32,7 +32,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) { `xpack.security.authc.realms.oidc.oidc1.rp.client_id=0oa8sqpov3TxMWJOt356`, `xpack.security.authc.realms.oidc.oidc1.rp.client_secret=0oa8sqpov3TxMWJOt356`, `xpack.security.authc.realms.oidc.oidc1.rp.response_type=code`, - `xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri=http://localhost:${kibanaPort}/api/security/oidc`, + `xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri=http://localhost:${kibanaPort}/api/security/oidc/callback`, `xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint=https://test-op.elastic.co/oauth2/v1/authorize`, `xpack.security.authc.realms.oidc.oidc1.op.endsession_endpoint=https://test-op.elastic.co/oauth2/v1/endsession`, `xpack.security.authc.realms.oidc.oidc1.op.token_endpoint=http://localhost:${kibanaPort}/api/oidc_provider/token_endpoint`,