From a3063889a28c3fa92b6621a2ec84c58a895307d5 Mon Sep 17 00:00:00 2001
From: Lyudmila Fokina <35386883+BigPandaToo@users.noreply.github.com>
Date: Mon, 16 Nov 2020 19:10:01 +0100
Subject: [PATCH] Adds realm name OIDC `_security/oidc/prepare` and `_security/oidc/authenticate` APIs responses (#64966)
* This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
* This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
* This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
* This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
Co-authored-by: Elastic Machine
---
 .../security/oidc-authenticate-api.asciidoc | 2 +-
 .../oidc-prepare-authentication-api.asciidoc | 19 ++++++++-------
 ...dConnectPrepareAuthenticationResponse.java | 24 +++++++++++++++++--
 .../authc/oidc/OpenIdConnectRealm.java | 2 +-
 .../authc/oidc/OpenIdConnectRealmTests.java | 5 ++++
 5 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
index 14d0f2cf7023d..49315814e1719 100644
--- a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
@@ -58,7 +58,7 @@ be used to authenticate this. Useful when multiple realms have been defined.
 The following example request exchanges the response that was returned from the OpenID Connect Provider after a successful authentication, for an {es} access
-token and refresh token to be used in subsequent requests. This example is from
+token and refresh token to be used in subsequent requests. This example is from
 an authentication that uses the authorization code grant flow.
 [source,console]
diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
index 424ed51742f8f..e4cb6b05d5534 100644
--- a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -3,7 +3,7 @@
 === OpenID Connect Prepare Authentication API
 Creates an oAuth 2.0 authentication request as a URL string based on the
-configuration of the respective OpenID Connect authentication realm in {es}.
+configuration of the respective OpenID Connect authentication realm in {es}.
 [[security-api-oidc-prepare-authentication-request]]
 ==== {api-request-title}
@@ -16,13 +16,13 @@ configuration of the respective OpenID Connect authentication realm in {es}.
 [[security-api-oidc-prepare-authentication-desc]]
 ==== {api-description-title}
-The response of this API is a URL pointing to the Authorization Endpoint of the
-configured OpenID Connect Provider and can be used to redirect the browser of
+The response of this API is a URL pointing to the Authorization Endpoint of the
+configured OpenID Connect Provider and can be used to redirect the browser of
 the user in order to continue the authentication process.
 {es} exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
-OpenID Connect based authentication, but can also be used by other, custom web
+OpenID Connect based authentication, but can also be used by other, custom web
 applications or other clients.
 See also <> and <>.
@@ -81,7 +81,8 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
- "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+ "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+ "realm" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
@@ -109,7 +110,8 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
 "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
- "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
+ "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5",
+ "realm" : "oidc1"
 }
 --------------------------------------------------
@@ -134,8 +136,9 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
- "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+ "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+ "realm" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
-// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
\ No newline at end of file
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
index 34ccabaf0c297..a4462eac4099b 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
@@ -5,6 +5,7 @@
 */
 package org.elasticsearch.xpack.core.security.action.oidc;
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -28,11 +29,16 @@ public class OpenIdConnectPrepareAuthenticationResponse extends ActionResponse i
 * String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
 */
 private String nonce;
+ /*
+ * String value: name of the realm used to perform authentication.
+ */
+ private String realmName;
- public OpenIdConnectPrepareAuthenticationResponse(String authorizationEndpointUrl, String state, String nonce) {
+ public OpenIdConnectPrepareAuthenticationResponse(String authorizationEndpointUrl, String state, String nonce, String realmName) {
 this.authenticationRequestUrl = authorizationEndpointUrl;
 this.state = state;
 this.nonce = nonce;
+ this.realmName = realmName;
 }
 public OpenIdConnectPrepareAuthenticationResponse(StreamInput in) throws IOException {
@@ -40,6 +46,9 @@ public OpenIdConnectPrepareAuthenticationResponse(StreamInput in) throws IOExcep
 authenticationRequestUrl = in.readString();
 state = in.readString();
 nonce = in.readString();
+ if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
+ realmName = in.readString();
+ }
 }
 public String getAuthenticationRequestUrl() {
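Review bot: `realmName` is read with `in.readString()` inside the 7.11 version check, yet the rest of the patch treats the field as nullable: toXContent guards on `realmName != null`, and a response deserialized from a pre-7.11 node leaves it null. The matching `out.writeString(realmName)` in writeTo (next hunk) does not, as far as I can tell, accept a null, so re-serializing such a response towards a 7.11+ node in a mixed-version cluster would fail. Either enforce non-null in the constructor or use the optional variants consistently: `realmName = in.readOptionalString();` here and `out.writeOptionalString(realmName);` in writeTo.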
@@ -54,15 +63,23 @@ public String getNonce() {
 return nonce;
 }
+ public String getRealmName() {
+ return realmName;
+ }
+
 @Override
 public void writeTo(StreamOutput out) throws IOException {
 out.writeString(authenticationRequestUrl);
 out.writeString(state);
 out.writeString(nonce);
+ if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
+ out.writeString(realmName);
+ }
 }
 public String toString() {
- return "{authenticationRequestUrl=" + authenticationRequestUrl + ", state=" + state + ", nonce=" + nonce + "}";
+ return "{authenticationRequestUrl=" + authenticationRequestUrl + ", state=" + state + ", nonce=" +
+ nonce + ", realmName" + realmName + "}";
 }
 @Override
@@ -71,6 +88,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
 builder.field("redirect", authenticationRequestUrl);
 builder.field("state", state);
 builder.field("nonce", nonce);
+ if(realmName != null){
+ builder.field("realm", realmName);
+ }
 builder.endObject();
 return builder;
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
index 2fbdf57ca05fe..e00f466457f94 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
@@ -363,7 +363,7 @@ public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(
 builder.loginHint(loginHint);
 }
 return new OpenIdConnectPrepareAuthenticationResponse(builder.build().toURI().toString(),
- state.getValue(), nonce.getValue());
+ state.getValue(), nonce.getValue(), this.name());
 }
 public boolean isIssuerValid(String issuer) {
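Review bot: The rewritten toString drops the `=` after `realmName`, so the output reads `realmName<value>` while every other field is rendered as `key=value`; the second added line should be `+ nonce + ", realmName=" + realmName + "}";`. While touching this method it would also be consistent with the neighbouring writeTo and toXContent to mark it `@Override`.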
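Review bot: `if(realmName != null){` in toXContent departs from the brace and parenthesis spacing used by the rest of this patch (`if (out.getVersion().onOrAfter(Version.V_7_11_0)) {`); write it as `if (realmName != null) {`. Since this is the one place on the new side that tolerates a missing realm, a short why-comment would help the next reader, e.g. `// null when the response was deserialized from a node older than 7.11`.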
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
index 1f8c291e20005..9db84ca89b3c3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
@@ -269,6 +269,7 @@ public void testBuildRelyingPartyConfigWithoutOpenIdScope() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=scope1+scope2+openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildingAuthenticationRequest() {
@@ -292,6 +293,7 @@ public void testBuildingAuthenticationRequest() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid+scope1+scope2&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuilidingAuthenticationRequestWithDefaultScope() {
@@ -313,6 +315,7 @@ public void testBuilidingAuthenticationRequestWithDefaultScope() {
 final String nonce = response.getNonce();
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildLogoutResponse() throws Exception {
@@ -370,6 +373,7 @@ public void testBuildingAuthenticationRequestWithExistingStateAndNonce() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildingAuthenticationRequestWithLoginHint() {
@@ -394,6 +398,7 @@ public void testBuildingAuthenticationRequestWithLoginHint() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?login_hint=" + thehint + "&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapper roleMapper, boolean notPopulateMetadata,