Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenID Connect realm support #35339

Closed
9 tasks done
jkakavas opened this issue Nov 7, 2018 · 2 comments
Closed
9 tasks done

OpenID Connect realm support #35339

jkakavas opened this issue Nov 7, 2018 · 2 comments
Assignees
@jkakavas
Labels
>feature Meta :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.2.0

Comments

@jkakavas
Copy link
Member

jkakavas commented Nov 7, 2018
edited
Loading

This issue tracks the effort to offer an OpenID Connect authentication realm in Elasticsearch.

Relevant specifications:

Elasticsearch will implement and OpenID Connect Relying Party (RP). The initial idea is that this will be handled in a similar way to the SAML Authentication realm where

  • Elasticsearch will implement all the necessary OpenID Connect related functionality
  • Elasticsearch will expose the necessary REST API endpoints
  • Users will be able to authenticate with OIDC via a facilitator which can be Kibana (in which case the Elastic stack is the RP) or a custom web application
  • At the successful completion of an OIDC flow, Elasticsearch will exchange the OIDC ID token it receives from an OIDC Provider with an Elasticsearch token that can be used to authenticate future requests to Elasticsearch.

Tasks :

  • Support for oAuth2 implicit flow ( as a client )
  • Support for oAuth2 authorization code flow ( as a client )
  • Support client (ES) authentication.
  • Support OP discovery and static OP configuration
  • JWS and JWE support
  • OIDC Rest endpoints for facilitator communication
  • ID token parsing and validation
  • Support for requests to the userinfo endpoint
  • Map claims to attributes ( and thus roles )
  • Submit request for the OpenID Foundation conformance certification
  • Support dynamic registration with an OP
@jkakavas jkakavas added >feature Meta v7.0.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Nov 7, 2018
@jkakavas jkakavas self-assigned this Nov 7, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jkakavas jkakavas mentioned this issue Dec 28, 2018
Merged
@jkakavas jkakavas mentioned this issue Jan 9, 2019
Closed
jkakavas added a commit that referenced this issue Jan 18, 2019
@jkakavas
OpenID Connect Realm base functionality (#37009)
8d54639 
This commit adds

* An OpenID Connect Realm definition
* Necessary OpenID Connect Realm settings to support Authorization code
 grant and Implicit grant flows
* Rest and Transport Action and Request/Response objects for initiating and
 completing the authentication flow
* Functionality for generating OIDC Authentication Request URIs Unit tests

Notably missing (to be handled in subsequent PRs):
* The actual implementation of the authentication flows
* Necessary JW{T,S,E} functionality

Relates: #35339
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jan 20, 2019
@jkakavas
OpenID Connect Realm base functionality (elastic#37009)
63e9e46 
This commit adds

* An OpenID Connect Realm definition
* Necessary OpenID Connect Realm settings to support Authorization code
 grant and Implicit grant flows
* Rest and Transport Action and Request/Response objects for initiating and
 completing the authentication flow
* Functionality for generating OIDC Authentication Request URIs Unit tests

Notably missing (to be handled in subsequent PRs):
* The actual implementation of the authentication flows
* Necessary JW{T,S,E} functionality

Relates: elastic#35339
@jasontedor jasontedor added v8.0.0 and removed v7.0.0 labels Feb 6, 2019
@tvernum tvernum mentioned this issue Apr 9, 2019
Closed
@colings86 colings86 added v7.2.0 and removed v7.2.0 labels Apr 12, 2019
@jkakavas jkakavas added v7.2.0 and removed v8.0.0 labels Apr 15, 2019
@jakelandis jakelandis added v7.3.0 and removed v7.2.0 labels Jun 17, 2019
@jkakavas jkakavas added v7.2.0 and removed v7.3.0 labels Jun 27, 2019
@jkakavas
Copy link
Member Author

Implemented in #40674

@codebrain codebrain mentioned this issue Jul 11, 2019
Closed
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkakavas jkakavas

Labels
>feature Meta :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.2.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@colings86 @jakelandis @jasontedor @jkakavas @elasticmachine