Adding authentication information to access token create APIs

Adding authentication object to following APIs:
/_security/oauth2/token
/_security/delegate_pki
/_security/saml/authenticate
/_security/oidc/authenticate

Resolves: elastic#59685

Author: BigPandaToo

client/rest-high-level/src/test/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponseTests.java

@@ -37,7 +37,7 @@ public class DelegatePkiAuthenticationResponseTests extends
     protected org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse createServerTestInstance(
         XContentType xContentType) {
         return new org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse(randomAlphaOfLength(6),
-                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"));
+                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"), null);
     }
 
     @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/DelegatePkiAuthenticationResponse.java

@@ -14,6 +14,7 @@
 import org.elasticsearch.common.xcontent.ConstructingObjectParser;
 import org.elasticsearch.common.xcontent.ToXContentObject;
 import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -26,6 +27,7 @@ public final class DelegatePkiAuthenticationResponse extends ActionResponse impl
     private static final ParseField ACCESS_TOKEN_FIELD = new ParseField("access_token");
     private static final ParseField TYPE_FIELD = new ParseField("type");
     private static final ParseField EXPIRES_IN_FIELD = new ParseField("expires_in");
+    private static final ParseField AUTHENTICATION = new ParseField("authentication");
 
     public static final ConstructingObjectParser<DelegatePkiAuthenticationResponse, Void> PARSER = new ConstructingObjectParser<>(
             "delegate_pki_response", true, a -> {
@@ -35,30 +37,35 @@ public final class DelegatePkiAuthenticationResponse extends ActionResponse impl
                     throw new IllegalArgumentException("Unknown token type [" + type + "], only [Bearer] type permitted");
                 }
                 final Long expiresIn = (Long) a[2];
-                return new DelegatePkiAuthenticationResponse(accessToken, TimeValue.timeValueSeconds(expiresIn));
+                final Authentication authentication = (Authentication) a[3];
+                return new DelegatePkiAuthenticationResponse(accessToken, TimeValue.timeValueSeconds(expiresIn), authentication);
             });
 
     static {
         PARSER.declareString(ConstructingObjectParser.constructorArg(), ACCESS_TOKEN_FIELD);
         PARSER.declareString(ConstructingObjectParser.constructorArg(), TYPE_FIELD);
         PARSER.declareLong(ConstructingObjectParser.constructorArg(), EXPIRES_IN_FIELD);
+        PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), AUTHENTICATION);
     }
 
     private String accessToken;
     private TimeValue expiresIn;
+    private Authentication authentication;
 
     DelegatePkiAuthenticationResponse() { }
 
-    public DelegatePkiAuthenticationResponse(String accessToken, TimeValue expiresIn) {
+    public DelegatePkiAuthenticationResponse(String accessToken, TimeValue expiresIn, Authentication authentication) {
         this.accessToken = Objects.requireNonNull(accessToken);
         // always store expiration in seconds because this is how we "serialize" to JSON and we need to parse back
         this.expiresIn = TimeValue.timeValueSeconds(Objects.requireNonNull(expiresIn).getSeconds());
+        this.authentication = authentication;
     }
 
     public DelegatePkiAuthenticationResponse(StreamInput input) throws IOException {
         super(input);
         accessToken = input.readString();
         expiresIn = input.readTimeValue();
+        authentication = null;
     }
 
     public String getAccessToken() {
@@ -91,10 +98,13 @@ public int hashCode() {
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
-        builder.startObject()
-            .field(ACCESS_TOKEN_FIELD.getPreferredName(), accessToken)
-            .field(TYPE_FIELD.getPreferredName(), "Bearer")
-            .field(EXPIRES_IN_FIELD.getPreferredName(), expiresIn.getSeconds());
+        builder.startObject();
+        builder.field(ACCESS_TOKEN_FIELD.getPreferredName(), accessToken);
+        builder.field(TYPE_FIELD.getPreferredName(), "Bearer");
+        builder.field(EXPIRES_IN_FIELD.getPreferredName(), expiresIn.getSeconds());
+        if (authentication != null) {
+            builder.field(AUTHENTICATION.getPreferredName(), authentication);
+        }
         return builder.endObject();
     }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java

@@ -9,6 +9,7 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
 
 import java.io.IOException;
 
@@ -17,12 +18,15 @@ public class OpenIdConnectAuthenticateResponse extends ActionResponse {
     private String accessTokenString;
     private String refreshTokenString;
     private TimeValue expiresIn;
+    private Authentication authentication;
 
-    public OpenIdConnectAuthenticateResponse(String principal, String accessTokenString, String refreshTokenString, TimeValue expiresIn) {
+    public OpenIdConnectAuthenticateResponse(Authentication authentication, String accessTokenString, String refreshTokenString,
+                                             TimeValue expiresIn) {
         this.principal = principal;
         this.accessTokenString = accessTokenString;
         this.refreshTokenString = refreshTokenString;
         this.expiresIn = expiresIn;
+        this.authentication = authentication;
     }
 
     public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
@@ -31,6 +35,7 @@ public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
         accessTokenString = in.readString();
         refreshTokenString = in.readString();
         expiresIn = in.readTimeValue();
+        authentication = null;
     }
 
     public String getPrincipal() {
@@ -49,6 +54,8 @@ public TimeValue getExpiresIn() {
         return expiresIn;
     }
 
+    public Authentication getAuthentication() { return authentication; }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(principal);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
 
 import java.io.IOException;
 
@@ -24,6 +25,7 @@ public final class SamlAuthenticateResponse extends ActionResponse {
     private String refreshToken;
     private String realm;
     private TimeValue expiresIn;
+    private Authentication authentication;
 
     public SamlAuthenticateResponse(StreamInput in) throws IOException {
         super(in);
@@ -34,14 +36,16 @@ public SamlAuthenticateResponse(StreamInput in) throws IOException {
         tokenString = in.readString();
         refreshToken = in.readString();
         expiresIn = in.readTimeValue();
+        authentication = null;
     }
 
-    public SamlAuthenticateResponse(String principal, String realm, String tokenString, String refreshToken, TimeValue expiresIn) {
-        this.principal = principal;
-        this.realm = realm;
+    public SamlAuthenticateResponse(Authentication authentication, String tokenString, String refreshToken, TimeValue expiresIn) {
+        this.principal = authentication.getUser().principal();
+        this.realm = authentication.getAuthenticatedBy().getName();
         this.tokenString = tokenString;
         this.refreshToken = refreshToken;
         this.expiresIn = expiresIn;
+        this.authentication = authentication;
     }
 
     public String getPrincipal() {
@@ -64,6 +68,8 @@ public TimeValue getExpiresIn() {
         return expiresIn;
     }
 
+    public Authentication getAuthentication() { return authentication; }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(principal);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenResponse.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.ToXContentObject;
 import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -27,6 +28,7 @@ public final class CreateTokenResponse extends ActionResponse implements ToXCont
     private String scope;
     private String refreshToken;
     private String kerberosAuthenticationResponseToken;
+    private Authentication authentication;
 
     CreateTokenResponse() {}
 
@@ -40,12 +42,13 @@ public CreateTokenResponse(StreamInput in) throws IOException {
     }
 
     public CreateTokenResponse(String tokenString, TimeValue expiresIn, String scope, String refreshToken,
-                               String kerberosAuthenticationResponseToken) {
+                               String kerberosAuthenticationResponseToken, Authentication authentication) {
         this.tokenString = Objects.requireNonNull(tokenString);
         this.expiresIn = Objects.requireNonNull(expiresIn);
         this.scope = scope;
         this.refreshToken = refreshToken;
         this.kerberosAuthenticationResponseToken = kerberosAuthenticationResponseToken;
+        this.authentication = authentication;
     }
 
     public String getTokenString() {
@@ -93,6 +96,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         if (kerberosAuthenticationResponseToken != null) {
             builder.field("kerberos_authentication_response_token", kerberosAuthenticationResponseToken);
         }
+        if (authentication != null) {
+            builder.field("authentication", authentication);
+        }
         return builder.endObject();
     }
 

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/action/DelegatePkiAuthenticationResponseTests.java

@@ -35,7 +35,7 @@ public void testSerialization() throws Exception {
     @Override
     protected DelegatePkiAuthenticationResponse createTestInstance() {
         return new DelegatePkiAuthenticationResponse(randomAlphaOfLengthBetween(0, 10),
-                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"));
+                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"), null);
     }
 
     @Override

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenResponseTests.java

@@ -14,7 +14,8 @@ public class CreateTokenResponseTests extends ESTestCase {
 
     public void testSerialization() throws Exception {
         CreateTokenResponse response = new CreateTokenResponse(randomAlphaOfLengthBetween(1, 10), TimeValue.timeValueMinutes(20L),
-            randomBoolean() ? null : "FULL", randomAlphaOfLengthBetween(1, 10), randomBoolean() ? null :randomAlphaOfLengthBetween(1, 10));
+            randomBoolean() ? null : "FULL", randomAlphaOfLengthBetween(1, 10), randomBoolean() ? null :randomAlphaOfLengthBetween(1, 10),
+            null);
         try (BytesStreamOutput output = new BytesStreamOutput()) {
             response.writeTo(output);
             try (StreamInput input = output.bytes().streamInput()) {
@@ -24,7 +25,7 @@ public void testSerialization() throws Exception {
         }
 
         response = new CreateTokenResponse(randomAlphaOfLengthBetween(1, 10), TimeValue.timeValueMinutes(20L),
-            randomBoolean() ? null : "FULL", null, null);
+            randomBoolean() ? null : "FULL", null, null, null);
         try (BytesStreamOutput output = new BytesStreamOutput()) {
             response.writeTo(output);
             try (StreamInput input = output.bytes().streamInput()) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/TransportDelegatePkiAuthenticationAction.java

@@ -84,7 +84,7 @@ protected void doExecute(Task task, DelegatePkiAuthenticationRequest request,
                         tokenService.createOAuth2Tokens(authentication, delegateeAuthentication, Map.of(), false,
                                 ActionListener.wrap(tuple -> {
                                     final TimeValue expiresIn = tokenService.getExpirationDelay();
-                                    listener.onResponse(new DelegatePkiAuthenticationResponse(tuple.v1(), expiresIn));
+                                    listener.onResponse(new DelegatePkiAuthenticationResponse(tuple.v1(), expiresIn, authentication));
                                 }, listener::onFailure));
                     }, e -> {
                         logger.debug((Supplier<?>) () -> new ParameterizedMessage("Delegated x509Token [{}] could not be authenticated",

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java

@@ -74,8 +74,7 @@ protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request,
                     tokenService.createOAuth2Tokens(authentication, originatingAuthentication, tokenMetadata, true,
                         ActionListener.wrap(tuple -> {
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
-                            listener.onResponse(new OpenIdConnectAuthenticateResponse(authentication.getUser().principal(), tuple.v1(),
-                                tuple.v2(), expiresIn));
+                            listener.onResponse(new OpenIdConnectAuthenticateResponse(authentication, tuple.v1(), tuple.v2(), expiresIn));
                         }, listener::onFailure));
                 }, e -> {
                     logger.debug(() -> new ParameterizedMessage("OpenIDConnectToken [{}] could not be authenticated", token), e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java

@@ -68,8 +68,7 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
                         tokenMeta, true, ActionListener.wrap(tuple -> {
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
                             listener.onResponse(
-                                new SamlAuthenticateResponse(authentication.getUser().principal(),
-                                    authentication.getAuthenticatedBy().getName(), tuple.v1(), tuple.v2(), expiresIn));
+                                new SamlAuthenticateResponse(authentication, tuple.v1(), tuple.v2(), expiresIn));
                         }, listener::onFailure));
             }, e -> {
                 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java

@@ -135,7 +135,7 @@ private void createToken(GrantType grantType, CreateTokenRequest request, Authen
                     final String scope = getResponseScopeValue(request.getScope());
                     final String base64AuthenticateResponse = (grantType == GrantType.KERBEROS) ? extractOutToken() : null;
                     final CreateTokenResponse response = new CreateTokenResponse(tuple.v1(), tokenService.getExpirationDelay(), scope,
-                            tuple.v2(), base64AuthenticateResponse);
+                            tuple.v2(), base64AuthenticateResponse, authentication);
                     listener.onResponse(response);
                 }, listener::onFailure));
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/token/TransportRefreshTokenAction.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.action.token.CreateTokenRequest;
 import org.elasticsearch.xpack.core.security.action.token.CreateTokenResponse;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
@@ -21,19 +22,23 @@
 public class TransportRefreshTokenAction extends HandledTransportAction<CreateTokenRequest, CreateTokenResponse> {
 
     private final TokenService tokenService;
+    private final SecurityContext securityContext;
 
     @Inject
-    public TransportRefreshTokenAction(TransportService transportService, ActionFilters actionFilters, TokenService tokenService) {
+    public TransportRefreshTokenAction(TransportService transportService, ActionFilters actionFilters, TokenService tokenService,
+                                       SecurityContext securityContext) {
         super(RefreshTokenAction.NAME, transportService, actionFilters, CreateTokenRequest::new);
         this.tokenService = tokenService;
+        this.securityContext = securityContext;
     }
 
     @Override
     protected void doExecute(Task task, CreateTokenRequest request, ActionListener<CreateTokenResponse> listener) {
         tokenService.refreshToken(request.getRefreshToken(), ActionListener.wrap(tuple -> {
             final String scope = getResponseScopeValue(request.getScope());
             final CreateTokenResponse response =
-                    new CreateTokenResponse(tuple.v1(), tokenService.getExpirationDelay(), scope, tuple.v2(), null);
+                    new CreateTokenResponse(tuple.v1(), tokenService.getExpirationDelay(), scope, tuple.v2(), null,
+                        securityContext.getAuthentication());
             listener.onResponse(response);
         }, listener::onFailure));
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java

@@ -63,12 +63,15 @@ protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClien
                     @Override
                     public RestResponse buildResponse(OpenIdConnectAuthenticateResponse response, XContentBuilder builder)
                         throws Exception {
-                        builder.startObject()
-                            .field("username", response.getPrincipal())
-                            .field("access_token", response.getAccessTokenString())
-                            .field("refresh_token", response.getRefreshTokenString())
-                            .field("expires_in", response.getExpiresIn().seconds())
-                            .endObject();
+                        builder.startObject();
+                        builder.field("username", response.getPrincipal());
+                        builder.field("access_token", response.getAccessTokenString());
+                        builder.field("refresh_token", response.getRefreshTokenString());
+                        builder.field("expires_in", response.getExpiresIn().seconds());
+                        if (response.getAuthentication() != null){
+                            builder.field("authentication", response.getAuthentication());
+                        }
+                        builder.endObject();
                         return new BytesRestResponse(RestStatus.OK, builder);
                     }
                 });

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java

@@ -95,13 +95,16 @@ public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient c
                 requestBuilder.execute(new RestBuilderListener<>(channel) {
                     @Override
                     public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBuilder builder) throws Exception {
-                        builder.startObject()
-                                .field("username", response.getPrincipal())
-                                .field("realm", response.getRealm())
-                                .field("access_token", response.getTokenString())
-                                .field("refresh_token", response.getRefreshToken())
-                                .field("expires_in", response.getExpiresIn().seconds())
-                                .endObject();
+                        builder.startObject();
+                        builder.field("username", response.getPrincipal());
+                        builder.field("realm", response.getRealm());
+                        builder.field("access_token", response.getTokenString());
+                        builder.field("refresh_token", response.getRefreshToken());
+                        builder.field("expires_in", response.getExpiresIn().seconds());
+                        if (response.getAuthentication() != null){
+                            builder.field("authentication", response.getAuthentication());
+                        }
+                        builder.endObject();
                         return new BytesRestResponse(RestStatus.OK, builder);
                     }
                 });