Finalizes logout support

Implements RP initiated SLO as described in OpenID Connect Session
Management 1.0 Draft 38
https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutRequest.java

@@ -13,7 +13,6 @@
 import org.elasticsearch.common.io.stream.StreamOutput;
 
 import java.io.IOException;
-import java.io.InputStream;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java

@@ -47,6 +47,15 @@ private OpenIdConnectRealmSettings() {
                 throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
             }
         }, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<String> RP_POST_LOGOUT_REDIRECT_URI
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.post_logout_redirect_uri",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> RP_RESPONSE_TYPE
         = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.response_type",
         key -> Setting.simpleString(key, v -> {
@@ -141,9 +150,9 @@ private OpenIdConnectRealmSettings() {
     public static Set<Setting.AffixSetting<?>> getSettings() {
         final Set<Setting.AffixSetting<?>> set = Sets.newHashSet(
             RP_CLIENT_ID, RP_REDIRECT_URI, RP_RESPONSE_TYPE, RP_REQUESTED_SCOPES, RP_CLIENT_SECRET, RP_SIGNATURE_VERIFICATION_ALGORITHM,
-            OP_NAME, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT, OP_ENDSESSION_ENDPOINT, OP_ISSUER,
-            OP_JWKSET_PATH, HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT, HTTP_MAX_CONNECTIONS,
-            HTTP_MAX_ENDPOINT_CONNECTIONS, ALLOWED_CLOCK_SKEW);
+            RP_POST_LOGOUT_REDIRECT_URI, OP_NAME, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT,
+            OP_ENDSESSION_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH, HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT,
+            HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS, ALLOWED_CLOCK_SKEW);
         set.addAll(DelegatedAuthorizationSettings.getSettings(TYPE));
         set.addAll(RealmSettings.getStandardSettings(TYPE));
         set.addAll(SSLConfigurationSettings.getRealmSettings(TYPE));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutAction.java

@@ -5,6 +5,8 @@
  */
 package org.elasticsearch.xpack.security.action.oidc;
 
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchSecurityException;
@@ -22,11 +24,14 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
+import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.TokenService;
 import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm;
 
 import java.io.IOException;
+import java.text.ParseException;
+import java.util.Map;
 
 /**
  * Transport action responsible for generating an OpenID connect logout request to be sent to an OpenID Connect Provider
@@ -53,7 +58,8 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
                 final String token = request.getToken();
                 tokenService.getAuthenticationAndMetaData(token, ActionListener.wrap(
                     tuple -> {
-                        Authentication authentication = tuple.v1();
+                        final Authentication authentication = tuple.v1();
+                        final Map<String, Object> tokenMetadata = tuple.v2();
                         tokenService.invalidateAccessToken(token, ActionListener.wrap(
                             result -> {
                                 if (logger.isTraceEnabled()) {
@@ -62,7 +68,7 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
                                         token.substring(0, 8),
                                         token.substring(token.length() - 8));
                                 }
-                                OpenIdConnectLogoutResponse response = buildResponse(authentication);
+                                OpenIdConnectLogoutResponse response = buildResponse(authentication, tokenMetadata);
                                 listener.onResponse(response);
                             }, listener::onFailure)
                         );
@@ -74,22 +80,62 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
         }, listener::onFailure));
     }
 
-    private OpenIdConnectLogoutResponse buildResponse(Authentication authentication) {
+    private OpenIdConnectLogoutResponse buildResponse(Authentication authentication, Map<String, Object> tokenMetadata) {
+        validateAuthenticationAndMetadata(authentication, tokenMetadata);
+        final String idTokenHint = (String) getFromMetadata(tokenMetadata, "id_token_hint");
+        final Realm realm = this.realms.realm(authentication.getAuthenticatedBy().getName());
+        final JWT idToken;
+        try {
+            idToken = JWTParser.parse(idTokenHint);
+        } catch (ParseException e) {
+            throw new ElasticsearchSecurityException("Token Metadata did not contain a valid IdToken", e);
+        }
+        return ((OpenIdConnectRealm) realm).buildLogoutResponse(idToken);
+    }
+
+    private void validateAuthenticationAndMetadata(Authentication authentication, Map<String, Object> tokenMetadata) {
+        if (tokenMetadata == null) {
+            throw new ElasticsearchSecurityException("Authentication did not contain metadata");
+        }
+        if (authentication == null) {
+            throw new ElasticsearchSecurityException("No active authentication");
+        }
+        final User user = authentication.getUser();
+        if (user == null) {
+            throw new ElasticsearchSecurityException("No active user");
+        }
+
         final Authentication.RealmRef ref = authentication.getAuthenticatedBy();
         if (ref == null || Strings.isNullOrEmpty(ref.getName())) {
-            throw new ElasticsearchSecurityException("Authentication {} has no authenticating realm", authentication);
+            throw new ElasticsearchSecurityException("Authentication {} has no authenticating realm",
+                authentication);
         }
         final Realm realm = this.realms.realm(authentication.getAuthenticatedBy().getName());
         if (realm == null) {
             throw new ElasticsearchSecurityException("Authenticating realm {} does not exist", ref.getName());
         }
-        if (realm instanceof OpenIdConnectRealm) {
-            return ((OpenIdConnectRealm) realm).buildLogoutResponse();
-        } else {
-            throw new ElasticsearchSecurityException("Authenticating realm {} is not a SAML realm", realm);
+        if (realm instanceof OpenIdConnectRealm == false) {
+            throw new ElasticsearchSecurityException("Authenticating realm {} is not an OpenID Connect realm",
+                realm);
+        }
+        final Object tokenRealm = getFromMetadata(tokenMetadata, "oidc_realm");
+        if (realm.name().equals(tokenRealm) == false) {
+            throw new ElasticsearchSecurityException("Authenticating realm [{}] does not match token realm [{}]", realm, tokenRealm);
         }
     }
 
+    private Object getFromMetadata(Map<String, Object> metadata, String key) {
+        if (metadata.containsKey(key) == false) {
+            throw new ElasticsearchSecurityException("Authentication token does not have OpenID Connect metadata [{}]", key);
+        }
+        Object value = metadata.get(key);
+        if (null != value && value instanceof String == false) {
+            throw new ElasticsearchSecurityException("In authentication token, OpenID Connect metadata [{}] is [{}] rather than " +
+                "String", key, value.getClass());
+        }
+        return value;
+
+    }
     private void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener) {
         if (refreshToken == null) {
             listener.onResponse(null);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java

@@ -219,10 +219,15 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
             if (logger.isTraceEnabled()) {
                 logger.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims);
             }
+            // Add the Id Token string as a synthetic claim
+            final JSONObject verifiedIdTokenClaimsObject = verifiedIdTokenClaims.toJSONObject();
+            final JWTClaimsSet idTokenClaim = new JWTClaimsSet.Builder().claim("id_token_hint", idToken.serialize()).build();
+            verifiedIdTokenClaimsObject.merge(idTokenClaim.toJSONObject());
+            final JWTClaimsSet enrichedVerifiedIdTokenClaims = JWTClaimsSet.parse(verifiedIdTokenClaimsObject);
             if (accessToken != null && opConfig.getUserinfoEndpoint() != null) {
-                getAndCombineUserInfoClaims(accessToken, verifiedIdTokenClaims, claimsListener);
+                getAndCombineUserInfoClaims(accessToken, enrichedVerifiedIdTokenClaims, claimsListener);
             } else {
-                claimsListener.onResponse(verifiedIdTokenClaims);
+                claimsListener.onResponse(enrichedVerifiedIdTokenClaims);
             }
         } catch (BadJOSEException e) {
             // We only try to update the cached JWK set once if a remote source is used and
@@ -241,7 +246,7 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
             } else {
                 claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
             }
-        } catch (com.nimbusds.oauth2.sdk.ParseException | JOSEException e) {
+        } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException | JOSEException e) {
             claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
         }
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectProviderConfiguration.java

@@ -19,12 +19,12 @@ public class OpenIdConnectProviderConfiguration {
     private final URI authorizationEndpoint;
     private final URI tokenEndpoint;
     private final URI userinfoEndpoint;
-    private final URI endsessionEndpoint;;
+    private final URI endsessionEndpoint;
     private final Issuer issuer;
     private final String jwkSetPath;
 
     public OpenIdConnectProviderConfiguration(String providerName, Issuer issuer, String jwkSetPath, URI authorizationEndpoint,
-                                              URI tokenEndpoint, @Nullable URI userinfoEndpoint, @Nullable URI endsessionEndpoint;) {
+                                              URI tokenEndpoint, @Nullable URI userinfoEndpoint, @Nullable URI endsessionEndpoint) {
         this.providerName = Objects.requireNonNull(providerName, "OP Name must be provided");
         this.authorizationEndpoint = Objects.requireNonNull(authorizationEndpoint, "Authorization Endpoint must be provided");
         this.tokenEndpoint = Objects.requireNonNull(tokenEndpoint, "Token Endpoint must be provided");

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.security.authc.oidc;
 
 import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 
 import com.nimbusds.oauth2.sdk.ParseException;
@@ -15,6 +16,7 @@
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.oauth2.sdk.id.State;
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
+import com.nimbusds.openid.connect.sdk.LogoutRequest;
 import com.nimbusds.openid.connect.sdk.Nonce;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
@@ -73,6 +75,7 @@
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.PRINCIPAL_CLAIM;
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_CLIENT_ID;
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_CLIENT_SECRET;
+import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_POST_LOGOUT_REDIRECT_URI;
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_REDIRECT_URI;
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_RESPONSE_TYPE;
 import static org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings.RP_REQUESTED_SCOPES;
@@ -180,8 +183,21 @@ private void buildUserFromClaims(JWTClaimsSet claims, ActionListener<Authenticat
             return;
         }
 
+        final Map<String, Object> tokenMetadata = new HashMap<>();
+        tokenMetadata.put("id_token_hint", claims.getClaim("id_token_hint"));
+        tokenMetadata.put("oidc_realm", this.name());
+        ActionListener<AuthenticationResult> wrappedAuthResultListener = ActionListener.wrap(auth -> {
+            if (auth.isAuthenticated()) {
+                // Add the ID Token as metadata on the authentication, so that it can be used for logout requests
+                Map<String, Object> metadata = new HashMap<>(auth.getMetadata());
+                metadata.put(CONTEXT_TOKEN_DATA, tokenMetadata);
+                auth = AuthenticationResult.success(auth.getUser(), metadata);
+            }
+            authResultListener.onResponse(auth);
+        }, authResultListener::onFailure);
+
         if (delegatedRealms.hasDelegation()) {
-            delegatedRealms.resolve(principal, authResultListener);
+            delegatedRealms.resolve(principal, wrappedAuthResultListener);
             return;
         }
 
@@ -206,8 +222,8 @@ private void buildUserFromClaims(JWTClaimsSet claims, ActionListener<Authenticat
         UserRoleMapper.UserData userData = new UserRoleMapper.UserData(principal, dn, groups, userMetadata, config);
         roleMapper.resolveRoles(userData, ActionListener.wrap(roles -> {
             final User user = new User(principal, roles.toArray(Strings.EMPTY_ARRAY), name, mail, userMetadata, true);
-            authResultListener.onResponse(AuthenticationResult.success(user));
-        }, authResultListener::onFailure));
+            wrappedAuthResultListener.onResponse(AuthenticationResult.success(user));
+        }, wrappedAuthResultListener::onFailure));
 
     }
 
@@ -220,6 +236,14 @@ private RelyingPartyConfiguration buildRelyingPartyConfiguration(RealmConfig con
             // This should never happen as it's already validated in the settings
             throw new SettingsException("Invalid URI:" + RP_REDIRECT_URI.getKey(), e);
         }
+        final String postLogoutRedirectUriString = config.getSetting(RP_POST_LOGOUT_REDIRECT_URI);
+        final URI postLogoutRedirectUri;
+        try {
+            postLogoutRedirectUri = new URI(postLogoutRedirectUriString);
+        } catch (URISyntaxException e) {
+            // This should never happen as it's already validated in the settings
+            throw new SettingsException("Invalid URI:" + RP_POST_LOGOUT_REDIRECT_URI.getKey(), e);
+        }
         final ClientID clientId = new ClientID(require(config, RP_CLIENT_ID));
         final SecureString clientSecret = config.getSetting(RP_CLIENT_SECRET);
         final ResponseType responseType;
@@ -237,7 +261,7 @@ private RelyingPartyConfiguration buildRelyingPartyConfiguration(RealmConfig con
         final JWSAlgorithm signatureVerificationAlgorithm = JWSAlgorithm.parse(require(config, RP_SIGNATURE_VERIFICATION_ALGORITHM));
 
         return new RelyingPartyConfiguration(clientId, clientSecret, redirectUri, responseType, requestedScope,
-            signatureVerificationAlgorithm);
+            signatureVerificationAlgorithm, postLogoutRedirectUri);
     }
 
     private OpenIdConnectProviderConfiguration buildOpenIdConnectProviderConfiguration(RealmConfig config) {
@@ -313,8 +337,11 @@ public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(
             state.getValue(), nonce.getValue());
     }
 
-    public OpenIdConnectLogoutResponse buildLogoutResponse() {
-        return new OpenIdConnectLogoutResponse(opConfiguration.getEndsessionEndpoint());
+    public OpenIdConnectLogoutResponse buildLogoutResponse(JWT idTokenHint) {
+        final State state = new State();
+        final LogoutRequest logoutRequest = new LogoutRequest(opConfiguration.getEndsessionEndpoint(), idTokenHint,
+            rpConfiguration.getPostLogoutRedirectUri(), state);
+        return new OpenIdConnectLogoutResponse(logoutRequest.toURI().toString());
     }
 
     @Override

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/RelyingPartyConfiguration.java

@@ -9,6 +9,7 @@
 import com.nimbusds.oauth2.sdk.ResponseType;
 import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.id.ClientID;
+import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.settings.SecureString;
 
 import java.net.URI;
@@ -24,16 +25,17 @@ public class RelyingPartyConfiguration {
     private final ResponseType responseType;
     private final Scope requestedScope;
     private final JWSAlgorithm signatureAlgorithm;
+    private final URI postLogoutRedirectUri;
 
     public RelyingPartyConfiguration(ClientID clientId, SecureString clientSecret, URI redirectUri, ResponseType responseType,
-                                     Scope requestedScope,
-                                     JWSAlgorithm algorithm) {
+                                     Scope requestedScope, JWSAlgorithm algorithm, @Nullable URI postLogoutRedirectUri) {
         this.clientId = Objects.requireNonNull(clientId, "clientId must be provided");
         this.clientSecret = Objects.requireNonNull(clientSecret, "clientSecret must be provided");
         this.redirectUri = Objects.requireNonNull(redirectUri, "redirectUri must be provided");
         this.responseType = Objects.requireNonNull(responseType, "responseType must be provided");
         this.requestedScope = Objects.requireNonNull(requestedScope, "responseType must be provided");
         this.signatureAlgorithm = Objects.requireNonNull(algorithm, "algorithm must be provided");
+        this.postLogoutRedirectUri = postLogoutRedirectUri;
     }
 
     public ClientID getClientId() {
@@ -59,4 +61,8 @@ public Scope getRequestedScope() {
     public JWSAlgorithm getSignatureAlgorithm() {
         return signatureAlgorithm;
     }
+
+    public URI getPostLogoutRedirectUri() {
+        return postLogoutRedirectUri;
+    }
 }