Support RP initated single log out (#38475)

https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutAction.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.Action;
+import org.elasticsearch.common.io.stream.Writeable;
+
+public class OpenIdConnectLogoutAction extends Action<OpenIdConnectLogoutResponse> {
+
+    public static final OpenIdConnectLogoutAction INSTANCE = new OpenIdConnectLogoutAction();
+    public static final String NAME = "cluster:admin/xpack/security/oidc/logout";
+
+    private OpenIdConnectLogoutAction() {
+        super(NAME);
+    }
+
+    @Override
+    public OpenIdConnectLogoutResponse newResponse() {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public Writeable.Reader<OpenIdConnectLogoutResponse> getResponseReader() {
+        return OpenIdConnectLogoutResponse::new;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutRequest.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+public final class OpenIdConnectLogoutRequest extends ActionRequest {
+
+    private String token;
+    @Nullable
+    private String refreshToken;
+
+    public OpenIdConnectLogoutRequest() {
+
+    }
+
+    public OpenIdConnectLogoutRequest(StreamInput in) throws IOException {
+        super.readFrom(in);
+        token = in.readString();
+        refreshToken = in.readOptionalString();
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(token)) {
+            validationException = addValidationError("token is missing", validationException);
+        }
+        return validationException;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+
+    public void setRefreshToken(String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(token);
+        out.writeOptionalString(refreshToken);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutResponse.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+public final class OpenIdConnectLogoutResponse extends ActionResponse {
+
+    private String endSessionUrl;
+
+    public OpenIdConnectLogoutResponse(StreamInput in) throws IOException {
+        super.readFrom(in);
+        this.endSessionUrl = in.readString();
+    }
+
+    public OpenIdConnectLogoutResponse(String endSessionUrl) {
+        this.endSessionUrl = endSessionUrl;
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(endSessionUrl);
+    }
+
+    public String toString() {
+        return "{endSessionUrl=" + endSessionUrl + "}";
+    }
+
+    public String getEndSessionUrl() {
+        return endSessionUrl;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java

@@ -47,6 +47,15 @@ private OpenIdConnectRealmSettings() {
                 throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
             }
         }, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<String> RP_POST_LOGOUT_REDIRECT_URI
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.post_logout_redirect_uri",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> RP_RESPONSE_TYPE
         = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.response_type",
         key -> Setting.simpleString(key, v -> {
@@ -95,6 +104,15 @@ private OpenIdConnectRealmSettings() {
                 throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
             }
         }, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<String> OP_ENDSESSION_ENDPOINT
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "op.endsession_endpoint",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> OP_ISSUER
         = RealmSettings.simpleString(TYPE, "op.issuer", Setting.Property.NodeScope);
     public static final Setting.AffixSetting<String> OP_JWKSET_PATH
@@ -132,9 +150,9 @@ private OpenIdConnectRealmSettings() {
     public static Set<Setting.AffixSetting<?>> getSettings() {
         final Set<Setting.AffixSetting<?>> set = Sets.newHashSet(
             RP_CLIENT_ID, RP_REDIRECT_URI, RP_RESPONSE_TYPE, RP_REQUESTED_SCOPES, RP_CLIENT_SECRET, RP_SIGNATURE_ALGORITHM,
-            OP_NAME, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH,
-            HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT, HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS,
-            ALLOWED_CLOCK_SKEW);
+            RP_POST_LOGOUT_REDIRECT_URI, OP_NAME, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT,
+            OP_ENDSESSION_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH, HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT,
+            HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS, ALLOWED_CLOCK_SKEW);
         set.addAll(DelegatedAuthorizationSettings.getSettings(TYPE));
         set.addAll(RealmSettings.getStandardSettings(TYPE));
         set.addAll(SSLConfigurationSettings.getRealmSettings(TYPE));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -81,6 +81,7 @@
 import org.elasticsearch.xpack.core.security.action.GetApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateAction;
+import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutAction;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationAction;
 import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
@@ -138,6 +139,7 @@
 import org.elasticsearch.xpack.security.action.TransportInvalidateApiKeyAction;
 import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
 import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectAuthenticateAction;
+import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectLogoutAction;
 import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectPrepareAuthenticationAction;
 import org.elasticsearch.xpack.security.action.privilege.TransportDeletePrivilegesAction;
 import org.elasticsearch.xpack.security.action.privilege.TransportGetPrivilegesAction;
@@ -197,6 +199,7 @@
 import org.elasticsearch.xpack.security.rest.action.RestInvalidateApiKeyAction;
 import org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction;
 import org.elasticsearch.xpack.security.rest.action.oauth2.RestInvalidateTokenAction;
+import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectLogoutAction;
 import org.elasticsearch.xpack.security.rest.action.privilege.RestDeletePrivilegesAction;
 import org.elasticsearch.xpack.security.rest.action.privilege.RestGetPrivilegesAction;
 import org.elasticsearch.xpack.security.rest.action.privilege.RestPutPrivilegesAction;
@@ -745,6 +748,7 @@ public void onIndexModule(IndexModule module) {
                 new ActionHandler<>(OpenIdConnectPrepareAuthenticationAction.INSTANCE,
                     TransportOpenIdConnectPrepareAuthenticationAction.class),
                 new ActionHandler<>(OpenIdConnectAuthenticateAction.INSTANCE, TransportOpenIdConnectAuthenticateAction.class),
+                new ActionHandler<>(OpenIdConnectLogoutAction.INSTANCE, TransportOpenIdConnectLogoutAction.class),
                 new ActionHandler<>(GetPrivilegesAction.INSTANCE, TransportGetPrivilegesAction.class),
                 new ActionHandler<>(PutPrivilegesAction.INSTANCE, TransportPutPrivilegesAction.class),
                 new ActionHandler<>(DeletePrivilegesAction.INSTANCE, TransportDeletePrivilegesAction.class),
@@ -799,6 +803,7 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                 new RestSamlInvalidateSessionAction(settings, restController, getLicenseState()),
                 new RestOpenIdConnectPrepareAuthenticationAction(settings, restController, getLicenseState()),
                 new RestOpenIdConnectAuthenticateAction(settings, restController, getLicenseState()),
+                new RestOpenIdConnectLogoutAction(settings, restController, getLicenseState()),
                 new RestGetPrivilegesAction(settings, restController, getLicenseState()),
                 new RestPutPrivilegesAction(settings, restController, getLicenseState()),
                 new RestDeletePrivilegesAction(settings, restController, getLicenseState()),

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutAction.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.security.action.oidc;
+
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutAction;
+import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutRequest;
+import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.Realms;
+import org.elasticsearch.xpack.security.authc.TokenService;
+import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm;
+
+import java.io.IOException;
+import java.text.ParseException;
+import java.util.Map;
+
+/**
+ * Transport action responsible for generating an OpenID connect logout request to be sent to an OpenID Connect Provider
+ */
+public class TransportOpenIdConnectLogoutAction extends HandledTransportAction<OpenIdConnectLogoutRequest, OpenIdConnectLogoutResponse> {
+
+    private final Realms realms;
+    private final TokenService tokenService;
+    private static final Logger logger = LogManager.getLogger(TransportOpenIdConnectLogoutAction.class);
+
+    @Inject
+    public TransportOpenIdConnectLogoutAction(TransportService transportService, ActionFilters actionFilters, Realms realms,
+                                              TokenService tokenService) {
+        super(OpenIdConnectLogoutAction.NAME, transportService, actionFilters,
+            (Writeable.Reader<OpenIdConnectLogoutRequest>) OpenIdConnectLogoutRequest::new);
+        this.realms = realms;
+        this.tokenService = tokenService;
+    }
+
+    @Override
+    protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionListener<OpenIdConnectLogoutResponse> listener) {
+        invalidateRefreshToken(request.getRefreshToken(), ActionListener.wrap(ignore -> {
+            try {
+                final String token = request.getToken();
+                tokenService.getAuthenticationAndMetaData(token, ActionListener.wrap(
+                    tuple -> {
+                        final Authentication authentication = tuple.v1();
+                        final Map<String, Object> tokenMetadata = tuple.v2();
+                        validateAuthenticationAndMetadata(authentication, tokenMetadata);
+                        tokenService.invalidateAccessToken(token, ActionListener.wrap(
+                            result -> {
+                                if (logger.isTraceEnabled()) {
+                                    logger.trace("OpenID Connect Logout for user [{}] and token [{}...{}]",
+                                        authentication.getUser().principal(),
+                                        token.substring(0, 8),
+                                        token.substring(token.length() - 8));
+                                }
+                                OpenIdConnectLogoutResponse response = buildResponse(authentication, tokenMetadata);
+                                listener.onResponse(response);
+                            }, listener::onFailure)
+                        );
+                    }, listener::onFailure));
+            } catch (IOException e) {
+                listener.onFailure(e);
+            }
+        }, listener::onFailure));
+    }
+
+    private OpenIdConnectLogoutResponse buildResponse(Authentication authentication, Map<String, Object> tokenMetadata) {
+        final String idTokenHint = (String) getFromMetadata(tokenMetadata, "id_token_hint");
+        final Realm realm = this.realms.realm(authentication.getAuthenticatedBy().getName());
+        final JWT idToken;
+        try {
+            idToken = JWTParser.parse(idTokenHint);
+        } catch (ParseException e) {
+            throw new ElasticsearchSecurityException("Token Metadata did not contain a valid IdToken", e);
+        }
+        return ((OpenIdConnectRealm) realm).buildLogoutResponse(idToken);
+    }
+
+    private void validateAuthenticationAndMetadata(Authentication authentication, Map<String, Object> tokenMetadata) {
+        if (tokenMetadata == null) {
+            throw new ElasticsearchSecurityException("Authentication did not contain metadata");
+        }
+        if (authentication == null) {
+            throw new ElasticsearchSecurityException("No active authentication");
+        }
+        final User user = authentication.getUser();
+        if (user == null) {
+            throw new ElasticsearchSecurityException("No active user");
+        }
+
+        final Authentication.RealmRef ref = authentication.getAuthenticatedBy();
+        if (ref == null || Strings.isNullOrEmpty(ref.getName())) {
+            throw new ElasticsearchSecurityException("Authentication {} has no authenticating realm",
+                authentication);
+        }
+        final Realm realm = this.realms.realm(authentication.getAuthenticatedBy().getName());
+        if (realm == null) {
+            throw new ElasticsearchSecurityException("Authenticating realm {} does not exist", ref.getName());
+        }
+        if (realm instanceof OpenIdConnectRealm == false) {
+            throw new IllegalArgumentException("Access token is not valid for an OpenID Connect realm");
+        }
+    }
+
+    private Object getFromMetadata(Map<String, Object> metadata, String key) {
+        if (metadata.containsKey(key) == false) {
+            throw new ElasticsearchSecurityException("Authentication token does not have OpenID Connect metadata [{}]", key);
+        }
+        Object value = metadata.get(key);
+        if (null != value && value instanceof String == false) {
+            throw new ElasticsearchSecurityException("In authentication token, OpenID Connect metadata [{}] is [{}] rather than " +
+                "String", key, value.getClass());
+        }
+        return value;
+
+    }
+    private void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener) {
+        if (refreshToken == null) {
+            listener.onResponse(null);
+        } else {
+            tokenService.invalidateRefreshToken(refreshToken, listener);
+        }
+    }
+}