OpenID Connect Realm base functionality (#37009)

This commit adds

* An OpenID Connect Realm definition
* Necessary OpenID Connect Realm settings to support Authorization code
 grant and Implicit grant flows
* Rest and Transport Action and Request/Response objects for initiating and
 completing the authentication flow
* Functionality for generating OIDC Authentication Request URIs Unit tests

Notably missing (to be handled in subsequent PRs):
* The actual implementation of the authentication flows
* Necessary JW{T,S,E} functionality

Relates: #35339

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateAction.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.Action;
+import org.elasticsearch.common.io.stream.Writeable;
+
+/**
+ * Action for initiating an authentication process using OpenID Connect
+ */
+public final class OpenIdConnectAuthenticateAction extends Action<OpenIdConnectAuthenticateResponse> {
+
+    public static final OpenIdConnectAuthenticateAction INSTANCE = new OpenIdConnectAuthenticateAction();
+    public static final String NAME = "cluster:admin/xpack/security/oidc/authenticate";
+
+    private OpenIdConnectAuthenticateAction() {
+        super(NAME);
+    }
+
+    @Override
+    public OpenIdConnectAuthenticateResponse newResponse() {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public Writeable.Reader<OpenIdConnectAuthenticateResponse> getResponseReader() {
+        return OpenIdConnectAuthenticateResponse::new;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequest.java

@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+/**
+ * Represents a request for authentication using OpenID Connect
+ */
+public class OpenIdConnectAuthenticateRequest extends ActionRequest {
+
+    /**
+     * The URI where the OP redirected the browser after the authentication attempt. This is passed as is from the
+     * facilitator entity (i.e. Kibana)
+     */
+    private String redirectUri;
+
+    /**
+     * The state value that we generated for this specific flow and that should be stored at the user's session with
+     * the facilitator
+     */
+    private String state;
+
+    /**
+     * The nonce value that we generated for this specific flow and that should be stored at the user's session with
+     * the facilitator
+     */
+    private String nonce;
+
+    public OpenIdConnectAuthenticateRequest() {
+
+    }
+
+    public OpenIdConnectAuthenticateRequest(StreamInput in) throws IOException {
+        super.readFrom(in);
+        redirectUri = in.readString();
+        state = in.readString();
+        nonce = in.readOptionalString();
+    }
+
+    public String getRedirectUri() {
+        return redirectUri;
+    }
+
+    public void setRedirectUri(String redirectUri) {
+        this.redirectUri = redirectUri;
+    }
+
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public String getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(redirectUri);
+        out.writeString(state);
+        out.writeOptionalString(nonce);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    public String toString() {
+        return "{redirectUri=" + redirectUri + ", state=" + state + ", nonce=" + nonce + "}";
+    }
+}
+

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequestBuilder.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.client.ElasticsearchClient;
+
+/**
+ * Request builder for populating a {@link OpenIdConnectAuthenticateRequest}
+ */
+public class OpenIdConnectAuthenticateRequestBuilder
+    extends ActionRequestBuilder<OpenIdConnectAuthenticateRequest, OpenIdConnectAuthenticateResponse> {
+
+    public OpenIdConnectAuthenticateRequestBuilder(ElasticsearchClient client) {
+        super(client, OpenIdConnectAuthenticateAction.INSTANCE, new OpenIdConnectAuthenticateRequest());
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder redirectUri(String redirectUri) {
+        request.setRedirectUri(redirectUri);
+        return this;
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder state(String state) {
+        request.setState(state);
+        return this;
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder nonce(String nonce) {
+        request.setNonce(nonce);
+        return this;
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.unit.TimeValue;
+
+import java.io.IOException;
+
+public class OpenIdConnectAuthenticateResponse extends ActionResponse {
+    private String principal;
+    private String accessTokenString;
+    private String refreshTokenString;
+    private TimeValue expiresIn;
+
+    public OpenIdConnectAuthenticateResponse(String principal, String accessTokenString, String refreshTokenString, TimeValue expiresIn) {
+        this.principal = principal;
+        this.accessTokenString = accessTokenString;
+        this.refreshTokenString = refreshTokenString;
+        this.expiresIn = expiresIn;
+    }
+
+    public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
+        super.readFrom(in);
+        principal = in.readString();
+        accessTokenString = in.readString();
+        refreshTokenString = in.readString();
+        expiresIn = in.readTimeValue();
+    }
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+    public String getAccessTokenString() {
+        return accessTokenString;
+    }
+
+    public String getRefreshTokenString() {
+        return refreshTokenString;
+    }
+
+    public TimeValue getExpiresIn() {
+        return expiresIn;
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(principal);
+        out.writeString(accessTokenString);
+        out.writeString(refreshTokenString);
+        out.writeTimeValue(expiresIn);
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationAction.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.Action;
+import org.elasticsearch.common.io.stream.Writeable;
+
+public class OpenIdConnectPrepareAuthenticationAction extends Action<OpenIdConnectPrepareAuthenticationResponse> {
+
+    public static final OpenIdConnectPrepareAuthenticationAction INSTANCE = new OpenIdConnectPrepareAuthenticationAction();
+    public static final String NAME = "cluster:admin/xpack/security/oidc/prepare";
+
+    private OpenIdConnectPrepareAuthenticationAction() {
+        super(NAME);
+    }
+
+    @Override
+    public OpenIdConnectPrepareAuthenticationResponse newResponse() {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public Writeable.Reader<OpenIdConnectPrepareAuthenticationResponse> getResponseReader() {
+        return OpenIdConnectPrepareAuthenticationResponse::new;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationRequest.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+/**
+ * Represents a request to prepare an OAuth 2.0 authorization request
+ */
+public class OpenIdConnectPrepareAuthenticationRequest extends ActionRequest {
+
+    private String realmName;
+
+    public String getRealmName() {
+        return realmName;
+    }
+
+    public void setRealmName(String realmName) {
+        this.realmName = realmName;
+    }
+
+    public OpenIdConnectPrepareAuthenticationRequest() {
+    }
+
+    public OpenIdConnectPrepareAuthenticationRequest(StreamInput in) throws IOException {
+        super.readFrom(in);
+        realmName = in.readString();
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.hasText(realmName) == false) {
+            validationException = addValidationError("realm name must be provided", null);
+        }
+        return validationException;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(realmName);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    public String toString() {
+        return "{realmName=" + realmName + "}";
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationRequestBuilder.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.client.ElasticsearchClient;
+
+/**
+ * Request builder for populating a {@link OpenIdConnectPrepareAuthenticationRequest}
+ */
+public class OpenIdConnectPrepareAuthenticationRequestBuilder
+    extends ActionRequestBuilder<OpenIdConnectPrepareAuthenticationRequest, OpenIdConnectPrepareAuthenticationResponse> {
+
+    public OpenIdConnectPrepareAuthenticationRequestBuilder(ElasticsearchClient client) {
+        super(client, OpenIdConnectPrepareAuthenticationAction.INSTANCE, new OpenIdConnectPrepareAuthenticationRequest());
+    }
+
+    public OpenIdConnectPrepareAuthenticationRequestBuilder realmName(String name) {
+        request.setRealmName(name);
+        return this;
+    }
+}