OIDC realm authentication flows (#37787)

Adds implementation for authentication in the OpenID Connect
 realm using the authorization code grant and the implicit flows
 as described in https://openid.net/specs/openid-connect-core-1_0.html

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequest.java

@@ -24,14 +24,14 @@ public class OpenIdConnectAuthenticateRequest extends ActionRequest {
     private String redirectUri;
 
     /**
-     * The state value that we generated for this specific flow and that should be stored at the user's session with
-     * the facilitator
+     * The state value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
+     * with the facilitator
      */
     private String state;
 
     /**
-     * The nonce value that we generated for this specific flow and that should be stored at the user's session with
-     * the facilitator
+     * The nonce value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
+     * with the facilitator
      */
     private String nonce;
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationRequest.java

@@ -21,21 +21,41 @@
 public class OpenIdConnectPrepareAuthenticationRequest extends ActionRequest {
 
     private String realmName;
+    private String state;
+    private String nonce;
 
     public String getRealmName() {
         return realmName;
     }
 
+    public String getState() {
+        return state;
+    }
+
+    public String getNonce() {
+        return nonce;
+    }
+
     public void setRealmName(String realmName) {
         this.realmName = realmName;
     }
 
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
+
     public OpenIdConnectPrepareAuthenticationRequest() {
     }
 
     public OpenIdConnectPrepareAuthenticationRequest(StreamInput in) throws IOException {
         super.readFrom(in);
         realmName = in.readString();
+        state = in.readOptionalString();
+        nonce = in.readOptionalString();
     }
 
     @Override
@@ -51,6 +71,8 @@ public ActionRequestValidationException validate() {
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeString(realmName);
+        out.writeOptionalString(state);
+        out.writeOptionalString(nonce);
     }
 
     @Override
@@ -59,7 +81,7 @@ public void readFrom(StreamInput in) {
     }
 
     public String toString() {
-        return "{realmName=" + realmName + "}";
+        return "{realmName=" + realmName + ", state=" + state + ", nonce=" + nonce + "}";
     }
 
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java

@@ -74,7 +74,7 @@ public String toString() {
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
         builder.startObject();
-        builder.field("authentication_request_url", authenticationRequestUrl);
+        builder.field("redirect", authenticationRequestUrl);
         builder.field("state", state);
         builder.field("nonce", nonce);
         builder.endObject();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java

@@ -7,10 +7,17 @@
 
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;
+import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
@@ -22,36 +29,161 @@ public class OpenIdConnectRealmSettings {
     private OpenIdConnectRealmSettings() {
     }
 
+    private static final List<String> signatureAlgorithms = Collections.unmodifiableList(
+        Arrays.asList("HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"));
+    private static final List<String> responseTypes = Arrays.asList("code", "id_token", "id_token token");
     public static final String TYPE = "oidc";
 
-    public static final Setting.AffixSetting<String> OP_NAME
-        = RealmSettings.simpleString(TYPE, "op.name", Setting.Property.NodeScope);
     public static final Setting.AffixSetting<String> RP_CLIENT_ID
         = RealmSettings.simpleString(TYPE, "rp.client_id", Setting.Property.NodeScope);
     public static final Setting.AffixSetting<SecureString> RP_CLIENT_SECRET
         = RealmSettings.secureString(TYPE, "rp.client_secret");
     public static final Setting.AffixSetting<String> RP_REDIRECT_URI
-        = RealmSettings.simpleString(TYPE, "rp.redirect_uri", Setting.Property.NodeScope);
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.redirect_uri",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> RP_RESPONSE_TYPE
-        = RealmSettings.simpleString(TYPE, "rp.response_type", Setting.Property.NodeScope);
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.response_type",
+        key -> Setting.simpleString(key, v -> {
+            if (responseTypes.contains(v) == false) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Allowed values are " + responseTypes + "");
+            }
+        }, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<String> RP_SIGNATURE_ALGORITHM
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "rp.signature_algorithm",
+        key -> new Setting<>(key, "RS256", Function.identity(), v -> {
+            if (signatureAlgorithms.contains(v) == false) {
+                throw new IllegalArgumentException(
+                    "Invalid value [" + v + "] for [" + key + "]. Allowed values are " + signatureAlgorithms + "}]");
+            }
+        }, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<List<String>> RP_REQUESTED_SCOPES = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE), "rp.requested_scopes",
+        key -> Setting.listSetting(key, Collections.singletonList("openid"), Function.identity(), Setting.Property.NodeScope));
+
+    public static final Setting.AffixSetting<String> OP_NAME
+        = RealmSettings.simpleString(TYPE, "op.name", Setting.Property.NodeScope);
     public static final Setting.AffixSetting<String> OP_AUTHORIZATION_ENDPOINT
-        = RealmSettings.simpleString(TYPE, "op.authorization_endpoint", Setting.Property.NodeScope);
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "op.authorization_endpoint",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> OP_TOKEN_ENDPOINT
-        = RealmSettings.simpleString(TYPE, "op.token_endpoint", Setting.Property.NodeScope);
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "op.token_endpoint",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> OP_USERINFO_ENDPOINT
-        = RealmSettings.simpleString(TYPE, "op.userinfo_endpoint", Setting.Property.NodeScope);
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "op.userinfo_endpoint",
+        key -> Setting.simpleString(key, v -> {
+            try {
+                new URI(v);
+            } catch (URISyntaxException e) {
+                throw new IllegalArgumentException("Invalid value [" + v + "] for [" + key + "]. Not a valid URI.", e);
+            }
+        }, Setting.Property.NodeScope));
     public static final Setting.AffixSetting<String> OP_ISSUER
         = RealmSettings.simpleString(TYPE, "op.issuer", Setting.Property.NodeScope);
-    public static final Setting.AffixSetting<List<String>> RP_REQUESTED_SCOPES = Setting.affixKeySetting(
-        RealmSettings.realmSettingPrefix(TYPE), "rp.requested_scopes",
-        key -> Setting.listSetting(key, Collections.singletonList("openid"), Function.identity(), Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<String> OP_JWKSET_PATH
+        = RealmSettings.simpleString(TYPE, "op.jwkset_path", Setting.Property.NodeScope);
+
+    public static final Setting.AffixSetting<TimeValue> ALLOWED_CLOCK_SKEW
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_clock_skew",
+        key -> Setting.timeSetting(key, TimeValue.timeValueSeconds(60), Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<Boolean> POPULATE_USER_METADATA = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE), "populate_user_metadata",
+        key -> Setting.boolSetting(key, true, Setting.Property.NodeScope));
+    private static final TimeValue DEFAULT_TIMEOUT = TimeValue.timeValueSeconds(5);
+    public static final Setting.AffixSetting<TimeValue> HTTP_CONNECT_TIMEOUT
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.connect_timeout",
+        key -> Setting.timeSetting(key, DEFAULT_TIMEOUT, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<TimeValue> HTTP_CONNECTION_READ_TIMEOUT
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.connection_read_timeout",
+        key -> Setting.timeSetting(key, DEFAULT_TIMEOUT, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<TimeValue> HTTP_SOCKET_TIMEOUT
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.socket_timeout",
+        key -> Setting.timeSetting(key, DEFAULT_TIMEOUT, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<Integer> HTTP_MAX_CONNECTIONS
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.max_connections",
+        key -> Setting.intSetting(key, 200, Setting.Property.NodeScope));
+    public static final Setting.AffixSetting<Integer> HTTP_MAX_ENDPOINT_CONNECTIONS
+        = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.max_endpoint_connections",
+        key -> Setting.intSetting(key, 200, Setting.Property.NodeScope));
+
+    public static final ClaimSetting PRINCIPAL_CLAIM = new ClaimSetting("principal");
+    public static final ClaimSetting GROUPS_CLAIM = new ClaimSetting("groups");
+    public static final ClaimSetting NAME_CLAIM = new ClaimSetting("name");
+    public static final ClaimSetting DN_CLAIM = new ClaimSetting("dn");
+    public static final ClaimSetting MAIL_CLAIM = new ClaimSetting("mail");
 
     public static Set<Setting.AffixSetting<?>> getSettings() {
         final Set<Setting.AffixSetting<?>> set = Sets.newHashSet(
-            OP_NAME, RP_CLIENT_ID, RP_REDIRECT_URI, RP_RESPONSE_TYPE, RP_REQUESTED_SCOPES, RP_CLIENT_SECRET,
-            OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT, OP_ISSUER);
+            RP_CLIENT_ID, RP_REDIRECT_URI, RP_RESPONSE_TYPE, RP_REQUESTED_SCOPES, RP_CLIENT_SECRET, RP_SIGNATURE_ALGORITHM,
+            OP_NAME, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH,
+            HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT, HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS,
+            ALLOWED_CLOCK_SKEW);
         set.addAll(DelegatedAuthorizationSettings.getSettings(TYPE));
         set.addAll(RealmSettings.getStandardSettings(TYPE));
+        set.addAll(SSLConfigurationSettings.getRealmSettings(TYPE));
+        set.addAll(PRINCIPAL_CLAIM.settings());
+        set.addAll(GROUPS_CLAIM.settings());
+        set.addAll(DN_CLAIM.settings());
+        set.addAll(NAME_CLAIM.settings());
+        set.addAll(MAIL_CLAIM.settings());
         return set;
     }
+
+    /**
+     * The OIDC realm offers a number of settings that rely on claim values that are populated by the OP in the ID Token or the User Info
+     * response.
+     * Each claim has 2 settings:
+     * <ul>
+     * <li>The name of the OpenID Connect claim to use</li>
+     * <li>An optional java pattern (regex) to apply to that claim value in order to extract the substring that should be used.</li>
+     * </ul>
+     * For example, the Elasticsearch User Principal could be configured to come from the OpenID Connect standard claim "email",
+     * and extract only the local-part of the user's email address (i.e. the name before the '@').
+     * This class encapsulates those 2 settings.
+     */
+    public static final class ClaimSetting {
+        public static final String CLAIMS_PREFIX = "claims.";
+        public static final String CLAIM_PATTERNS_PREFIX = "claim_patterns.";
+
+        private final Setting.AffixSetting<String> claim;
+        private final Setting.AffixSetting<String> pattern;
+
+        public ClaimSetting(String name) {
+            claim = RealmSettings.simpleString(TYPE, CLAIMS_PREFIX + name, Setting.Property.NodeScope);
+            pattern = RealmSettings.simpleString(TYPE, CLAIM_PATTERNS_PREFIX + name, Setting.Property.NodeScope);
+        }
+
+        public Collection<Setting.AffixSetting<?>> settings() {
+            return Arrays.asList(getClaim(), getPattern());
+        }
+
+        public String name(RealmConfig config) {
+            return getClaim().getConcreteSettingForNamespace(config.name()).getKey();
+        }
+
+        public Setting.AffixSetting<String> getClaim() {
+            return claim;
+        }
+
+        public Setting.AffixSetting<String> getPattern() {
+            return pattern;
+        }
+    }
 }

x-pack/plugin/security/build.gradle

@@ -56,6 +56,16 @@ dependencies {
     compile "org.apache.httpcomponents:httpclient-cache:${versions.httpclient}"
     compile 'com.google.guava:guava:19.0'
 
+    // Dependencies for oidc
+    compile "com.nimbusds:oauth2-oidc-sdk:6.5"
+    compile "com.nimbusds:nimbus-jose-jwt:4.41.2"
+    compile "com.nimbusds:lang-tag:1.4.4"
+    compile "com.sun.mail:javax.mail:1.6.2"
+    compile "net.jcip:jcip-annotations:1.0"
+    compile "net.minidev:json-smart:2.3"
+    compile "net.minidev:accessors-smart:1.2"
+
+
     testCompile 'org.elasticsearch:securemock:1.2'
     testCompile "org.elasticsearch:mocksocket:${versions.mocksocket}"
     //testCompile "org.yaml:snakeyaml:${versions.snakeyaml}"
@@ -160,7 +170,7 @@ forbiddenPatterns {
 }
 
 forbiddenApisMain {
-    signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt')
+    signaturesFiles += files('forbidden/ldap-signatures.txt', 'forbidden/xml-signatures.txt', 'forbidden/oidc-signatures.txt')
 }
 
 // classes are missing, e.g. com.ibm.icu.lang.UCharacter
@@ -257,7 +267,13 @@ thirdPartyAudit {
         'net.sf.ehcache.Ehcache',
         'net.sf.ehcache.Element',
         // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
-        'org.slf4j.ext.EventData'
+        'org.slf4j.ext.EventData',
+        'org.cryptomator.siv.SivMode',
+        'org.objectweb.asm.ClassWriter',
+        'org.objectweb.asm.Label',
+        'org.objectweb.asm.MethodVisitor',
+        'org.objectweb.asm.Type'
+
     )
 
     ignoreViolations (
@@ -278,7 +294,13 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
         'javax.xml.bind.JAXBElement',
         'javax.xml.bind.JAXBException',
         'javax.xml.bind.Unmarshaller',
-        'javax.xml.bind.UnmarshallerHandler'
+        'javax.xml.bind.UnmarshallerHandler', 
+        'javax.activation.ActivationDataFlavor',
+        'javax.activation.DataContentHandler',
+        'javax.activation.DataHandler',
+        'javax.activation.DataSource',
+        'javax.activation.FileDataSource',
+        'javax.activation.FileTypeMap'
     )
 }
 

x-pack/plugin/security/forbidden/oidc-signatures.txt

@@ -0,0 +1,3 @@
+@defaultMessage Blocking methods should not be used for HTTP requests. Use CloseableHttpAsyncClient instead
+com.nimbusds.oauth2.sdk.http.HTTPRequest#send(javax.net.ssl.HostnameVerifier, javax.net.ssl.SSLSocketFactory)
+com.nimbusds.oauth2.sdk.http.HTTPRequest#send()

x-pack/plugin/security/licenses/accessors-smart-1.2.jar.sha1

@@ -0,0 +1 @@
+c592b500269bfde36096641b01238a8350f8aa31