Add an OpenID Connect authentication realm (#40674) (#41178)

This commit adds an OpenID Connect authentication realm to
elasticsearch. Elasticsearch (with the assistance of kibana or
another web component) acts as an OpenID Connect Relying
Party and supports the Authorization Code Grant and Implicit
flows as described in http://ela.st/oidc-spec. It adds support
for consuming and verifying signed ID Tokens, both RP
initiated and 3rd party initiated Single Sign on and RP
initiated signle logout.
It also adds an OpenID Connect Provider in the idp-fixture to
be used for the associated integration tests.

This is a backport of #40674

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateAction.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.Action;
+import org.elasticsearch.common.io.stream.Writeable;
+
+/**
+ * Action for initiating an authentication process using OpenID Connect
+ */
+public final class OpenIdConnectAuthenticateAction extends Action<OpenIdConnectAuthenticateResponse> {
+
+    public static final OpenIdConnectAuthenticateAction INSTANCE = new OpenIdConnectAuthenticateAction();
+    public static final String NAME = "cluster:admin/xpack/security/oidc/authenticate";
+
+    private OpenIdConnectAuthenticateAction() {
+        super(NAME);
+    }
+
+    @Override
+    public OpenIdConnectAuthenticateResponse newResponse() {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public Writeable.Reader<OpenIdConnectAuthenticateResponse> getResponseReader() {
+        return OpenIdConnectAuthenticateResponse::new;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequest.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+/**
+ * Represents a request for authentication using OpenID Connect
+ */
+public class OpenIdConnectAuthenticateRequest extends ActionRequest {
+
+    /**
+     * The URI where the OP redirected the browser after the authentication attempt. This is passed as is from the
+     * facilitator entity (i.e. Kibana)
+     */
+    private String redirectUri;
+
+    /**
+     * The state value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
+     * with the facilitator
+     */
+    private String state;
+
+    /**
+     * The nonce value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
+     * with the facilitator
+     */
+    private String nonce;
+
+    public OpenIdConnectAuthenticateRequest() {
+
+    }
+
+    public OpenIdConnectAuthenticateRequest(StreamInput in) throws IOException {
+        super.readFrom(in);
+        redirectUri = in.readString();
+        state = in.readString();
+        nonce = in.readString();
+    }
+
+    public String getRedirectUri() {
+        return redirectUri;
+    }
+
+    public void setRedirectUri(String redirectUri) {
+        this.redirectUri = redirectUri;
+    }
+
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public String getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(state)) {
+            validationException = addValidationError("state parameter is missing", validationException);
+        }
+        if (Strings.isNullOrEmpty(nonce)) {
+            validationException = addValidationError("nonce parameter is missing", validationException);
+        }
+        if (Strings.isNullOrEmpty(redirectUri)) {
+            validationException = addValidationError("redirect_uri parameter is missing", validationException);
+        }
+        return validationException;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(redirectUri);
+        out.writeString(state);
+        out.writeString(nonce);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    public String toString() {
+        return "{redirectUri=" + redirectUri + ", state=" + state + ", nonce=" + nonce + "}";
+    }
+}
+

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequestBuilder.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.client.ElasticsearchClient;
+
+/**
+ * Request builder for populating a {@link OpenIdConnectAuthenticateRequest}
+ */
+public class OpenIdConnectAuthenticateRequestBuilder
+    extends ActionRequestBuilder<OpenIdConnectAuthenticateRequest, OpenIdConnectAuthenticateResponse> {
+
+    public OpenIdConnectAuthenticateRequestBuilder(ElasticsearchClient client) {
+        super(client, OpenIdConnectAuthenticateAction.INSTANCE, new OpenIdConnectAuthenticateRequest());
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder redirectUri(String redirectUri) {
+        request.setRedirectUri(redirectUri);
+        return this;
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder state(String state) {
+        request.setState(state);
+        return this;
+    }
+
+    public OpenIdConnectAuthenticateRequestBuilder nonce(String nonce) {
+        request.setNonce(nonce);
+        return this;
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.unit.TimeValue;
+
+import java.io.IOException;
+
+public class OpenIdConnectAuthenticateResponse extends ActionResponse {
+    private String principal;
+    private String accessTokenString;
+    private String refreshTokenString;
+    private TimeValue expiresIn;
+
+    public OpenIdConnectAuthenticateResponse(String principal, String accessTokenString, String refreshTokenString, TimeValue expiresIn) {
+        this.principal = principal;
+        this.accessTokenString = accessTokenString;
+        this.refreshTokenString = refreshTokenString;
+        this.expiresIn = expiresIn;
+    }
+
+    public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
+        super.readFrom(in);
+        principal = in.readString();
+        accessTokenString = in.readString();
+        refreshTokenString = in.readString();
+        expiresIn = in.readTimeValue();
+    }
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+    public String getAccessTokenString() {
+        return accessTokenString;
+    }
+
+    public String getRefreshTokenString() {
+        return refreshTokenString;
+    }
+
+    public TimeValue getExpiresIn() {
+        return expiresIn;
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(principal);
+        out.writeString(accessTokenString);
+        out.writeString(refreshTokenString);
+        out.writeTimeValue(expiresIn);
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutAction.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.Action;
+import org.elasticsearch.common.io.stream.Writeable;
+
+public class OpenIdConnectLogoutAction extends Action<OpenIdConnectLogoutResponse> {
+
+    public static final OpenIdConnectLogoutAction INSTANCE = new OpenIdConnectLogoutAction();
+    public static final String NAME = "cluster:admin/xpack/security/oidc/logout";
+
+    private OpenIdConnectLogoutAction() {
+        super(NAME);
+    }
+
+    @Override
+    public OpenIdConnectLogoutResponse newResponse() {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public Writeable.Reader<OpenIdConnectLogoutResponse> getResponseReader() {
+        return OpenIdConnectLogoutResponse::new;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutRequest.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+public final class OpenIdConnectLogoutRequest extends ActionRequest {
+
+    private String token;
+    @Nullable
+    private String refreshToken;
+
+    public OpenIdConnectLogoutRequest() {
+
+    }
+
+    public OpenIdConnectLogoutRequest(StreamInput in) throws IOException {
+        super.readFrom(in);
+        token = in.readString();
+        refreshToken = in.readOptionalString();
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(token)) {
+            validationException = addValidationError("token is missing", validationException);
+        }
+        return validationException;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+
+    public void setRefreshToken(String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(token);
+        out.writeOptionalString(refreshToken);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutResponse.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action.oidc;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+public final class OpenIdConnectLogoutResponse extends ActionResponse {
+
+    private String endSessionUrl;
+
+    public OpenIdConnectLogoutResponse(StreamInput in) throws IOException {
+        super.readFrom(in);
+        this.endSessionUrl = in.readString();
+    }
+
+    public OpenIdConnectLogoutResponse(String endSessionUrl) {
+        this.endSessionUrl = endSessionUrl;
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(endSessionUrl);
+    }
+
+    public String toString() {
+        return "{endSessionUrl=" + endSessionUrl + "}";
+    }
+
+    public String getEndSessionUrl() {
+        return endSessionUrl;
+    }
+}