From 355869eaec9a6ed42caac493cd65ff17fc8f8024 Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Wed, 11 Nov 2020 21:10:33 +0100
Subject: [PATCH 1/4] This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
---
 .../security/oidc-authenticate-api.asciidoc | 5 ++--
 .../oidc-prepare-authentication-api.asciidoc | 19 ++++++++-------
 .../OpenIdConnectAuthenticateResponse.java | 8 ++++++-
 ...dConnectPrepareAuthenticationResponse.java | 24 +++++++++++++++++--
 ...nsportOpenIdConnectAuthenticateAction.java | 2 +-
 .../authc/oidc/OpenIdConnectRealm.java | 2 +-
 .../RestOpenIdConnectAuthenticateAction.java | 3 +++
 .../authc/oidc/OpenIdConnectRealmTests.java | 5 ++++
 .../authc/oidc/OpenIdConnectAuthIT.java | 1 +
 9 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
index 14d0f2cf7023d..a62cc428d9023 100644
--- a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
@@ -58,7 +58,7 @@ be used to authenticate this. Useful when multiple realms have been defined.
 The following example request exchanges the response that was returned from the OpenID Connect Provider after a successful authentication, for an {es} access
-token and refresh token to be used in subsequent requests. This example is from
+token and refresh token to be used in subsequent requests. This example is from
 an authentication that uses the authorization code grant flow.
 [source,console]
@@ -83,7 +83,8 @@ and the refresh token:
 "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
 "type" : "Bearer",
 "expires_in" : 1200,
- "refresh_token": "vLBPvmAB6KvwvJZr27cS"
+ "refresh_token": "vLBPvmAB6KvwvJZr27cS",
+ "realm_name": "oidc1"
 }
 --------------------------------------------------
 // NOTCONSOLE
diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
index 424ed51742f8f..5559bd25acb69 100644
--- a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -3,7 +3,7 @@
 === OpenID Connect Prepare Authentication API
 Creates an oAuth 2.0 authentication request as a URL string based on the
-configuration of the respective OpenID Connect authentication realm in {es}.
+configuration of the respective OpenID Connect authentication realm in {es}.
 [[security-api-oidc-prepare-authentication-request]]
 ==== {api-request-title}
@@ -16,13 +16,13 @@ configuration of the respective OpenID Connect authentication realm in {es}.
 [[security-api-oidc-prepare-authentication-desc]]
 ==== {api-description-title}
-The response of this API is a URL pointing to the Authorization Endpoint of the
-configured OpenID Connect Provider and can be used to redirect the browser of
+The response of this API is a URL pointing to the Authorization Endpoint of the
+configured OpenID Connect Provider and can be used to redirect the browser of
 the user in order to continue the authentication process.
 {es} exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
-OpenID Connect based authentication, but can also be used by other, custom web
+OpenID Connect based authentication, but can also be used by other, custom web
 applications or other clients. See also <> and <>.
@@ -81,7 +81,8 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
- "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+ "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+ "realm_name" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
@@ -109,7 +110,8 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
 "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
- "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
+ "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5",
+ "realm_name" : "oidc1"
 }
 --------------------------------------------------
@@ -134,8 +136,9 @@ the Authentication Request, as HTTP GET parameters:
 {
 "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
- "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+ "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+ "realm_name" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
-// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
\ No newline at end of file
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
index ae7e1eeaf9158..1783baa66d9dd 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
@@ -19,14 +19,16 @@ public class OpenIdConnectAuthenticateResponse extends ActionResponse {
 private String accessTokenString;
 private String refreshTokenString;
 private TimeValue expiresIn;
+ private String realmName;
 private Authentication authentication;
 public OpenIdConnectAuthenticateResponse(Authentication authentication, String accessTokenString, String refreshTokenString,
- TimeValue expiresIn) {
+ TimeValue expiresIn, String realmName) {
 this.principal = authentication.getUser().principal();;
 this.accessTokenString = accessTokenString;
 this.refreshTokenString = refreshTokenString;
 this.expiresIn = expiresIn;
+ this.realmName = realmName;
 this.authentication = authentication;
 }
@@ -37,6 +39,7 @@ public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
 refreshTokenString = in.readString();
 expiresIn = in.readTimeValue();
 if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
+ realmName = in.readString();
 authentication = new Authentication(in);
 }
 }
@@ -57,6 +60,8 @@ public TimeValue getExpiresIn() {
 return expiresIn;
 }
+ public String getRealmName() { return realmName; }
+
 public Authentication getAuthentication() { return authentication; }
 @Override
@@ -66,6 +71,7 @@ public void writeTo(StreamOutput out) throws IOException {
 out.writeString(refreshTokenString);
 out.writeTimeValue(expiresIn);
 if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
+ out.writeString(realmName);
 authentication.writeTo(out);
 }
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
index 34ccabaf0c297..b1fa91d0b6c5d 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
@@ -5,6 +5,7 @@
 */
 package org.elasticsearch.xpack.core.security.action.oidc;
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -28,11 +29,16 @@ public class OpenIdConnectPrepareAuthenticationResponse extends ActionResponse i
 * String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
 */
 private String nonce;
+ /*
+ * String value: name of the realm used to perform authentication.
+ */
+ private String realmName;
- public OpenIdConnectPrepareAuthenticationResponse(String authorizationEndpointUrl, String state, String nonce) {
+ public OpenIdConnectPrepareAuthenticationResponse(String authorizationEndpointUrl, String state, String nonce, String realmName) {
 this.authenticationRequestUrl = authorizationEndpointUrl;
 this.state = state;
 this.nonce = nonce;
+ this.realmName = realmName;
 }
 public OpenIdConnectPrepareAuthenticationResponse(StreamInput in) throws IOException {
@@ -40,6 +46,9 @@ public OpenIdConnectPrepareAuthenticationResponse(StreamInput in) throws IOExcep
 authenticationRequestUrl = in.readString();
 state = in.readString();
 nonce = in.readString();
+ if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
+ realmName = in.readString();
+ }
 }
 public String getAuthenticationRequestUrl() {
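Review bot: The version-guarded `realmName = in.readString();` added here is paired with `out.writeString(realmName)` in the writeTo hunk of this file section, yet toXContent guards on `realmName != null`, so the class treats the field as optional in one place and as required in the other. A response deserialized from a pre-7.11 node leaves realmName null, and as far as I can tell StreamOutput.writeString is not null-tolerant, so re-serializing such a response would fail rather than omit the field; using `realmName = in.readOptionalString();` here and `out.writeOptionalString(realmName);` in writeTo makes the null handling consistent, or else document that realmName is never null (the realm passes `this.name()`) and drop the guard in toXContent. The comment on the new field opens with `/*` rather than the javadoc `/**` the surrounding field comments appear to use; `/** Name of the realm that built this authentication request. */` would keep the style uniform.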
@@ -54,15 +63,23 @@ public String getNonce() {
 return nonce;
 }
+ public String getRealmName() {
+ return realmName;
+ }
+
 @Override
 public void writeTo(StreamOutput out) throws IOException {
 out.writeString(authenticationRequestUrl);
 out.writeString(state);
 out.writeString(nonce);
+ if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
+ out.writeString(realmName);
+ }
 }
 public String toString() {
- return "{authenticationRequestUrl=" + authenticationRequestUrl + ", state=" + state + ", nonce=" + nonce + "}";
+ return "{authenticationRequestUrl=" + authenticationRequestUrl + ", state=" + state + ", nonce="
+ + nonce + ", realmName" + realmName + "}";
 }
 @Override
@@ -71,6 +88,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
 builder.field("redirect", authenticationRequestUrl);
 builder.field("state", state);
 builder.field("nonce", nonce);
+ if(realmName != null){
+ builder.field("realm_name", realmName);
+ }
 builder.endObject();
 return builder;
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
index 5e73fc387a8d2..fc2c2758b44e9 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
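Review bot: The rewritten toString drops the `=` after realmName, so the output reads `, realmNameoidc1` where every other field is rendered as `key=value`. The continuation line should be `+ nonce + ", realmName=" + realmName + "}";`.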
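Review bot: The new guard `if(realmName != null){` in toXContent departs from the `if (...) {` spacing used by writeTo a few lines above in the same file; write it as `if (realmName != null) {`. Since the examples in oidc-prepare-authentication-api.asciidoc now show the new key but no text explains it, the response-body description of that page (outside this diff, if it has one) should state that the field names the realm that produced the authentication request and that it is omitted when not known.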
@@ -75,7 +75,7 @@ protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request,
 ActionListener.wrap(tokenResult -> {
 final TimeValue expiresIn = tokenService.getExpirationDelay();
 listener.onResponse(new OpenIdConnectAuthenticateResponse(authentication, tokenResult.getAccessToken(),
- tokenResult.getRefreshToken(), expiresIn));
+ tokenResult.getRefreshToken(), expiresIn, authentication.getAuthenticatedBy().getName()));
 }, listener::onFailure));
 }, e -> {
 logger.debug(() -> new ParameterizedMessage("OpenIDConnectToken [{}] could not be authenticated", token), e);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
index 2fbdf57ca05fe..e00f466457f94 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
@@ -363,7 +363,7 @@ public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(
 builder.loginHint(loginHint);
 }
 return new OpenIdConnectPrepareAuthenticationResponse(builder.build().toURI().toString(),
- state.getValue(), nonce.getValue());
+ state.getValue(), nonce.getValue(), this.name());
 }
 public boolean isIssuerValid(String issuer) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
index e96702deee4db..d95a00af5af37 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
@@ -70,6 +70,9 @@ public RestResponse buildResponse(OpenIdConnectAuthenticateResponse response, XC
 builder.field("access_token", response.getAccessTokenString());
 builder.field("refresh_token", response.getRefreshTokenString());
 builder.field("expires_in", response.getExpiresIn().seconds());
+ if(response.getRealmName() != null){
+ builder.field("realm_name", response.getRealmName());
+ }
 if(response.getAuthentication() != null) {
 builder.field("authentication", response.getAuthentication());
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
index 1f8c291e20005..9db84ca89b3c3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
@@ -269,6 +269,7 @@ public void testBuildRelyingPartyConfigWithoutOpenIdScope() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=scope1+scope2+openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildingAuthenticationRequest() {
@@ -292,6 +293,7 @@ public void testBuildingAuthenticationRequest() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid+scope1+scope2&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuilidingAuthenticationRequestWithDefaultScope() {
@@ -313,6 +315,7 @@ public void testBuilidingAuthenticationRequestWithDefaultScope() {
 final String nonce = response.getNonce();
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildLogoutResponse() throws Exception {
@@ -370,6 +373,7 @@ public void testBuildingAuthenticationRequestWithExistingStateAndNonce() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" + "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 public void testBuildingAuthenticationRequestWithLoginHint() {
@@ -394,6 +398,7 @@ public void testBuildingAuthenticationRequestWithLoginHint() {
 assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?login_hint=" + thehint + "&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
+ assertThat(response.getRealmName(), equalTo(REALM_NAME));
 }
 private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapper roleMapper, boolean notPopulateMetadata,
diff --git a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
index 094ba6ee5ecd7..1398fffdb79a5 100644
--- a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
+++ b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
@@ -420,6 +420,7 @@ private Tuple completeAuthentication(String redirectUri, String
 logger.info(" OpenIDConnect authentication response {}", responseBody);
 assertNotNull(responseBody.get("access_token"));
 assertNotNull(responseBody.get("refresh_token"));
+ assertNotNull(responseBody.get("realm_name"));
 assertNotNull(responseBody.get("authentication"));
 assertEquals("alice", ((Map)responseBody.get("authentication")).get("username"));
 return Tuple.tuple(responseBody.get("access_token").toString(), responseBody.get("refresh_token").toString());
From e87b60e143b229c6333b4a2b9f0bb9f00c73c4ad Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Thu, 12 Nov 2020 21:48:37 +0100
Subject: [PATCH 2/4] This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
---
 .../en/rest-api/security/oidc-authenticate-api.asciidoc | 3 +-
 .../security/oidc-prepare-authentication-api.asciidoc | 2 +-
 .../action/oidc/OpenIdConnectAuthenticateResponse.java | 8 +------
 .../oidc/OpenIdConnectPrepareAuthenticationResponse.java | 2 +-
 .../oidc/TransportOpenIdConnectAuthenticateAction.java | 2 +-
 .../action/oidc/RestOpenIdConnectAuthenticateAction.java | 3 ---
 .../xpack/security/authc/oidc/OpenIdConnectAuthIT.java | 8 ++++++--
 7 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
index a62cc428d9023..49315814e1719 100644
--- a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
@@ -83,8 +83,7 @@ and the refresh token:
 "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
 "type" : "Bearer",
 "expires_in" : 1200,
- "refresh_token": "vLBPvmAB6KvwvJZr27cS",
- "realm_name": "oidc1"
+ "refresh_token": "vLBPvmAB6KvwvJZr27cS"
 }
 --------------------------------------------------
 // NOTCONSOLE
diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
index 5559bd25acb69..84cfb6fb6cef4 100644
--- a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -137,7 +137,7 @@ the Authentication Request, as HTTP GET parameters:
 "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
 "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
- "realm_name" : "oidc1"
+ "realm" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
index 1783baa66d9dd..ae7e1eeaf9158 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
@@ -19,16 +19,14 @@ public class OpenIdConnectAuthenticateResponse extends ActionResponse {
 private String accessTokenString;
 private String refreshTokenString;
 private TimeValue expiresIn;
- private String realmName;
 private Authentication authentication;
 public OpenIdConnectAuthenticateResponse(Authentication authentication, String accessTokenString, String refreshTokenString,
- TimeValue expiresIn, String realmName) {
+ TimeValue expiresIn) {
 this.principal = authentication.getUser().principal();;
 this.accessTokenString = accessTokenString;
 this.refreshTokenString = refreshTokenString;
 this.expiresIn = expiresIn;
- this.realmName = realmName;
 this.authentication = authentication;
 }
@@ -39,7 +37,6 @@ public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
 refreshTokenString = in.readString();
 expiresIn = in.readTimeValue();
 if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
- realmName = in.readString();
 authentication = new Authentication(in);
 }
 }
@@ -60,8 +57,6 @@ public TimeValue getExpiresIn() {
 return expiresIn;
 }
- public String getRealmName() { return realmName; }
-
 public Authentication getAuthentication() { return authentication; }
 @Override
@@ -71,7 +66,6 @@ public void writeTo(StreamOutput out) throws IOException {
 out.writeString(refreshTokenString);
 out.writeTimeValue(expiresIn);
 if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
- out.writeString(realmName);
 authentication.writeTo(out);
 }
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
index b1fa91d0b6c5d..a4462eac4099b 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
@@ -89,7 +89,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
 builder.field("state", state);
 builder.field("nonce", nonce);
 if(realmName != null){
- builder.field("realm_name", realmName);
+ builder.field("realm", realmName);
 }
 builder.endObject();
 return builder;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
index fc2c2758b44e9..5e73fc387a8d2 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
@@ -75,7 +75,7 @@ protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request,
 ActionListener.wrap(tokenResult -> {
 final TimeValue expiresIn = tokenService.getExpirationDelay();
 listener.onResponse(new OpenIdConnectAuthenticateResponse(authentication, tokenResult.getAccessToken(),
- tokenResult.getRefreshToken(), expiresIn, authentication.getAuthenticatedBy().getName()));
+ tokenResult.getRefreshToken(), expiresIn));
 }, listener::onFailure));
 }, e -> {
 logger.debug(() -> new ParameterizedMessage("OpenIDConnectToken [{}] could not be authenticated", token), e);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
index d95a00af5af37..e96702deee4db 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
@@ -70,9 +70,6 @@ public RestResponse buildResponse(OpenIdConnectAuthenticateResponse response, XC
 builder.field("access_token", response.getAccessTokenString());
 builder.field("refresh_token", response.getRefreshTokenString());
 builder.field("expires_in", response.getExpiresIn().seconds());
- if(response.getRealmName() != null){
- builder.field("realm_name", response.getRealmName());
- }
 if(response.getAuthentication() != null) {
 builder.field("authentication", response.getAuthentication());
 }
diff --git a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
index 1398fffdb79a5..2d437468105cb 100644
--- a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
+++ b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
@@ -420,7 +420,7 @@ private Tuple completeAuthentication(String redirectUri, String
 logger.info(" OpenIDConnect authentication response {}", responseBody);
 assertNotNull(responseBody.get("access_token"));
 assertNotNull(responseBody.get("refresh_token"));
- assertNotNull(responseBody.get("realm_name"));
+ assertNotNull(responseBody.get("realm"));
 assertNotNull(responseBody.get("authentication"));
 assertEquals("alice", ((Map)responseBody.get("authentication")).get("username"));
 return Tuple.tuple(responseBody.get("access_token").toString(), responseBody.get("refresh_token").toString());
@@ -518,11 +518,13 @@ class PrepareAuthResponse {
 private URI authUri;
 private String state;
 private String nonce;
+ private String realm;
- PrepareAuthResponse(URI authUri, String state, String nonce, @Nullable String realm) {
+ PrepareAuthResponse(URI authUri, String state, String nonce, String realm) {
 this.authUri = authUri;
 this.state = state;
 this.nonce = nonce;
+ this.realm = realm;
 }
 URI getAuthUri() {
@@ -537,5 +539,7 @@ String getNonce() {
 return nonce;
 }
+ String getRealm() { return realm; }
+
 }
 }
From 8bacf63d735945446e854e9effb9de8817ac293b Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Sun, 15 Nov 2020 18:53:02 +0100
Subject: [PATCH 3/4] This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
---
 .../security/oidc-prepare-authentication-api.asciidoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
index 84cfb6fb6cef4..e4cb6b05d5534 100644
--- a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
+++ b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -82,7 +82,7 @@ the Authentication Request, as HTTP GET parameters:
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
 "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
 "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
- "realm_name" : "oidc1"
+ "realm" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
@@ -111,7 +111,7 @@ the Authentication Request, as HTTP GET parameters:
 "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
 "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
 "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5",
- "realm_name" : "oidc1"
+ "realm" : "oidc1"
 }
 --------------------------------------------------
From f4a2d764276f172e4fa34d0bfccd4595fb17ecc5 Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Mon, 16 Nov 2020 18:00:58 +0100
Subject: [PATCH 4/4] This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs
Resolves #53161
---
 .../xpack/security/authc/oidc/OpenIdConnectAuthIT.java | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
index 2d437468105cb..094ba6ee5ecd7 100644
--- a/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
+++ b/x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
@@ -420,7 +420,6 @@ private Tuple completeAuthentication(String redirectUri, String
 logger.info(" OpenIDConnect authentication response {}", responseBody);
 assertNotNull(responseBody.get("access_token"));
 assertNotNull(responseBody.get("refresh_token"));
- assertNotNull(responseBody.get("realm"));
 assertNotNull(responseBody.get("authentication"));
 assertEquals("alice", ((Map)responseBody.get("authentication")).get("username"));
 return Tuple.tuple(responseBody.get("access_token").toString(), responseBody.get("refresh_token").toString());
@@ -518,13 +517,11 @@ class PrepareAuthResponse {
 private URI authUri;
 private String state;
 private String nonce;
- private String realm;
- PrepareAuthResponse(URI authUri, String state, String nonce, String realm) {
+ PrepareAuthResponse(URI authUri, String state, String nonce, @Nullable String realm) {
 this.authUri = authUri;
 this.state = state;
 this.nonce = nonce;
- this.realm = realm;
 }
 URI getAuthUri() {
@@ -539,7 +536,5 @@ String getNonce() {
 return nonce;
 }
- String getRealm() { return realm; }
-
 }
 }
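Review bot: After this hunk the `@Nullable String realm` constructor parameter of PrepareAuthResponse is accepted but never stored, and with the `realm` assertion removed in the first hunk of this file nothing in OpenIdConnectAuthIT verifies that the prepare-authentication response actually carries the `realm` field that OpenIdConnectPrepareAuthenticationResponse now serializes. Keeping `private final String realm;`, `this.realm = realm;` and `String getRealm() { return realm; }` as patch 2 had them, and asserting on getRealm() at the call site that parses the prepare response, would cover the new field end to end; alternatively drop the unused parameter so the helper does not suggest a check that never happens. The PrepareAuthResponse class declaration and the caller that constructs it lie outside the hunk.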