Skip to content

Commit

Permalink
Add an OpenID Connect authentication realm (elastic#40674)
Browse files Browse the repository at this point in the history 
This commit adds an OpenID Connect authentication realm to
elasticsearch. Elasticsearch (with the assistance of kibana or
another web component) acts as an OpenID Connect Relying
Party and supports the Authorization Code Grant and Implicit
flows as described in http://ela.st/oidc-spec. It adds support
for consuming and verifying signed ID Tokens, both RP
initiated and 3rd party initiated Single Sign on and RP
initiated signle logout.
It also adds an OpenID Connect Provider in the idp-fixture to
be used for the associated integration tests.

The code in this commit has been tracked in a feature branch
and has been previously reviewed and approved in :

elastic#37009
elastic#37787
elastic#38474
elastic#38475
elastic#40262
  • Loading branch information
@jkakavas
jkakavas authored and Gurkan Kaymak committed May 27, 2019
1 parent 1eb4cc7 commit 572d64f
Show file tree
Hide file tree
Showing 69 changed files with 7,229 additions and 10 deletions.
32 changes: 32 additions & 0 deletions ...va/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateAction.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.Action;
import org.elasticsearch.common.io.stream.Writeable;

/**
* Action for initiating an authentication process using OpenID Connect
*/
public final class OpenIdConnectAuthenticateAction extends Action<OpenIdConnectAuthenticateResponse> {

public static final OpenIdConnectAuthenticateAction INSTANCE = new OpenIdConnectAuthenticateAction();
public static final String NAME = "cluster:admin/xpack/security/oidc/authenticate";

private OpenIdConnectAuthenticateAction() {
super(NAME);
}

@Override
public OpenIdConnectAuthenticateResponse newResponse() {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}

@Override
public Writeable.Reader<OpenIdConnectAuthenticateResponse> getResponseReader() {
return OpenIdConnectAuthenticateResponse::new;
}
}
108 changes: 108 additions & 0 deletions ...a/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;

import java.io.IOException;

import static org.elasticsearch.action.ValidateActions.addValidationError;

/**
* Represents a request for authentication using OpenID Connect
*/
public class OpenIdConnectAuthenticateRequest extends ActionRequest {

/**
* The URI where the OP redirected the browser after the authentication attempt. This is passed as is from the
* facilitator entity (i.e. Kibana)
*/
private String redirectUri;

/**
* The state value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
* with the facilitator
*/
private String state;

/**
* The nonce value that we generated or the facilitator provided for this specific flow and that should be stored at the user's session
* with the facilitator
*/
private String nonce;

public OpenIdConnectAuthenticateRequest() {

}

public OpenIdConnectAuthenticateRequest(StreamInput in) throws IOException {
super.readFrom(in);
redirectUri = in.readString();
state = in.readString();
nonce = in.readString();
}

public String getRedirectUri() {
return redirectUri;
}

public void setRedirectUri(String redirectUri) {
this.redirectUri = redirectUri;
}

public String getState() {
return state;
}

public void setState(String state) {
this.state = state;
}

public String getNonce() {
return nonce;
}

public void setNonce(String nonce) {
this.nonce = nonce;
}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
if (Strings.isNullOrEmpty(state)) {
validationException = addValidationError("state parameter is missing", validationException);
}
if (Strings.isNullOrEmpty(nonce)) {
validationException = addValidationError("nonce parameter is missing", validationException);
}
if (Strings.isNullOrEmpty(redirectUri)) {
validationException = addValidationError("redirect_uri parameter is missing", validationException);
}
return validationException;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(redirectUri);
out.writeString(state);
out.writeString(nonce);
}

@Override
public void readFrom(StreamInput in) {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}

public String toString() {
return "{redirectUri=" + redirectUri + ", state=" + state + ", nonce=" + nonce + "}";
}
}

36 changes: 36 additions & 0 deletions ...lasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequestBuilder.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.ActionRequestBuilder;
import org.elasticsearch.client.ElasticsearchClient;

/**
* Request builder for populating a {@link OpenIdConnectAuthenticateRequest}
*/
public class OpenIdConnectAuthenticateRequestBuilder
extends ActionRequestBuilder<OpenIdConnectAuthenticateRequest, OpenIdConnectAuthenticateResponse> {

public OpenIdConnectAuthenticateRequestBuilder(ElasticsearchClient client) {
super(client, OpenIdConnectAuthenticateAction.INSTANCE, new OpenIdConnectAuthenticateRequest());
}

public OpenIdConnectAuthenticateRequestBuilder redirectUri(String redirectUri) {
request.setRedirectUri(redirectUri);
return this;
}

public OpenIdConnectAuthenticateRequestBuilder state(String state) {
request.setState(state);
return this;
}

public OpenIdConnectAuthenticateRequestBuilder nonce(String nonce) {
request.setNonce(nonce);
return this;
}

}
65 changes: 65 additions & 0 deletions .../org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.unit.TimeValue;

import java.io.IOException;

public class OpenIdConnectAuthenticateResponse extends ActionResponse {
private String principal;
private String accessTokenString;
private String refreshTokenString;
private TimeValue expiresIn;

public OpenIdConnectAuthenticateResponse(String principal, String accessTokenString, String refreshTokenString, TimeValue expiresIn) {
this.principal = principal;
this.accessTokenString = accessTokenString;
this.refreshTokenString = refreshTokenString;
this.expiresIn = expiresIn;
}

public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
super.readFrom(in);
principal = in.readString();
accessTokenString = in.readString();
refreshTokenString = in.readString();
expiresIn = in.readTimeValue();
}

public String getPrincipal() {
return principal;
}

public String getAccessTokenString() {
return accessTokenString;
}

public String getRefreshTokenString() {
return refreshTokenString;
}

public TimeValue getExpiresIn() {
return expiresIn;
}

@Override
public void readFrom(StreamInput in) {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(principal);
out.writeString(accessTokenString);
out.writeString(refreshTokenString);
out.writeTimeValue(expiresIn);
}
}
29 changes: 29 additions & 0 deletions ...ain/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutAction.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.Action;
import org.elasticsearch.common.io.stream.Writeable;

public class OpenIdConnectLogoutAction extends Action<OpenIdConnectLogoutResponse> {

public static final OpenIdConnectLogoutAction INSTANCE = new OpenIdConnectLogoutAction();
public static final String NAME = "cluster:admin/xpack/security/oidc/logout";

private OpenIdConnectLogoutAction() {
super(NAME);
}

@Override
public OpenIdConnectLogoutResponse newResponse() {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}

@Override
public Writeable.Reader<OpenIdConnectLogoutResponse> getResponseReader() {
return OpenIdConnectLogoutResponse::new;
}
}
71 changes: 71 additions & 0 deletions ...in/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutRequest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;

import java.io.IOException;

import static org.elasticsearch.action.ValidateActions.addValidationError;

public final class OpenIdConnectLogoutRequest extends ActionRequest {

private String token;
@Nullable
private String refreshToken;

public OpenIdConnectLogoutRequest() {

}

public OpenIdConnectLogoutRequest(StreamInput in) throws IOException {
super.readFrom(in);
token = in.readString();
refreshToken = in.readOptionalString();
}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
if (Strings.isNullOrEmpty(token)) {
validationException = addValidationError("token is missing", validationException);
}
return validationException;
}

public String getToken() {
return token;
}

public void setToken(String token) {
this.token = token;
}

public String getRefreshToken() {
return refreshToken;
}

public void setRefreshToken(String refreshToken) {
this.refreshToken = refreshToken;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(token);
out.writeOptionalString(refreshToken);
}

@Override
public void readFrom(StreamInput in) {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}
}
45 changes: 45 additions & 0 deletions ...n/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectLogoutResponse.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.oidc;

import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;

import java.io.IOException;

public final class OpenIdConnectLogoutResponse extends ActionResponse {

private String endSessionUrl;

public OpenIdConnectLogoutResponse(StreamInput in) throws IOException {
super.readFrom(in);
this.endSessionUrl = in.readString();
}

public OpenIdConnectLogoutResponse(String endSessionUrl) {
this.endSessionUrl = endSessionUrl;
}

@Override
public void readFrom(StreamInput in) {
throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(endSessionUrl);
}

public String toString() {
return "{endSessionUrl=" + endSessionUrl + "}";
}

public String getEndSessionUrl() {
return endSessionUrl;
}
}
Loading

0 comments on commit 572d64f

Please sign in to comment.