[Backport 7.x] OpenID Connect realm guide (#42836)

This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> Backport of #41423 and #42555
elastic · Jun 4, 2019 · 440ec4d · 440ec4d
1 parent 928f499
commit 440ec4d
Show file tree

Hide file tree

Showing 7 changed files with 714 additions and 16 deletions.
diff --git a/x-pack/docs/build.gradle b/x-pack/docs/build.gradle
@@ -31,13 +31,26 @@ project.copyRestSpec.from(xpackResources) {
 }
 
 testClusters.integTest {
+    extraConfigFile 'op-jwks.json', xpackProject('test:idp-fixture').file("oidc/op-jwks.json")
     setting 'xpack.security.enabled', 'true'
     setting 'xpack.security.authc.api_key.enabled', 'true'
     setting 'xpack.security.authc.token.enabled', 'true'
     // Disable monitoring exporters for the docs tests
     setting 'xpack.monitoring.exporters._local.type', 'local'
     setting 'xpack.monitoring.exporters._local.enabled', 'false'
     setting 'xpack.license.self_generated.type', 'trial'
+    setting 'xpack.security.authc.realms.file.file.order', '0'
+    setting 'xpack.security.authc.realms.native.native.order', '1'
+    setting 'xpack.security.authc.realms.oidc.oidc1.order', '2'
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.issuer', 'http://127.0.0.1:8080'
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint', "http://127.0.0.1:8080/c2id-login"
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.token_endpoint', "http://127.0.0.1:8080/c2id/token"
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.jwkset_path', 'op-jwks.json'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri', 'https://my.fantastic.rp/cb'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'elasticsearch-rp'
+    keystore 'xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'b07efb7a1cf6ec9462afe7b6d3ab55c6c7880262aa61ac28dded292aca47c9a2'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.response_type', 'id_token'
+    setting 'xpack.security.authc.realms.oidc.oidc1.claims.principal', 'sub'
     user username: 'test_admin'
 }
 

diff --git a/x-pack/docs/en/rest-api/security.asciidoc b/x-pack/docs/en/rest-api/security.asciidoc
@@ -76,6 +76,8 @@ native realm:
 * <<security-api-enable-user,Enable users>>
 * <<security-api-get-user,Get users>>
 
+[float]
+[[security-openid-apis]]
 === OpenID Connect
 
 You can use the following APIs to authenticate users against an OpenID Connect
@@ -110,7 +112,7 @@ include::security/get-users.asciidoc[]
 include::security/has-privileges.asciidoc[]
 include::security/invalidate-api-keys.asciidoc[]
 include::security/invalidate-tokens.asciidoc[]
-include::security/ssl.asciidoc[]
 include::security/oidc-prepare-authentication-api.asciidoc[]
 include::security/oidc-authenticate-api.asciidoc[]
 include::security/oidc-logout-api.asciidoc[]
+include::security/ssl.asciidoc[]
diff --git a/x-pack/docs/en/rest-api/security/authenticate.asciidoc b/x-pack/docs/en/rest-api/security/authenticate.asciidoc
@@ -46,11 +46,11 @@ The following example output provides information about the "rdeniro" user:
   "metadata": { },
   "enabled": true,
   "authentication_realm": {
-    "name" : "default_file",
+    "name" : "file",
     "type" : "file"
   },
   "lookup_realm": {
-    "name" : "default_file",
+    "name" : "file",
     "type" : "file"
   }
 }

diff --git a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
@@ -51,7 +51,7 @@ POST /_security/oidc/authenticate
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
+// TEST[catch:unauthorized]
 
 The following example output contains the access token that was generated in response, the amount of time (in
 seconds) that the token expires in, the type, and the refresh token:

diff --git a/x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc
@@ -39,7 +39,7 @@ POST /_security/oidc/logout
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
+// TEST[catch:unauthorized]
 
 The following example output of the response contains the URI pointing to the End Session Endpoint of the
 OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters

diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -57,20 +57,19 @@ POST /_security/oidc/prepare
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
-
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=0o43gasov3TxMWJOt839",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
 
 The following example generates an authentication request for the OpenID Connect Realm `oidc1`, where the
 values for the state and the nonce have been generated by the client
@@ -85,20 +84,19 @@ POST /_security/oidc/prepare
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
 
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
   "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
   "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE
 
 The following example generates an authentication request for a 3rd party initiated single sign on, specifying the
 issuer that should be used for matching the appropriate OpenID Connect Authentication realm
@@ -107,22 +105,22 @@ issuer that should be used for matching the appropriate OpenID Connect Authentic
 --------------------------------------------------
 POST /_security/oidc/prepare
 {
-  "issuer" : "https://op-issuer.org:8800",
+  "iss" : "http://127.0.0.1:8080",
   "login_hint": "this_is_an_opaque_string"
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
 
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839&login_hint=this_is_an_opaque_string",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]