OpenID Connect realm guide #41423
OpenID Connect realm guide #41423
Conversation
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mappign) It also contains a short section on how the realm can be used for authenticating users without Kibana.
jkakavas
added
>docs
|
Pinging @elastic/es-security |
@elasticmachine please run elasticsearch-ci/packaging-sample |
| - `id_token token` which means that we want to use the Implicit flow and we also request an oAuth2 | ||
| access token from the OP, that we can potentially use for follow up requests ( UserInfo ) | ||
| - `id_token` which means that we want to use the Implicit flow, but are not interested in getting | ||
| an oAuth2 token too. |
There was a problem hiding this comment.
Can we provide any guidance on how to know which one to use?
This seems like the first place where we've fallen into the "you need to understand OIDC in order to configure this", and it would be nice to avoid that.
There was a problem hiding this comment.
I made an attempt at suggesting when to use each
| } | ||
| -------------------------------------------------- | ||
| // CONSOLE | ||
| // TEST[skip:These are properly tested in the OpenIDConnectIT suite] |
There was a problem hiding this comment.
Ideally we wouldn't skip these.
The intent of the docs-snippet testing is not to test the backend functionatlity, but to ensure that the docs content is free of errors, and is kept in sync with the implementation.
When we skip these, we run the risk of the examples being broken (e.g. by changes to the endpoint URL, or the addition of required fields)
There was a problem hiding this comment.
Understood. I'll take care of it
There was a problem hiding this comment.
I enabled tests for prepare and added // TESTRESPONSE[catch:X] for authenticate and logout as there is no easy way to test them here.
In order to get a succesful response from the integTest cluster for authenticate, we'd need to use the implicit flow and introduce code to sign the ID Token in a // TESTSETUP section so that the cluster can consume it. I don't think it's worth the effort, but I can be swayed
x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
Show resolved
Hide resolved
|
@jkakavas Do you intend this content to be located in the same place as https://www.elastic.co/guide/en/elastic-stack-overview/current/saml-guide.html ? If so, I'll open a PR in stack-docs to pull it in and fix a few inclusions here. |
|
Aha ! I didnt realize that this was opened against the old file. Do we need
to keep both and keep them in sync or should we just keep the new one in
the stack docs? If the former is true then feel free to open the relevant
stack docs PR, otherwise we could finish the review here and then once
approved raise a new pr to the stack docs to pull it in and remove this one
/ close the PR .
|
|
@elasticmachine run elasticsearch-ci/docbldesx |
…lete an authentication in order to get valid tokens in doc tests eitherway
|
I've cleaned up a few documentation issues. The new content will be added to the Stack Overview via elastic/stack-docs#328 At some point I think we'll want to add configuration details to the Elasticsearch Reference too (equivalent to https://www.elastic.co/guide/en/elasticsearch/reference/master/configuring-saml-realm.html). But I think we can do that in a subsequent PR (equivalent to #30548) |
| ==== Register the RP with an OpenID Connect Provider | ||
|
|
||
| The Relying Party ( {es} and the custom web app ) will need to be registered as | ||
| client with the OpenID Connect Provider. Note that when registering the |
There was a problem hiding this comment.
| client with the OpenID Connect Provider. Note that when registering the | |
| a client with the OpenID Connect Provider. Note that when registering the |
There was a problem hiding this comment.
it is actually one client
There was a problem hiding this comment.
OK! I've updated my suggestion
| "delegating" the authentication to the OpenID Connect Provider ). The OpenID Connect | ||
| APIs require authentication and the necessary authorization level for the authenticated | ||
| user. For this reason, a Service Account user needs to be created and assigned a role | ||
| that gives them the `manage_oidc` cluster privilege. The use of the `manage_token` |
There was a problem hiding this comment.
Does this cluster privilege need to be added to https://www.elastic.co/guide/en/elastic-stack-overview/master/security-privileges.html ?
There was a problem hiding this comment.
Thanks, I created elastic/stack-docs#334
Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
|
@tvernum do you want to take another look at this? I've tried to handle your original feedback, let me know what you think |
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> Backport of #41423 and #42555
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> Backport of elastic#41423 and elastic#42555
This commit adds a configuration guide for the newly introduced OpenID Connect realm. The guide is similar to the style of the SAML Guide and shares certain parts where applicable (role mapping) It also contains a short section on how the realm can be used for authenticating users without Kibana. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> Backport of #41423 and #42555
This commit adds a configuration guide for the newly introduced
OpenID Connect realm. The guide is similar to the style of the
SAML Guide and shares certain parts where applicable (role mapping)
It also contains a short section on how the realm can be used for
authenticating users without Kibana.