OpenID Connect realm guide #41423

Merged (20 commits), May 20, 2019
14 changes: 14 additions & 0 deletions x-pack/docs/build.gradle
Expand Up @@ -73,6 +73,7 @@ File xpackResources = new File(xpackProject('plugin').projectDir, 'src/test/reso
project.copyRestSpec.from(xpackResources) {
include 'rest-api-spec/api/**'
}
File jwks = new File(xpackProject('test:idp-fixture').projectDir, 'oidc/op-jwks.json')
integTestCluster {
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.api_key.enabled', 'true'
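Review bot: `jwks` on line 44 is resolved from `xpackProject('test:idp-fixture').projectDir` at configuration time, so the docs build now depends on the idp-fixture project's directory layout without that coupling being stated anywhere. A one-line comment saying that `oidc/op-jwks.json` is the test OP's public signing key set shared with the fixture would make the dependency visible, and it is worth confirming that only the checked-in file is read, so the fixture does not have to be built before the docs tests run.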
Expand All @@ -81,9 +82,22 @@ integTestCluster {
setting 'xpack.monitoring.exporters._local.type', 'local'
setting 'xpack.monitoring.exporters._local.enabled', 'false'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.authc.realms.file.file.order', '0'
setting 'xpack.security.authc.realms.native.native.order', '1'
setting 'xpack.security.authc.realms.oidc.oidc1.order', '2'
setting 'xpack.security.authc.realms.oidc.oidc1.op.issuer', 'http://127.0.0.1:8080'
setting 'xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint', "http://127.0.0.1:8080/c2id-login"
setting 'xpack.security.authc.realms.oidc.oidc1.op.token_endpoint', "http://127.0.0.1:8080/c2id/token"
setting 'xpack.security.authc.realms.oidc.oidc1.op.jwkset_path', 'op-jwks.json'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri', 'https://my.fantastic.rp/cb'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'elasticsearch-rp'
keystoreSetting 'xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'b07efb7a1cf6ec9462afe7b6d3ab55c6c7880262aa61ac28dded292aca47c9a2'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.response_type', 'id_token'
setting 'xpack.security.authc.realms.oidc.oidc1.claims.principal', 'sub'
setupCommand 'setupTestAdmin',
'bin/elasticsearch-users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
waitCondition = waitWithAuth
extraConfigFile 'op-jwks.json', jwks
}


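Review bot: the `rp.client_secret` value on the `keystoreSetting` line is a static secret committed to the repository; acceptable for a docs test cluster, but it should carry a comment stating it is test-only and must match the client registered in the idp-fixture, so it is not copied into a real configuration. Two smaller points: `op.authorization_endpoint` and `op.token_endpoint` use double quotes while every neighbouring setting uses single quotes, and `op.issuer` is plain `http://127.0.0.1:8080` with `rp.redirect_uri` set to `https://my.fantastic.rp/cb`, which only makes sense because the OP is a local fixture. A short comment that these values exist for the docs integration test and are not a model for production settings would help, since `rp.response_type` `id_token` also selects the implicit flow here.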
4 changes: 3 additions & 1 deletion x-pack/docs/en/rest-api/security.asciidoc
Expand Up @@ -76,6 +76,8 @@ native realm:
* <<security-api-enable-user,Enable users>>
* <<security-api-get-user,Get users>>

[float]
[[security-openid-apis]]
=== OpenID Connect

You can use the following APIs to authenticate users against an OpenID Connect
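Review bot: the new anchor `[[security-openid-apis]]` does not follow the `security-api-*` naming used by the sibling cross references on lines 75-76 (`security-api-enable-user`, `security-api-get-user`); consider `[[security-api-openid]]` or similar so link ids stay predictable. The intro sentence also mentions only authenticating users, while the includes added further down in this file cover `oidc-logout-api.asciidoc` as well, so the wording should cover logout too.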
Expand Down Expand Up @@ -110,7 +112,7 @@ include::security/get-users.asciidoc[]
include::security/has-privileges.asciidoc[]
include::security/invalidate-api-keys.asciidoc[]
include::security/invalidate-tokens.asciidoc[]
include::security/ssl.asciidoc[]
include::security/oidc-prepare-authentication-api.asciidoc[]
include::security/oidc-authenticate-api.asciidoc[]
include::security/oidc-logout-api.asciidoc[]
include::security/ssl.asciidoc[]
4 changes: 2 additions & 2 deletions x-pack/docs/en/rest-api/security/authenticate.asciidoc
Expand Up @@ -46,11 +46,11 @@ The following example output provides information about the "rdeniro" user:
"metadata": { },
"enabled": true,
"authentication_realm": {
"name" : "default_file",
"name" : "file",
"type" : "file"
},
"lookup_realm": {
"name" : "default_file",
"name" : "file",
"type" : "file"
}
}
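Review bot: the realm name in the example output changes from `default_file` to `file` because the docs test cluster now configures its realms explicitly (`xpack.security.authc.realms.file.file.order` in build.gradle); a reader running a cluster with no explicit realm settings will still see `default_file`. Add a sentence near the example stating that `authentication_realm.name` and `lookup_realm.name` are the configured realm names, so the change is not read as a renamed built-in.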
Expand Up @@ -51,7 +51,7 @@ POST /_security/oidc/authenticate
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
// TEST[catch:unauthorized]

The following example output contains the access token that was generated in response, the amount of time (in
seconds) that the token expires in, the type, and the refresh token:
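Review bot: replacing `TEST[skip:...]` with `TEST[catch:unauthorized]` means the example request is now executed against the docs cluster and expected to be rejected with 401, so it verifies only that `/_security/oidc/authenticate` is routed and that the realm rejects an unverifiable response; the successful response described on lines 117-118 is still not exercised. A one-line comment explaining why the sample request is expected to be unauthorized would stop a future reader from treating the 401 as a broken example.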
2 changes: 1 addition & 1 deletion x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc
Expand Up @@ -39,7 +39,7 @@ POST /_security/oidc/logout
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
// TEST[catch:unauthorized]

The following example output of the response contains the URI pointing to the End Session Endpoint of the
OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters
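Review bot: same pattern as the authenticate example: `TEST[catch:unauthorized]` executes the logout request and expects 401 because the sample request cannot be authorized against the docs cluster, so the End Session Endpoint response described on lines 129-130 is never checked by a TESTRESPONSE. Worth a comment line stating that the 401 is the expected outcome for the sample values, and that the documented response is covered by the OpenIDConnectIT suite the removed skip message referred to.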
Expand Up @@ -57,20 +57,19 @@ POST /_security/oidc/prepare
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=0o43gasov3TxMWJOt839",
"redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
"state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
"nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]

The following example generates an authentication request for the OpenID Connect Realm `oidc1`, where the
values for the state and the nonce have been generated by the client
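Review bot: the two `TESTRESPONSE[s/.../\$\{body.state\}/]` and `[s/.../\$\{body.nonce\}/]` substitutions are needed because the server generates state and nonce, and they work only because they are applied to the whole response body, which is what makes the `redirect` value on line 146 match as well; a comment saying so would keep the two lines from being collapsed into one later. Separately, the example URL now shows `response_type=id_token` where the old one showed `response_type=code`; the prose above should say that the flow shown is dictated by the `rp.response_type` of the `oidc1` realm in the docs cluster, otherwise readers may take `id_token` as the default.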
Expand All @@ -85,20 +84,19 @@ POST /_security/oidc/prepare
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839",
"redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
"state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
"nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE

The following example generates an authentication request for a 3rd party initiated single sign on, specifying the
issuer that should be used for matching the appropriate OpenID Connect Authentication realm
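Review bot: with client-supplied state and nonce, the plain `// TESTRESPONSE` on line 178 is an exact-match check, which is correct, but it also pins `client_id=elasticsearch-rp` and `redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb` in the documented response to the docs cluster configuration; the prose on lines 157-158 should say these come from the realm configuration. Since this example documents client-generated values, it is also the right place to state that the client must use unguessable random values for state and nonce and verify both on the callback, because the server cannot validate values it did not generate.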
Expand All @@ -107,22 +105,22 @@ issuer that should be used for matching the appropriate OpenID Connect Authentic
--------------------------------------------------
POST /_security/oidc/prepare
{
"issuer" : "https://op-issuer.org:8800",
"iss" : "http://127.0.0.1:8080",
"login_hint": "this_is_an_opaque_string"
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839&login_hint=this_is_an_opaque_string",
"redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
"state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
"nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
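Review bot: the request parameter is renamed from `issuer` to `iss` on line 187; if the parameter description for this API (outside this hunk) still documents `issuer`, it needs the same change, and the rename is worth calling out since `iss` and `login_hint` now mirror the parameter names of third-party initiated login. The response on line 201 also places `login_hint` before `scope`, unlike the previous ordering where it was last; harmless, but since the TESTRESPONSE substitutions only normalise state and nonce, the documented parameter order must match what the server emits exactly.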