Use external script for the OIDC Implicit flow handler page. #44866
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security |
azasypkin
commented
Sep 5, 2019
| @@ -31,22 +33,30 @@ export default function({ getService }: FtrProviderContext) { | |||
| it('should return an HTML page that will parse URL fragment', async () => { | |||
| const response = await supertest.get('/api/security/v1/oidc/implicit').expect(200); | |||
| const dom = new JSDOM(response.text, { | |||
| url: formatURL({ ...config.get('servers.kibana'), auth: false }), | |||
There was a problem hiding this comment.
note: we need a bit more magic for external script 🙈 But I still like it more than functional tests (even though they would have caught issues with changed CSP I guess, assuming we could reproduce full OIDC flow in the functional test).
azasypkin
commented
Sep 5, 2019
| serverArgs.push( | ||
| 'xpack.security.authc.realms.oidc.oidc1.rp.response_type=id_token token' | ||
| ); | ||
| } else if (!arg.startsWith('xpack.security.authc.realms.oidc.oidc1.op.token_endpoint')) { |
There was a problem hiding this comment.
note: since elastic/elasticsearch#45038 (comment) is merged we can better model OIDC implicit flow config now.
💚 Build Succeeded |
kobelb
approved these changes
Sep 5, 2019
This was referenced Sep 5, 2019
azasypkin
added a commit
to azasypkin/kibana
that referenced
this pull request
Sep 5, 2019
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Sep 6, 2019
…ete-for-distance_feature * 'master' of github.com:elastic/kibana: (89 commits) Replace TSVB timeseries charts with elastic-charts (elastic#33558) [TSVB][Top N aggregation] Unable to deal with negative values (elastic#43581) [alerting] Adds Action Type configuration support and whitelisting (elastic#44483) FTR: fix WebDriver Actions calls (elastic#44605) [Code] add NodeRepositoriesService to watch new repositories on local node (elastic#44677) [skip-ci][Maps] Improve Maps intro page (elastic#44721) [Maps] Update titles and descriptions for data sources (elastic#44833) Types + Extract Integration Util (elastic#44433) Downgrade log level from info to debug for cases when we cannot handle authentication attempt. (elastic#44933) [Reporting] Remove Chome stdout/stderr observables, Add Browser Logger observable (elastic#44359) Update Jest script to output coverage (elastic#44447) [ftr] support --kibana-install-dir flag (elastic#44552) [WATCHER] Allow user to set a threshold value of 0 (elastic#44810) Remove injectI18n in dashboard plugin. (elastic#44580) [Graph] Save modal (elastic#44261) Use external script for the OIDC Implicit flow handler page. (elastic#44866) disable router prefixing with pluginId (elastic#44855) [SIEM] Fix bug on url + inspect functionality on hosts/hostDetails page (elastic#44671) [ML] File data viz limiting uploaded doc chunk size (elastic#44768) [code] Append go env variable 'GOCACHE' to go lsp spawn command. (elastic#44864) ...
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Sep 6, 2019
…plate * 'master' of github.com:elastic/kibana: (91 commits) [APM] Make number of x ticks responsive to the plot width (elastic#44870) [ML] Single metric viewer: Fix top nav refresh behaviour. (elastic#44860) Replace TSVB timeseries charts with elastic-charts (elastic#33558) [TSVB][Top N aggregation] Unable to deal with negative values (elastic#43581) [alerting] Adds Action Type configuration support and whitelisting (elastic#44483) FTR: fix WebDriver Actions calls (elastic#44605) [Code] add NodeRepositoriesService to watch new repositories on local node (elastic#44677) [skip-ci][Maps] Improve Maps intro page (elastic#44721) [Maps] Update titles and descriptions for data sources (elastic#44833) Types + Extract Integration Util (elastic#44433) Downgrade log level from info to debug for cases when we cannot handle authentication attempt. (elastic#44933) [Reporting] Remove Chome stdout/stderr observables, Add Browser Logger observable (elastic#44359) Update Jest script to output coverage (elastic#44447) [ftr] support --kibana-install-dir flag (elastic#44552) [WATCHER] Allow user to set a threshold value of 0 (elastic#44810) Remove injectI18n in dashboard plugin. (elastic#44580) [Graph] Save modal (elastic#44261) Use external script for the OIDC Implicit flow handler page. (elastic#44866) disable router prefixing with pluginId (elastic#44855) [SIEM] Fix bug on url + inspect functionality on hosts/hostDetails page (elastic#44671) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #43553 we changed our default CSP policy so that it doesn't allow any inline scripts anymore. In this PR we make OIDC Implicit flow handler page compatible with new CSP policy and switch from inline to external script instead.
Fixes: #44668
cc @joshdover