Skip to content

Commit

Permalink
OpenID Connect realm guide (elastic#41423)
Browse files Browse the repository at this point in the history
This commit adds a configuration guide for the newly introduced
OpenID Connect realm. The guide is similar to the style of the
SAML Guide and shares certain parts where applicable (role mapping)
It also contains a short section on how the realm can be used for
authenticating users without Kibana.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
  • Loading branch information
2 people authored and Gurkan Kaymak committed May 27, 2019
1 parent 0291d61 commit 10cd4cf
Show file tree
Hide file tree
Showing 7 changed files with 679 additions and 16 deletions.
14 changes: 14 additions & 0 deletions x-pack/docs/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ File xpackResources = new File(xpackProject('plugin').projectDir, 'src/test/reso
project.copyRestSpec.from(xpackResources) {
include 'rest-api-spec/api/**'
}
File jwks = new File(xpackProject('test:idp-fixture').projectDir, 'oidc/op-jwks.json')
integTestCluster {
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.api_key.enabled', 'true'
Expand All @@ -81,9 +82,22 @@ integTestCluster {
setting 'xpack.monitoring.exporters._local.type', 'local'
setting 'xpack.monitoring.exporters._local.enabled', 'false'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.authc.realms.file.file.order', '0'
setting 'xpack.security.authc.realms.native.native.order', '1'
setting 'xpack.security.authc.realms.oidc.oidc1.order', '2'
setting 'xpack.security.authc.realms.oidc.oidc1.op.issuer', 'http://127.0.0.1:8080'
setting 'xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint', "http://127.0.0.1:8080/c2id-login"
setting 'xpack.security.authc.realms.oidc.oidc1.op.token_endpoint', "http://127.0.0.1:8080/c2id/token"
setting 'xpack.security.authc.realms.oidc.oidc1.op.jwkset_path', 'op-jwks.json'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri', 'https://my.fantastic.rp/cb'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'elasticsearch-rp'
keystoreSetting 'xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'b07efb7a1cf6ec9462afe7b6d3ab55c6c7880262aa61ac28dded292aca47c9a2'
setting 'xpack.security.authc.realms.oidc.oidc1.rp.response_type', 'id_token'
setting 'xpack.security.authc.realms.oidc.oidc1.claims.principal', 'sub'
setupCommand 'setupTestAdmin',
'bin/elasticsearch-users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
waitCondition = waitWithAuth
extraConfigFile 'op-jwks.json', jwks
}


Expand Down
4 changes: 3 additions & 1 deletion x-pack/docs/en/rest-api/security.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,8 @@ native realm:
* <<security-api-enable-user,Enable users>>
* <<security-api-get-user,Get users>>

[float]
[[security-openid-apis]]
=== OpenID Connect

You can use the following APIs to authenticate users against an OpenID Connect
Expand Down Expand Up @@ -110,7 +112,7 @@ include::security/get-users.asciidoc[]
include::security/has-privileges.asciidoc[]
include::security/invalidate-api-keys.asciidoc[]
include::security/invalidate-tokens.asciidoc[]
include::security/ssl.asciidoc[]
include::security/oidc-prepare-authentication-api.asciidoc[]
include::security/oidc-authenticate-api.asciidoc[]
include::security/oidc-logout-api.asciidoc[]
include::security/ssl.asciidoc[]
4 changes: 2 additions & 2 deletions x-pack/docs/en/rest-api/security/authenticate.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -46,11 +46,11 @@ The following example output provides information about the "rdeniro" user:
"metadata": { },
"enabled": true,
"authentication_realm": {
"name" : "default_file",
"name" : "file",
"type" : "file"
},
"lookup_realm": {
"name" : "default_file",
"name" : "file",
"type" : "file"
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ POST /_security/oidc/authenticate
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
// TEST[catch:unauthorized]

The following example output contains the access token that was generated in response, the amount of time (in
seconds) that the token expires in, the type, and the refresh token:
Expand Down
2 changes: 1 addition & 1 deletion x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ POST /_security/oidc/logout
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
// TEST[catch:unauthorized]

The following example output of the response contains the URI pointing to the End Session Endpoint of the
OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -57,20 +57,19 @@ POST /_security/oidc/prepare
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=0o43gasov3TxMWJOt839",
"redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
"state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
"nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]

The following example generates an authentication request for the OpenID Connect Realm `oidc1`, where the
values for the state and the nonce have been generated by the client
Expand All @@ -85,20 +84,19 @@ POST /_security/oidc/prepare
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839",
"redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
"state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
"nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE

The following example generates an authentication request for a 3rd party initiated single sign on, specifying the
issuer that should be used for matching the appropriate OpenID Connect Authentication realm
Expand All @@ -107,22 +105,22 @@ issuer that should be used for matching the appropriate OpenID Connect Authentic
--------------------------------------------------
POST /_security/oidc/prepare
{
"issuer" : "https://op-issuer.org:8800",
"iss" : "http://127.0.0.1:8080",
"login_hint": "this_is_an_opaque_string"
}
--------------------------------------------------
// CONSOLE
// TEST[skip:These are properly tested in the OpenIDConnectIT suite]

The following example output of the response contains the URI pointing to the Authorization Endpoint of the
OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters

[source,js]
--------------------------------------------------
{
"redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839&login_hint=this_is_an_opaque_string",
"redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
"state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
"nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}
--------------------------------------------------
// NOTCONSOLE
// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
Loading

0 comments on commit 10cd4cf

Please sign in to comment.