OIDC realm authentication flows

[jkakavas]

Adds implementation for authentication in the OIDC realm using the authorization code grant and the implicit flows as described in https://openid.net/specs/openid-connect-core-1_0.html

TODO: Tests Most unit tests are added here, IT will be on its own PR.

Documentation will be handled in a different PR.

Better late than never, the flow diagrams for the implicit flow in https://drive.google.com/open?id=1FF9LltN7qBUdGO98zLfCB8R55WQc1spL might help with the review

[elasticmachine]

Pinging @elastic/es-security

[albertzaharovits]

I believe this should be async.

[jaymode]

I think we'll need to put some more work in unfortunately to prevent blocking of network threads. Authentication will typically happen on a network thread and operations on a network thread should be non-blocking otherwise there is the potential to make a node unresponsive.

[jaymode]

as @albertzaharovits mentioned already, we need to make this asynchronous. We have a few options:

1. fork to the generic threadpool and execute this blocking call there
2. add HTTPRequest#send as a forbidden api, add http-asyncclient as a dependency and use it to execute asynchronously.

I'm in favor of option 2 even though it is more work. It feels more like the right thing to do.

[jkakavas]

I went with option 2. Do you think it's necessary to add the HTTPRequest#send as a forbidden API?

[jaymode]

Yeah I do think we should. The reason being that it might not be obvious to someone else that it should not be used

[jaymode]

If we want to use this, we need to fork to a different threadpool as they expect a synchronous resolution or go async to retrieve the content ourselves and then use JWKSet.parse on the returned body content

[albertzaharovits]

I think we would have to do some caching to not reach out for JWKSet for each new authn. For that matter I think it's better to let the IDTokenValidator handle its business on a separate thread and not build the IDTokenValidator everytime (make it an instance variable).

[jaymode]

Good point regarding making IDTokenValidator an instance variable. It is thread safe. I do wonder if we should have some sort of built in update mechanism for obtaining the jwkset rather than having the token validator reach out for every auth.

[jkakavas]

I moved IDTokenValidator an instance variable and since it's thread safe I think we'll be fine. WDYT ?
It won't reach out for the jwkset on each authn, as there is a simple built in caching mechanism. It will only reach out again, in case it receives a JWT that carries a kid in its Header that the IDTokenValidator has not seen before ( the use case is OP key rotation )

[jkakavas]

I also added a FileWatcher to make sure that we pick up changes to the JWKSet if it's provided in a local file

[jkakavas]

@elasticmachine test this please

[jkakavas]

@jaymode I'd appreciate a round of 👀

[jaymode]

LGTM. Lets see if @albertzaharovits can also take a final pass

[jaymode]

I think it is easier to read if we catch BadJOSEException separately:

try {
...
} catch (BadJOSEException e) {
    if (shouldRetry && ... ) {

    } else {
        claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
    }
} catch (com.nimbusds.oauth2.sdk.ParseException | JOSEException e) {
    claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
}

[jaymode]

can we use new JWKSet() instead of null? Otherwise there is a chance we get a NPE in the get method. If you prefer null, then the get method should be something like:

JWKSet local = this.jwkSet;
if (local != null) {
    return jwkSelector.select(local);
} else {
    return Collections.emptyList();
}

[jkakavas]

I will change it but I think null is fine too because JWKSelector#select explicitly handles it

	/**
	 * Selects the keys from the specified JWK set according to the
	 * matcher's criteria.
	 *
	 * @param jwkSet The JWK set. May be {@code null}.
	 *
	 * @return The selected keys, ordered by their position in the JWK set,
	 *         empty list if none were matched or the JWK is {@code null}.
	 */

[jkakavas]

@elasticmachine run elasticsearch-ci/1

[jkakavas]

@elasticmachine run elasticsearch-ci/2

[jkakavas]

@albertzaharovits I'd appreciate a final round as I have a couple of small PRs I want to open that depend on this one 🙏

[albertzaharovits]

LGTM, This is solid work Ioannis!
I have left a few suggestions, but I don't think another review round is necessary.

[albertzaharovits]

nit:

} else if (claimValueObject instanceof List) {
    values = (List<String>) claimValueObject;
} else {
    throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, setting.getClaim())
         + " expects a claim with String or a String Array value but found a "
         + claimValueObject.getClass().getName());
}

[albertzaharovits]

nit:
As a best practice, I try to put everything that throws in a constructor, first, and any Closeable last (OpenIdConnectAuthenticator).

[albertzaharovits]

nit:
We prefer these static.

[albertzaharovits]

Can you please double check that hostnameVerifier works together with connectionManger. I see they overlap a little.

[jkakavas]

Good catch !!! Setting the connection manager explicitly overrides the SslContext :/

[albertzaharovits]

idTokenValidator should be AtomicReference .

[albertzaharovits]

Can we please, please move this "should retry" check inside a method in idTokenValidator.

And I would leave the messageSigned JWT rejected: Another algorithm expected, or no matching key(s) found out, because I think in the case of the HTTP JWTKeySets the Exception type is enough of a check. If they change the message when we update the library we would blindly loose the ability to rotate keys on OP side.

[jkakavas]

And I would leave the messageSigned JWT rejected: Another algorithm expected, or no matching key(s) found out, because I think in the case of the HTTP JWTKeySets the Exception type is enough of a check. If they change the message when we update the library we would blindly loose the ability to rotate keys on OP side.

Yeap, makes sense.

Can we please, please move this "should retry" check inside a method in idTokenValidator.

You mean extend IDTokenValidator and add the method there or inside a method in idTokenValidator. == inside a method in OpenIdConnectAuthenticator ?.

[albertzaharovits]

if accessToken != null && opConfig.getUserinfoEndpoint() == null we do nothing. I think at least logging should be done. For example if the URL is wrong, getAndCombineUserInfoClaims would throw ElasticsearchSecurityException .

[jkakavas]

accessToken != null && opConfig.getUserinfoEndpoint() == null is a valid case where the OP returned an access token but we haven't configured a userInfoEndpoint in our settings because we are not interested in hitting it ( all necessary claims are in the ID token ). The same goes for accessToken == null && opConfig.getUserinfoEndpoint() != null: We have configured an userinfo endpoint but the OP didn't return an access token (maybe we misconfigured our response type to id_token instead of token id_token, so we can't make a request to the user info endpoint. Logging the latter wouldn't hurt, you're right :)

For example if the URL is wrong, getAndCombineUserInfoClaims would throw ElasticsearchSecurityException .

If the URL is invalid, we would throw on building the realm config. If it is valid but wrong, we would catch that in getAndCombineUserInfoClaims and call onFailure(new ElasticsearchSecurityException("Failed to get claims from the Userinfo Endpoint.",

[jkakavas]

Thanks for the feedback Albert, that was really valuable. I 'll merge this to the feature branch on green CI and we can re-iterate any of the points in the merge of the feature branch to master

[jkakavas]

I keep hitting #36816, I'll try and get this muted before re-invoking the CI

[jkakavas]

@elasticmachine please run elasticsearch-ci/packaging-sample

[jkakavas]

16:07:29 Tests with failures:
16:07:29 
16:07:29   - org.elasticsearch.xpack.monitoring.collector.indices.IndexRecoveryMonitoringDocTests.testToUTC

REPRODUCE WITH: ./gradlew :x-pack:plugin:monitoring:unitTest -Dtests.seed=B110FE213E2190D6 -Dtests.class=org.elasticsearch.xpack.monitoring.collector.indices.IndexRecoveryMonitoringDocTests -Dtests.method="testToUTC" -Dtests.security.manager=true -Dtests.locale=sr-CS -Dtests.timezone=Africa/Lubumbashi -Dcompiler.java=11 -Druntime.java=8

which doesn't reproduce locally, so I'll roll the dice and ask @elasticmachine to run elasticsearch-ci/2 once more

[jkakavas]

@elasticmachine run elasticsearch-ci/2 ?