This change adds realm name of the realm used to perform authenticati…

…on to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs Resolves elastic#53161
BigPandaToo · Nov 12, 2020 · e87b60e · e87b60e
1 parent 819d4f1
commit e87b60e
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 17 deletions.
diff --git a/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc
@@ -83,8 +83,7 @@ and the refresh token:
   "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
   "type" : "Bearer",
   "expires_in" : 1200,
-  "refresh_token": "vLBPvmAB6KvwvJZr27cS",
-  "realm_name": "oidc1"
+  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
 }
 --------------------------------------------------
 // NOTCONSOLE
diff --git a/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc b/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc
@@ -137,7 +137,7 @@ the Authentication Request, as HTTP GET parameters:
   "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
-  "realm_name" : "oidc1"
+  "realm" : "oidc1"
 }
 --------------------------------------------------
 // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]

diff --git a/.../org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java b/.../org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
@@ -19,16 +19,14 @@ public class OpenIdConnectAuthenticateResponse extends ActionResponse {
     private String accessTokenString;
     private String refreshTokenString;
     private TimeValue expiresIn;
-    private String realmName;
     private Authentication authentication;
 
     public OpenIdConnectAuthenticateResponse(Authentication authentication, String accessTokenString, String refreshTokenString,
-                                             TimeValue expiresIn, String realmName) {
+                                             TimeValue expiresIn) {
         this.principal = authentication.getUser().principal();;
         this.accessTokenString = accessTokenString;
         this.refreshTokenString = refreshTokenString;
         this.expiresIn = expiresIn;
-        this.realmName = realmName;
         this.authentication = authentication;
     }
 
@@ -39,7 +37,6 @@ public OpenIdConnectAuthenticateResponse(StreamInput in) throws IOException {
         refreshTokenString = in.readString();
         expiresIn = in.readTimeValue();
         if (in.getVersion().onOrAfter(Version.V_7_11_0)) {
-            realmName = in.readString();
             authentication = new Authentication(in);
         }
     }
@@ -60,8 +57,6 @@ public TimeValue getExpiresIn() {
         return expiresIn;
     }
 
-    public String getRealmName() { return realmName; }
-
     public Authentication getAuthentication() { return authentication; }
 
     @Override
@@ -71,7 +66,6 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeString(refreshTokenString);
         out.writeTimeValue(expiresIn);
         if (out.getVersion().onOrAfter(Version.V_7_11_0)) {
-            out.writeString(realmName);
             authentication.writeTo(out);
         }
     }

diff --git a/...ticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java b/...ticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationResponse.java
@@ -89,7 +89,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         builder.field("state", state);
         builder.field("nonce", nonce);
         if(realmName != null){
-            builder.field("realm_name", realmName);
+            builder.field("realm", realmName);
         }
         builder.endObject();
         return builder;

diff --git a/...rg/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java b/...rg/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java
@@ -75,7 +75,7 @@ protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request,
                         ActionListener.wrap(tokenResult -> {
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
                             listener.onResponse(new OpenIdConnectAuthenticateResponse(authentication, tokenResult.getAccessToken(),
-                                tokenResult.getRefreshToken(), expiresIn, authentication.getAuthenticatedBy().getName()));
+                                tokenResult.getRefreshToken(), expiresIn));
                         }, listener::onFailure));
                 }, e -> {
                     logger.debug(() -> new ParameterizedMessage("OpenIDConnectToken [{}] could not be authenticated", token), e);

diff --git a/...rg/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java b/...rg/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java
@@ -70,9 +70,6 @@ public RestResponse buildResponse(OpenIdConnectAuthenticateResponse response, XC
                         builder.field("access_token", response.getAccessTokenString());
                         builder.field("refresh_token", response.getRefreshTokenString());
                         builder.field("expires_in", response.getExpiresIn().seconds());
-                        if(response.getRealmName() != null){
-                            builder.field("realm_name", response.getRealmName());
-                        }
                         if(response.getAuthentication() != null) {
                             builder.field("authentication", response.getAuthentication());
                         }

diff --git a/...-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java b/...-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java
@@ -420,7 +420,7 @@ private Tuple<String, String> completeAuthentication(String redirectUri, String
             logger.info(" OpenIDConnect authentication response {}", responseBody);
             assertNotNull(responseBody.get("access_token"));
             assertNotNull(responseBody.get("refresh_token"));
-            assertNotNull(responseBody.get("realm_name"));
+            assertNotNull(responseBody.get("realm"));
             assertNotNull(responseBody.get("authentication"));
             assertEquals("alice", ((Map)responseBody.get("authentication")).get("username"));
             return Tuple.tuple(responseBody.get("access_token").toString(), responseBody.get("refresh_token").toString());
@@ -518,11 +518,13 @@ class PrepareAuthResponse {
         private URI authUri;
         private String state;
         private String nonce;
+        private String realm;
 
-        PrepareAuthResponse(URI authUri, String state, String nonce, @Nullable String realm) {
+        PrepareAuthResponse(URI authUri, String state, String nonce, String realm) {
             this.authUri = authUri;
             this.state = state;
             this.nonce = nonce;
+            this.realm = realm;
         }
 
         URI getAuthUri() {
@@ -537,5 +539,7 @@ String getNonce() {
             return nonce;
         }
 
+        String getRealm() { return realm; }
+
     }
 }