
[OIDC] only perform Token Endpoint Requests for the appropriate realm #45331

Closed
jkakavas opened this issue Aug 8, 2019 · 2 comments
Assignees
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@jkakavas
Member

jkakavas commented Aug 8, 2019

If many OpenID Connect realms are configured for a given Elasticsearch node, upon receiving a request to the _security/oidc/authenticate endpoint with an OIDC authentication response from the OP, we will proceed to attempt to validate that authentication response in all the realms that are configured, in the order defined. In the case that

  1. Many oidc realms are configured
  2. the oidc realm that the user aims to use is not the one with the lowest order value
  3. the authorization code grant flow is used

Elasticsearch will send out requests to the Token Endpoints of all the OPs that are configured in the realms with lower order. This has the following disadvantages:

  • An extra network round-trip for each defined oidc realm with lower order.
  • Authorization Code leakage as all other OPs get to see an authorization code that is meant for the OP the user wanted to use in this case. There are other mitigating factors in this case:
    • Authorization codes are supposed to be short lived and one use only.
    • OPs should require client authentication for access to the TokenEndpoint.
    • OPs should validate that the code submitted in the Token Request was issued to the client that is currently authenticated.

We could accept an optional parameter in the _security/oidc/authenticate API to indicate the realm name that should be used to validate this request.

@jkakavas jkakavas added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Aug 8, 2019
@jkakavas jkakavas self-assigned this Aug 8, 2019
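The realm-dispatch behaviour described in the issue, as an added simulation that is not Elasticsearch code. Three configured OIDC realms with orders 1, 2 and 3 are modelled against three toy OPs; the authentication response carries a code issued by the third OP. Without a realm hint every lower-order realm exchanges the code at its own OP's token endpoint first (an extra round-trip each, and the code is exposed to OPs it was not meant for, even though a well-behaved OP rejects it). With the proposed optional parameter only the named realm is consulted. The realm names, endpoints, the request-body field name `realm`, and the toy OP behaviour are assumptions for this example.

```python
"""Simulation of OIDC realm dispatch for _security/oidc/authenticate.
Added example, not Elasticsearch code. Realm names, endpoints, the `realm`
field name and the toy OPs below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class OidcRealm:
    name: str
    order: int              # lower value is tried first
    token_endpoint: str
    client_id: str


@dataclass
class FakeOp:
    """Toy OpenID Provider. It only honours codes it issued itself (once),
    but it still *sees* every code sent to its token endpoint."""
    token_endpoint: str
    issued_codes: Dict[str, str]                   # code -> subject
    seen_codes: List[str] = field(default_factory=list)

    def exchange(self, code: str, client_id: str) -> Optional[dict]:
        self.seen_codes.append(code)               # the leak happens here
        sub = self.issued_codes.pop(code, None)    # one-time use
        if sub is None:
            return None                            # invalid_grant
        return {"id_token": f"idtoken-for-{sub}", "aud": client_id}


def parse_authentication_response(redirect_uri: str) -> dict:
    """Pull code and state out of the redirect URI the user agent landed on."""
    qs = parse_qs(urlparse(redirect_uri).query, strict_parsing=True)
    return {"code": qs["code"][0], "state": qs["state"][0]}


def authenticate(realms: List[OidcRealm], ops: Dict[str, FakeOp],
                 redirect_uri: str, realm: Optional[str] = None
                 ) -> Tuple[Optional[str], List[str]]:
    """Return (realm that authenticated the user or None, realms contacted).

    realm=None reproduces the behaviour the issue describes: all realms are
    tried in ascending order, so each lower-order OP receives a token request
    carrying a code meant for a different OP. realm="<name>" is the proposed
    optional parameter: only that realm's token endpoint is contacted."""
    resp = parse_authentication_response(redirect_uri)
    if realm is None:
        candidates = sorted(realms, key=lambda r: r.order)
    else:
        candidates = [r for r in realms if r.name == realm]
        if not candidates:
            raise ValueError(f"unknown oidc realm {realm!r}")
    contacted: List[str] = []
    for r in candidates:
        contacted.append(r.name)
        if ops[r.token_endpoint].exchange(resp["code"], r.client_id) is not None:
            return r.name, contacted
    return None, contacted


def authenticate_request_body(redirect_uri: str, state: str, nonce: str,
                              realm: Optional[str] = None) -> dict:
    """Body for POST /_security/oidc/authenticate; `realm` is optional.
    Field names are assumptions for this example."""
    body = {"redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    if realm is not None:
        body["realm"] = realm
    return body


def build_demo() -> Tuple[List[OidcRealm], Dict[str, FakeOp]]:
    """Constructed fixtures: three realms, only OP C issued the code."""
    eps = ["https://op-a.example/token", "https://op-b.example/token",
           "https://op-c.example/token"]
    realms = [OidcRealm("oidc_a", 1, eps[0], "es-a"),
              OidcRealm("oidc_b", 2, eps[1], "es-b"),
              OidcRealm("oidc_c", 3, eps[2], "es-c")]
    ops = {eps[0]: FakeOp(eps[0], {}), eps[1]: FakeOp(eps[1], {}),
           eps[2]: FakeOp(eps[2], {"code-xyz": "alice"})}
    return realms, ops


# Constructed authentication response: code issued by OP C.
REDIRECT = "https://kibana.example/api/security/oidc/callback?code=code-xyz&state=st123"

if __name__ == "__main__":
    realms, ops = build_demo()
    print("no hint  :", authenticate(realms, ops, REDIRECT))
    realms, ops = build_demo()
    print("realm hint:", authenticate(realms, ops, REDIRECT, realm="oidc_c"))
```

Running it shows the first call contacting oidc_a, oidc_b and oidc_c (and OP A and OP B each recording the leaked code) before oidc_c succeeds, while the hinted call contacts only oidc_c.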
@elasticmachine
Collaborator

Pinging @elastic/es-security

@jkakavas
Member Author

Resolved by #45767
