[Backport 7.x] OpenID Connect realm guide (#42836)

This commit adds a configuration guide for the newly introduced
OpenID Connect realm. The guide is similar to the style of the
SAML Guide and shares certain parts where applicable (role mapping)
It also contains a short section on how the realm can be used for
authenticating users without Kibana.

Co-Authored-By: Lisa Cawley <[email protected]>

Backport of #41423 and #42555

Author: jkakavas

x-pack/docs/build.gradle

@@ -31,13 +31,26 @@ project.copyRestSpec.from(xpackResources) {
 }
 
 testClusters.integTest {
+    extraConfigFile 'op-jwks.json', xpackProject('test:idp-fixture').file("oidc/op-jwks.json")
     setting 'xpack.security.enabled', 'true'
     setting 'xpack.security.authc.api_key.enabled', 'true'
     setting 'xpack.security.authc.token.enabled', 'true'
     // Disable monitoring exporters for the docs tests
     setting 'xpack.monitoring.exporters._local.type', 'local'
     setting 'xpack.monitoring.exporters._local.enabled', 'false'
     setting 'xpack.license.self_generated.type', 'trial'
+    setting 'xpack.security.authc.realms.file.file.order', '0'
+    setting 'xpack.security.authc.realms.native.native.order', '1'
+    setting 'xpack.security.authc.realms.oidc.oidc1.order', '2'
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.issuer', 'http://127.0.0.1:8080'
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint', "http://127.0.0.1:8080/c2id-login"
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.token_endpoint', "http://127.0.0.1:8080/c2id/token"
+    setting 'xpack.security.authc.realms.oidc.oidc1.op.jwkset_path', 'op-jwks.json'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri', 'https://my.fantastic.rp/cb'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'elasticsearch-rp'
+    keystore 'xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'b07efb7a1cf6ec9462afe7b6d3ab55c6c7880262aa61ac28dded292aca47c9a2'
+    setting 'xpack.security.authc.realms.oidc.oidc1.rp.response_type', 'id_token'
+    setting 'xpack.security.authc.realms.oidc.oidc1.claims.principal', 'sub'
     user username: 'test_admin'
 }
 

x-pack/docs/en/rest-api/security.asciidoc

@@ -76,6 +76,8 @@ native realm:
 * <<security-api-enable-user,Enable users>>
 * <<security-api-get-user,Get users>>
 
+[float]
+[[security-openid-apis]]
 === OpenID Connect
 
 You can use the following APIs to authenticate users against an OpenID Connect
@@ -110,7 +112,7 @@ include::security/get-users.asciidoc[]
 include::security/has-privileges.asciidoc[]
 include::security/invalidate-api-keys.asciidoc[]
 include::security/invalidate-tokens.asciidoc[]
-include::security/ssl.asciidoc[]
 include::security/oidc-prepare-authentication-api.asciidoc[]
 include::security/oidc-authenticate-api.asciidoc[]
 include::security/oidc-logout-api.asciidoc[]
+include::security/ssl.asciidoc[]

x-pack/docs/en/rest-api/security/authenticate.asciidoc

@@ -46,11 +46,11 @@ The following example output provides information about the "rdeniro" user:
   "metadata": { },
   "enabled": true,
   "authentication_realm": {
-    "name" : "default_file",
+    "name" : "file",
     "type" : "file"
   },
   "lookup_realm": {
-    "name" : "default_file",
+    "name" : "file",
     "type" : "file"
   }
 }

x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc

@@ -51,7 +51,7 @@ POST /_security/oidc/authenticate
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
+// TEST[catch:unauthorized]
 
 The following example output contains the access token that was generated in response, the amount of time (in
 seconds) that the token expires in, the type, and the refresh token:

x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc

@@ -39,7 +39,7 @@ POST /_security/oidc/logout
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
+// TEST[catch:unauthorized]
 
 The following example output of the response contains the URI pointing to the End Session Endpoint of the
 OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters

x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc

@@ -57,20 +57,19 @@ POST /_security/oidc/prepare
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
-
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=0o43gasov3TxMWJOt839",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
 
 The following example generates an authentication request for the OpenID Connect Realm `oidc1`, where the
 values for the state and the nonce have been generated by the client
@@ -85,20 +84,19 @@ POST /_security/oidc/prepare
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
 
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
   "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
   "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE
 
 The following example generates an authentication request for a 3rd party initiated single sign on, specifying the
 issuer that should be used for matching the appropriate OpenID Connect Authentication realm
@@ -107,22 +105,22 @@ issuer that should be used for matching the appropriate OpenID Connect Authentic
 --------------------------------------------------
 POST /_security/oidc/prepare
 {
-  "issuer" : "https://op-issuer.org:8800",
+  "iss" : "http://127.0.0.1:8080",
   "login_hint": "this_is_an_opaque_string"
 }
 --------------------------------------------------
 // CONSOLE
-// TEST[skip:These are properly tested in the OpenIDConnectIT suite]
 
 The following example output of the response contains the URI pointing to the Authorization Endpoint of the
 OpenID Connect Provider with all the parameters of the Authentication Request, as HTTP GET parameters
 
 [source,js]
 --------------------------------------------------
 {
-  "redirect" : "https://op-provider.org/login?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%3A5603%2Fkmi%2Fapi%2Fsecurity%2Fv1%2Foidc&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=0o43gasov3TxMWJOt839&login_hint=this_is_an_opaque_string",
+  "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
 }
 --------------------------------------------------
-// NOTCONSOLE
+// TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
+// TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]