Skip to content

Remove unnecessary details logged for OIDC #48746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Nov 13, 2019
Merged

Remove unnecessary details logged for OIDC #48746

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
756f028
Remove unnecessary details logged for OIDC
Oct 21, 2019
07c3302
address review comment
Oct 22, 2019
9b40046
Merge branch 'master' into do-not-log
Oct 23, 2019
e653f6f
Update x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/s…
bizybot Oct 24, 2019
20d04cd
address review comment
Oct 24, 2019
5d96c77
its okay to log Id token, address review comment
Oct 28, 2019
5184c6b
Merge branch 'master' into do-not-log
Oct 28, 2019
c8ded84
remove unused import
Oct 28, 2019
4e2a0d6
Parse the response as a token error response, only when the status is…
jkakavas Oct 31, 2019
c66ecab
Merge branch 'master' into truncate-access-token
elasticmachine Oct 31, 2019
c3893fe
Merge branch 'master' into truncate-access-token
elasticmachine Nov 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 27 additions & 17 deletions ...src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
Expand Down Expand Up @@ -514,29 +515,31 @@ private void handleTokenResponse(HttpResponse httpResponse, ActionListener<Tuple
return;
}
final Charset encoding = encodingHeader == null ? StandardCharsets.UTF_8 : Charsets.toCharset(encodingHeader.getValue());
final String json = EntityUtils.toString(entity, encoding);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Received Token Response from OP with status [{}] and content [{}] ",
httpResponse.getStatusLine().getStatusCode(), json);
}
final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(JSONObjectUtils.parse(json));
if (oidcTokenResponse.indicatesSuccess() == false) {
TokenErrorResponse errorResponse = oidcTokenResponse.toErrorResponse();
tokensListener.onFailure(
new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]",
errorResponse.getErrorObject().getCode(), errorResponse.getErrorObject().getDescription()));
final RestStatus responseStatus = RestStatus.fromCode(httpResponse.getStatusLine().getStatusCode());
if (RestStatus.OK != responseStatus) {
final String json = EntityUtils.toString(entity, encoding);
LOGGER.warn("Received Token Response from OP with status [{}] and content [{}]", responseStatus, json);
if (RestStatus.BAD_REQUEST == responseStatus) {
final TokenErrorResponse tokenErrorResponse = TokenErrorResponse.parse(JSONObjectUtils.parse(json));
tokensListener.onFailure(
new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]",
tokenErrorResponse.getErrorObject().getCode(), tokenErrorResponse.getErrorObject().getDescription()));
} else {
tokensListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token"));
}
} else {
OIDCTokenResponse successResponse = oidcTokenResponse.toSuccessResponse();
final OIDCTokens oidcTokens = successResponse.getOIDCTokens();
final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(
JSONObjectUtils.parse(EntityUtils.toString(entity, encoding)));
final OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens();
final AccessToken accessToken = oidcTokens.getAccessToken();
final JWT idToken = oidcTokens.getIDToken();
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Successfully exchanged code for ID Token: [{}] and Access Token [{}]",
idToken, accessToken);
LOGGER.trace("Successfully exchanged code for ID Token [{}] and Access Token [{}]", idToken,
truncateToken(accessToken.toString()));
}
if (idToken == null) {
tokensListener.onFailure(new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of" +
" the JWT failed."));
tokensListener.onFailure(
new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of the JWT failed."));
return;
}
tokensListener.onResponse(new Tuple<>(accessToken, idToken));
Expand All @@ -548,6 +551,13 @@ private void handleTokenResponse(HttpResponse httpResponse, ActionListener<Tuple
}
}

private static String truncateToken(String input) {
if (Strings.hasText(input) == false || input.length() <= 4) {
return input;
}
return input.substring(0, 2) + "***" + input.substring(input.length() - 2);
}

/**
* Creates a {@link CloseableHttpAsyncClient} that uses a {@link PoolingNHttpClientConnectionManager}
*/
Expand Down