Allow Transport Actions to indicate authN realm (elastic#45767)

This commit allows the Transport Actions for the SSO realms to
indicate the realm that should be used to authenticate the
constructed AuthenticationToken. This is useful in the case that
many authentication realms of the same type have been configured
and where the caller of the API(Kibana or a custom web app) already
know which realm should be used so there is no need to iterate all
the realms of the same type.
The realm parameter is added in the relevant REST APIs as optional
so as not to introduce any breaking change.

Author: jkakavas

build.gradle

@@ -179,8 +179,8 @@ task verifyVersions {
  * after the backport of the backcompat code is complete.
  */
 
-boolean bwc_tests_enabled = true
-final String bwc_tests_disabled_issue = "" /* place a PR link here when committing bwc changes */
+boolean bwc_tests_enabled = false
+final String bwc_tests_disabled_issue = "https://github.com/elastic/elasticsearch/pull/45767"
 if (bwc_tests_enabled == false) {
   if (bwc_tests_disabled_issue.isEmpty()) {
     throw new GradleException("bwc_tests_disabled_issue must be set when bwc_tests_enabled == false")

x-pack/docs/en/rest-api/security/oidc-authenticate-api.asciidoc

@@ -31,24 +31,28 @@ and <<security-api-oidc-logout,OpenID Connect logout API>>
 ==== {api-request-body-title}
 
 `redirect_uri`::
-The URL to which the OpenID Connect Provider redirected the User Agent in
+  (Required, string) The URL to which the OpenID Connect Provider redirected the User Agent in
 response to an authentication request, after a successful authentication. This
 URL is expected to be provided as-is (URL encoded), taken from the body of the
 response or as the value of a `Location` header in the response from the OpenID
 Connect Provider.
 
 `state`::
-String value used to maintain state between the authentication request and the
+  (Required, string) Used to maintain state between the authentication request and the
 response. This value needs to be the same as the one that was provided to the
 call to `/_security/oidc/prepare` earlier, or the one that was generated by {es}
 and included in the response to that call.
 
 `nonce`::
-String value used to associate a Client session with an ID Token and to mitigate
+  (Required, string) Used to associate a Client session with an ID Token and to mitigate
 replay attacks. This value needs to be the same as the one that was provided to
 the call to `/_security/oidc/prepare` earlier, or the one that was generated by
 {es} and included in the response to that call.
 
+`realm`::
+  (Optional, string) Used to identify the name of the OpenID Connect realm that should
+be used to authenticate this. Useful when multiple realms have been defined.
+
 [[security-api-oidc-authenticate-example]]
 ==== {api-examples-title}
 
@@ -63,7 +67,8 @@ POST /_security/oidc/authenticate
 {
   "redirect_uri" : "https://oidc-kibana.elastic.co:5603/api/security/v1/oidc?code=jtI3Ntt8v3_XvcLzCFGq&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
-  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+  "realm" : "oidc1"
 }
 --------------------------------------------------
 // CONSOLE

x-pack/docs/en/rest-api/security/oidc-logout-api.asciidoc

@@ -29,10 +29,10 @@ and
 ==== {api-request-body-title}
 
 `access_token`::
-The value of the access token to be invalidated as part of the logout.
+  (Required, string) The value of the access token to be invalidated as part of the logout.
 
 `refresh_token`::
-(Optional) The value of the refresh token to be invalidated as part of the logout.
+  (Optional, string) The value of the refresh token to be invalidated as part of the logout.
 
 
 [[security-api-oidc-logout-example]]

x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc

@@ -33,28 +33,28 @@ and <<security-api-oidc-logout,OpenID Connect logout API>>.
 The following parameters can be specified in the body of the request:
 
 `realm`::
-The name of the OpenID Connect realm in {es} the configuration of which should 
+  (Optional, string) The name of the OpenID Connect realm in {es} the configuration of which should
 be used in order to generate the authentication request. Cannot be specified
-when `iss` is specified.
+when `iss` is specified. One of `realm`, `iss` is required.
 
 `state`::
-String value used to maintain state between the authentication request and the
+  (Optional, string) Value used to maintain state between the authentication request and the
 response, typically used as a Cross-Site Request Forgery mitigation. If the
 caller of the API doesn't provide a value, {es} will generate one with
 sufficient entropy itself and return it in the response.
 
 `nonce`::
-String value used to associate a Client session with an ID Token and to mitigate
+  (Optional, string) Value used to associate a Client session with an ID Token and to mitigate
 replay attacks. If the caller of the API doesn't provide a value, {es} will
 generate one with sufficient entropy itself and return it in the response.
 
-`issuer`::
-In the case of a 3rd Party initiated Single Sign On, this is the Issuer
+`iss`::
+  (Optional, string) In the case of a 3rd Party initiated Single Sign On, this is the Issuer
 Identifier for the OP that the RP is to send the Authentication Request to.
-Cannot be specified when `realm` is specified.
+Cannot be specified when `realm` is specified. One of `realm`, `iss` is required.
 
 `login_hint`::
-In the case of a 3rd Party initiated Single Sign On, a string value to be
+  (Optional, string) In the case of a 3rd Party initiated Single Sign On, a string value to be
 included in the authentication request, as the `login_hint` parameter. This
 parameter is not valid when `realm` is specified
 

x-pack/docs/en/security/authentication/oidc-guide.asciidoc

@@ -649,7 +649,9 @@ POST /_security/oidc/prepare
   this HTTP GET request, the custom web app will need to make an HTTP POST request to
   `_security/oidc/authenticate`, again - authenticating as the `facilitator` user - passing the URL
   where the user's browser was redirected to, as a parameter, along with the
-  values for `nonce` and `state` it had saved in the user's session previously.
+  values for `nonce` and `state` it had saved in the user's session previously. If more than one
+  OpenID Connect realms are configured, the custom web app can specify the name of the realm to be
+  used for handling this, but this parameter is optional.
   See {ref}/security-api-oidc-authenticate.html[OIDC Authenticate API] for more details
 +
 [source,js]
@@ -658,7 +660,8 @@ POST /_security/oidc/authenticate
 {
   "redirect_uri" : "https://oidc-kibana.elastic.co:5603/api/security/v1/oidc?code=jtI3Ntt8v3_XvcLzCFGq&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
-  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
+  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
+  "realm" : "oidc1"
 }
 -----------------------------------------------------------------------
 // CONSOLE

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateRequest.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.core.security.action.oidc;
 
+import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.common.Strings;
@@ -38,6 +39,11 @@ public class OpenIdConnectAuthenticateRequest extends ActionRequest {
      */
     private String nonce;
 
+    /**
+     * The name of the OIDC Realm that should consume the authentication request
+     */
+    private String realm;
+
     public OpenIdConnectAuthenticateRequest() {
 
     }
@@ -47,6 +53,10 @@ public OpenIdConnectAuthenticateRequest(StreamInput in) throws IOException {
         redirectUri = in.readString();
         state = in.readString();
         nonce = in.readString();
+        if (in.getVersion().onOrAfter(Version.V_7_4_0)) {
+            realm = in.readOptionalString();
+        }
+
     }
 
     public String getRedirectUri() {
@@ -73,6 +83,14 @@ public void setNonce(String nonce) {
         this.nonce = nonce;
     }
 
+    public String getRealm() {
+        return realm;
+    }
+
+    public void setRealm(String realm) {
+        this.realm = realm;
+    }
+
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException validationException = null;
@@ -94,10 +112,13 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeString(redirectUri);
         out.writeString(state);
         out.writeString(nonce);
+        if (out.getVersion().onOrAfter(Version.V_7_4_0)) {
+            out.writeOptionalString(realm);
+        }
     }
 
     public String toString() {
-        return "{redirectUri=" + redirectUri + ", state=" + state + ", nonce=" + nonce + "}";
+        return "{redirectUri=" + redirectUri + ", state=" + state + ", nonce=" + nonce + ", realm=" +realm+"}";
     }
 }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateRequest.java

@@ -7,6 +7,7 @@
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.io.stream.StreamInput;
 
 import java.io.IOException;
@@ -19,6 +20,8 @@ public final class SamlAuthenticateRequest extends ActionRequest {
 
     private byte[] saml;
     private List<String> validRequestIds;
+    @Nullable
+    private String realm;
 
     public SamlAuthenticateRequest(StreamInput in) throws IOException {
         super(in);
@@ -47,4 +50,12 @@ public List<String> getValidRequestIds() {
     public void setValidRequestIds(List<String> validRequestIds) {
         this.validRequestIds = validRequestIds;
     }
+
+    public String getRealm() {
+        return realm;
+    }
+
+    public void setRealm(String realm) {
+        this.realm = realm;
+    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateRequestBuilder.java

@@ -29,4 +29,9 @@ public SamlAuthenticateRequestBuilder validRequestIds(List<String> validRequestI
         request.setValidRequestIds(validRequestIds);
         return this;
     }
+
+    public SamlAuthenticateRequestBuilder authenticatingRealm(String realm) {
+        request.setRealm(realm);
+        return this;
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.java

@@ -55,7 +55,7 @@ public TransportOpenIdConnectAuthenticateAction(ThreadPool threadPool, Transport
     protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request,
                              ActionListener<OpenIdConnectAuthenticateResponse> listener) {
         final OpenIdConnectToken token = new OpenIdConnectToken(request.getRedirectUri(), new State(request.getState()),
-            new Nonce(request.getNonce()));
+            new Nonce(request.getNonce()), request.getRealm());
         final ThreadContext threadContext = threadPool.getThreadContext();
         Authentication originatingAuthentication = Authentication.getAuthentication(threadContext);
         try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java

@@ -48,7 +48,7 @@ public TransportSamlAuthenticateAction(ThreadPool threadPool, TransportService t
 
     @Override
     protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListener<SamlAuthenticateResponse> listener) {
-        final SamlToken saml = new SamlToken(request.getSaml(), request.getValidRequestIds());
+        final SamlToken saml = new SamlToken(request.getSaml(), request.getValidRequestIds(), request.getRealm());
         logger.trace("Attempting to authenticate SamlToken [{}]", saml);
         final ThreadContext threadContext = threadPool.getThreadContext();
         Authentication originatingAuthentication = Authentication.getAuthentication(threadContext);