|
|
@@ -12,22 +12,24 @@ between the _client_ that is connecting to {es}, and the _user_ on whose behalf
|
|
|
the request should run. The JWT authenticates the user, and a separate credential
|
|
|
authenticates the client.
|
|
|
|
|
|
-The JWT realm is designed to cater for the following two scenarios:
|
|
|
-
|
|
|
-1. An application authenticates and identifies a user with an authentication flow, e.g.
|
|
|
-OpenID Connect (OIDC), and then accesses {es} on behalf of the authenticated user.
|
|
|
-A common scenario for JWTs is when an existing application uses
|
|
|
-2. An application itself goes through an authentication flow, e.g. OAuth2 Client Credentials
|
|
|
-Flow, and then accesses {es} for itself.
|
|
|
-
|
|
|
-In both scenarios, the application should present a JWT to {es} that represents either the user (scenario 1)
|
|
|
-or itself (scenario 2). {es} categorizes the JWT into two types, ID Token and Access token,
|
|
|
-and validates them accordingly. The ID Token type basically follows the OIDC specification.
|
|
|
-The access token type is similar to the ID Token type, but with more relaxed rules which makes it
|
|
|
-suitable for loosely-defined JWTs, including self-signed ones.
|
|
|
-Tokens of both types must contain the following 5 pieces of information. While ID Tokens follow
|
|
|
-strict rules on which claim should provide each piece of the information,
|
|
|
-access tokens allow certain configurable options.
|
|
|
+The JWT realm supports two token types, `id_token` (the default) and `access_token`.
|
|
|
+They are designed to work for the following two scenarios, respectively:
|
|
|
+
|
|
|
+1. `id_token` - An application authenticates and identifies a user with an authentication flow,
|
|
|
+e.g. OpenID Connect (OIDC), and then accesses {es} on behalf of the authenticated user using
|
|
|
+a JSON Web Token (JWT) conforming to OIDC ID Token specification.
|
|
|
+2. `access_token` - An application accesses {es} using its own identity, encoded as a JWT,
|
|
|
+e.g. The application authenticates itself to a central identity platform using an
|
|
|
+OAuth2 Client Credentials Flow and then uses the resulting JWT-based access token to connect to {es}.
|
|
|
+
|
|
|
+NOTE: A single JWT realm can only work with a single token type. To handle both token types,
|
|
|
+you must configure at least two JWT realms. You should choose the token type carefully based
|
|
|
+on the use case because it impacts on how validations are performed.
|
|
|
+
|
|
|
+The JWT realm validates the incoming JWT based on its configured token type.
|
|
|
+JSON Web Tokens (JWT) of both types must contain the following 5 pieces of information.
|
|
|
+While ID Tokens, based on the OIDC specification, have strict rules for what claims should provide these information,
|
|
|
+access tokens allow some claims to be configurable.
|
|
|
|
|
|
[cols="3",frame=all]
|
|
|
|====
|
|
|
@@ -43,18 +45,17 @@ h| Information | ID Token | Access Token
|
|
|
In addition, {es} also validates `nbf` and `auth_time` claims for ID Tokens if these claims are present.
|
|
|
But these claims are ignored for access tokens.
|
|
|
|
|
|
-A single JWT realm can only work with a single token type. The default token
|
|
|
-type is `id_token`. To handle both token types, you must configure at least
|
|
|
-two JWT realms.
|
|
|
+Overall, the access token type has more relaxed validation rules and is suitable for more generic JWTs,
|
|
|
+including self-signed ones.
|
|
|
|
|
|
[[jwt-realm-oidc]]
|
|
|
-==== JWT from OIDC workflows
|
|
|
+==== ID Tokens from OIDC workflows
|
|
|
JWT authentication in {es} is derived from OIDC user workflows, where different
|
|
|
-tokens can be issued by an OIDC Provider (OP), including ID Tokens and access
|
|
|
-tokens. ID Tokens are well-defined JWT and should be always compatible with
|
|
|
-what JWT realm supports. Access tokens can be arbitrary in theory. For them to
|
|
|
-be usable with JWT realm, they must at least use the JWT format and satisfy
|
|
|
-relevant requirements in the above table.
|
|
|
+tokens can be issued by an OIDC Provider (OP), including ID Tokens.
|
|
|
+ID Tokens from an OIDC provider are well-defined JSON Web Tokens (JWT) and should be always compatible with
|
|
|
+a JWT realm of the `id_token` token type. The subject claim of an ID token represents the end-user.
|
|
|
+This means that ID tokens will generally have many allowed subjects.
|
|
|
+Therefore, a JWT realm of `id_token` token type does _not_ mandate the `allowed_subjects` validation.
|
|
|
|
|
|
NOTE: Because JWTs are obtained external to {es}, you can define a custom workflow
|
|
|
instead of using the OIDC workflow. However, the JWT format must still be JSON
|
|
|
@@ -65,8 +66,23 @@ ID token validation rules.
|
|
|
use case where {es} can act as an OIDC RP. The OIDC realm is the only supported
|
|
|
way to enable OIDC authentication in {kib}.
|
|
|
|
|
|
-TIP: The JWT realm is compatible with the <<run-as-privilege,`run_as`>> feature.
|
|
|
-See also <<jwt-realm-runas>>.
|
|
|
+TIP: Users authenticating with a JWT realm can optionally impersonate another user
|
|
|
+with the <<run-as-privilege,`run_as`>> feature. See also <<jwt-realm-runas>>.
|
|
|
+
|
|
|
+[[jwt-realm-oauth2]]
|
|
|
+==== Access Tokens
|
|
|
+A common method to obtain access tokens is with the OAuth2 Client Credentials Flow.
|
|
|
+A typical usage of this flow is for an application to get a credential for itself.
|
|
|
+This is the use case that the `access_token` token type is designed for.
|
|
|
+It is likely that this application also obtains ID Tokens for its end-users.
|
|
|
+To prevent end-user ID Tokens being used to authenticate with the JWT realm configured
|
|
|
+for the application, we mandate `allowed_subjects` validation when a JWT realm
|
|
|
+has token type `access_token`.
|
|
|
+
|
|
|
+NOTE: Not every access token is formatted as a JSON Web Token (JWT).
|
|
|
+For it to be compatible with the JWT realm, it must at least use the JWT format and satisfies
|
|
|
+relevant requirements in the above table.
|
|
|
+
|
|
|
|
|
|
[[jwt-realm-configuration]]
|
|
|
==== Configure {es} to use a JWT realm
|
|
|
@@ -284,18 +300,20 @@ creation (`iat`), not before (`nbf`), and expiration times (`exp`).
|
|
|
be an exact, case-sensitive match to the value in the `allowed_issuer` setting.
|
|
|
|
|
|
`sub`::
|
|
|
-(Required, String) Indicates the subject that the ID token is created for.
|
|
|
+(Required*, String) Indicates the subject that the ID token is created for.
|
|
|
+If the JWT realm is of the `id_token` type, this claim is mandatory.
|
|
|
A JWT realm of the `id_token` type by defaults accepts all subjects.
|
|
|
-A JWT realm of the `access_token` type can specify a fallback claim that will
|
|
|
-be used in place where the `sub` claim does not exist. Such JWT realm
|
|
|
-must also specify the `allowed_subjects` setting and the subject value
|
|
|
+A JWT realm of the access_token type must specify the `allowed_subjects` setting and the subject value
|
|
|
must be an exact, case-sensitive match to any of the CSV values in the
|
|
|
-`allowed_subjects` setting.
|
|
|
+allowed_subjects setting.
|
|
|
+A JWT realm of the access_token type can specify a fallback claim that will
|
|
|
+be used in place where the `sub` claim does not exist.
|
|
|
|
|
|
`aud`::
|
|
|
-(Required, String) Indicates the audiences that the ID token is for, expressed as a
|
|
|
+(Required*, String) Indicates the audiences that the ID token is for, expressed as a
|
|
|
comma-separated value (CSV). One of the values must be an exact, case-sensitive
|
|
|
match to any of the CSV values in the `allowed_audiences` setting.
|
|
|
+If the JWT realm is of the `id_token` type, this claim is mandatory.
|
|
|
A JWT realm of the `access_token` type can specify a fallback claim that will
|
|
|
be used in place where the `aud` claim does not exist.
|
|
|
|
Yang Wang