Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: dfaec0dbf0
Branches Tags
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
oidc-prepare-authentication-api.asciidoc

oidc-prepare-authentication-api.asciidoc 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. [role="xpack"]
    2. 

  2. [[security-api-oidc-prepare-authentication]]
    3. 

  3. === OpenID Connect prepare authentication API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>OpenID Connect prepare authentication</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Creates an oAuth 2.0 authentication request as a URL string based on the
    9. 

  9. configuration of the respective OpenID Connect authentication realm in {es}.
    10. 

  10. 

  11. [[security-api-oidc-prepare-authentication-request]]
    12. 

  12. ==== {api-request-title}
    13. 

  13. 

  14. `POST /_security/oidc/prepare`
    15. 

  15. 

  16. //[[security-api-oidc-prepare-authentication-prereqs]]
    17. 

  17. //==== {api-prereq-title}
    18. 

  18. 

  19. [[security-api-oidc-prepare-authentication-desc]]
    20. 

  20. ==== {api-description-title}
    21. 

  21. 

  22. The response of this API is a URL pointing to the Authorization Endpoint of the
    23. 

  23. configured OpenID Connect Provider and can be used to redirect the browser of
    24. 

  24. the user in order to continue the authentication process.
    25. 

  25. 

  26. {es} exposes all the necessary OpenID Connect related functionality via the
    27. 

  27. OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
    28. 

  28. OpenID Connect based authentication, but can also be used by other, custom web
    29. 

  29. applications or other clients. See also
    30. 

  30. <<security-api-oidc-authenticate,OpenID Connect authenticate API>>
    31. 

  31. and <<security-api-oidc-logout,OpenID Connect logout API>>.
    32. 

  32. 

  33. [[security-api-oidc-prepare-authentication-request-body]]
    34. 

  34. ==== {api-request-body-title}
    35. 

  35. 

  36. The following parameters can be specified in the body of the request:
    37. 

  37. 

  38. `realm`::
    39. 

  39.   (Optional, string) The name of the OpenID Connect realm in {es} the configuration of which should
    40. 

  40. be used in order to generate the authentication request. Cannot be specified
    41. 

  41. when `iss` is specified. One of `realm`, `iss` is required.
    42. 

  42. 

  43. `state`::
    44. 

  44.   (Optional, string) Value used to maintain state between the authentication request and the
    45. 

  45. response, typically used as a Cross-Site Request Forgery mitigation. If the
    46. 

  46. caller of the API doesn't provide a value, {es} will generate one with
    47. 

  47. sufficient entropy itself and return it in the response.
    48. 

  48. 

  49. `nonce`::
    50. 

  50.   (Optional, string) Value used to associate a Client session with an ID Token and to mitigate
    51. 

  51. replay attacks. If the caller of the API doesn't provide a value, {es} will
    52. 

  52. generate one with sufficient entropy itself and return it in the response.
    53. 

  53. 

  54. `iss`::
    55. 

  55.   (Optional, string) In the case of a 3rd Party initiated Single Sign On, this is the Issuer
    56. 

  56. Identifier for the OP that the RP is to send the Authentication Request to.
    57. 

  57. Cannot be specified when `realm` is specified. One of `realm`, `iss` is required.
    58. 

  58. 

  59. `login_hint`::
    60. 

  60.   (Optional, string) In the case of a 3rd Party initiated Single Sign On, a string value to be
    61. 

  61. included in the authentication request, as the `login_hint` parameter. This
    62. 

  62. parameter is not valid when `realm` is specified
    63. 

  63. 

  64. 

  65. [[security-api-oidc-prepare-authentication-example]]
    66. 

  66. ==== {api-examples-title}
    67. 

  67. 

  68. The following example generates an authentication request for the OpenID Connect
    69. 

  69. Realm `oidc1`:
    70. 

  70. 

  71. [source,console]
    72. 

  72. --------------------------------------------------
    73. 

  73. POST /_security/oidc/prepare
    74. 

  74. {
    75. 

  75.   "realm" : "oidc1"
    76. 

  76. }
    77. 

  77. --------------------------------------------------
    78. 

  78. 

  79. The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
    80. 

  80. the Authentication Request, as HTTP GET parameters:
    81. 

  81. 

  82. [source,console-result]
    83. 

  83. --------------------------------------------------
    84. 

  84. {
    85. 

  85.   "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
    86. 

  86.   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
    87. 

  87.   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
    88. 

  88.   "realm" : "oidc1"
    89. 

  89. }
    90. 

  90. --------------------------------------------------
    91. 

  91. // TESTRESPONSE[s/http:.*elasticsearch-rp/\$\{body.redirect\}/]
    92. 

  92. // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
    93. 

  93. // TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
    94. 

  94. 

  95. The following example generates an authentication request for the OpenID Connect
    96. 

  96. Realm `oidc1`, where the values for the state and the nonce have been generated
    97. 

  97. by the client:
    98. 

  98. 

  99. [source,console]
    100. 

  100. --------------------------------------------------
    101. 

  101. POST /_security/oidc/prepare
    102. 

  102. {
    103. 

  103.   "realm" : "oidc1",
    104. 

  104.   "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
    105. 

  105.   "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
    106. 

  106. }
    107. 

  107. --------------------------------------------------
    108. 

  108. 

  109. The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
    110. 

  110. the Authentication Request, as HTTP GET parameters:
    111. 

  111. 

  112. [source,console-result]
    113. 

  113. --------------------------------------------------
    114. 

  114. {
    115. 

  115.   "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&client_id=elasticsearch-rp",
    116. 

  116.   "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
    117. 

  117.   "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5",
    118. 

  118.   "realm" : "oidc1"
    119. 

  119. }
    120. 

  120. --------------------------------------------------
    121. 

  121. // TESTRESPONSE[s/http:.*elasticsearch-rp/\$\{body.redirect\}/]
    122. 

  122. 

  123. The following example generates an authentication request for a 3rd party
    124. 

  124. initiated single sign on, specifying the issuer that should be used for matching
    125. 

  125. the appropriate OpenID Connect Authentication realm:
    126. 

  126. 

  127. [source,console]
    128. 

  128. --------------------------------------------------
    129. 

  129. POST /_security/oidc/prepare
    130. 

  130. {
    131. 

  131.   "iss" : "http://127.0.0.1:8080",
    132. 

  132.   "login_hint": "this_is_an_opaque_string"
    133. 

  133. }
    134. 

  134. --------------------------------------------------
    135. 

  135. 

  136. The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
    137. 

  137. the Authentication Request, as HTTP GET parameters:
    138. 

  138. 

  139. [source,console-result]
    140. 

  140. --------------------------------------------------
    141. 

  141. {
    142. 

  142.   "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&scope=openid&response_type=id_token&redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&client_id=elasticsearch-rp",
    143. 

  143.   "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
    144. 

  144.   "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
    145. 

  145.   "realm" : "oidc1"
    146. 

  146. }
    147. 

  147. --------------------------------------------------
    148. 

  148. // TESTRESPONSE[s/4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I/\$\{body.state\}/]
    149. 

  149. // TESTRESPONSE[s/WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM/\$\{body.nonce\}/]
    150.