Module org.elasticsearch.security
Class OpenIdConnectRealm
java.lang.Object
org.elasticsearch.xpack.core.security.authc.Realm
org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm
- All Implemented Interfaces:
Closeable, AutoCloseable, Comparable<Realm>, org.elasticsearch.core.Releasable
-
Nested Class Summary
Nested classes/interfaces inherited from class org.elasticsearch.xpack.core.security.authc.Realm
Realm.Factory -
Field Summary
Fields -
Constructor Summary
Constructors
Constructor / Description
OpenIdConnectRealm(RealmConfig config, SSLService sslService, UserRoleMapper roleMapper, ResourceWatcherService watcherService)
-
Method Summary
Modifier and Type / Method / Description
void authenticate(AuthenticationToken token, ActionListener<AuthenticationResult<User>> listener)
buildAuthenticationRequestUri(String existingState, String existingNonce, String loginHint): Creates the URI for an OIDC Authentication Request from the realm configuration using URI Query String Serialization and possibly generates a state parameter and a nonce.
buildLogoutResponse(com.nimbusds.jwt.JWT idTokenHint)
void close()
void initialize(Iterable<Realm> realms, XPackLicenseState licenseState)
boolean isIssuerValid(String issuer)
void lookupUser(String username, ActionListener<User> listener)
boolean supports(AuthenticationToken token)
token(ThreadContext context)
Methods inherited from class org.elasticsearch.xpack.core.security.authc.Realm
compareTo, getAuthenticationFailureHeaders, name, order, realmRef, setRealmRef, toString, type, usageStats
-
Field Details
-
CONTEXT_TOKEN_DATA
- See Also:
-
-
Constructor Details
-
OpenIdConnectRealm
public OpenIdConnectRealm(RealmConfig config, SSLService sslService, UserRoleMapper roleMapper, ResourceWatcherService watcherService)
-
-
Method Details
-
initialize
- Overrides:
initialize in class Realm
-
supports
-
token
-
authenticate
public void authenticate(AuthenticationToken token, ActionListener<AuthenticationResult<User>> listener)
- Specified by:
authenticate in class Realm
-
lookupUser
- Specified by:
lookupUser in class Realm
-
buildAuthenticationRequestUri
public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(@Nullable String existingState, @Nullable String existingNonce, @Nullable String loginHint)
Creates the URI for an OIDC Authentication Request from the realm configuration using URI Query String Serialization and possibly generates a state parameter and a nonce. It then returns the URI, state and nonce encapsulated in an OpenIdConnectPrepareAuthenticationResponse. A facilitator can provide a state and a nonce parameter in two cases:
- In case of Kibana, it allows for a better UX by ensuring that all requests to an OpenID Connect Provider within the same browser context (even across tabs) will use the same state and nonce values.
- In case of custom facilitators, the implementer might require/support generating the state parameter in order to tie this to an anti-XSRF token.
- Parameters:
existingState - An existing state that can be reused or null if we need to generate one
existingNonce - An existing nonce that can be reused or null if we need to generate one
loginHint - A String with a login hint to add to the authentication request in case of a 3rd party initiated login
- Returns:
an OpenIdConnectPrepareAuthenticationResponse
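The reuse-or-generate behaviour described for buildAuthenticationRequestUri, as an added stand-alone sketch that is not the Elasticsearch implementation. The class, record and method names, the endpoint URLs, the client id and the fixed `response_type`/`scope` values are all assumptions made for illustration. It also goes one step beyond the method to show the callback-side state comparison that the anti-XSRF use case relies on.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Added sketch with hypothetical names; not the Elasticsearch implementation.
public class OidcAuthRequestSketch {
    record Prepared(URI redirect, String state, String nonce) {}
    private static final SecureRandom RNG = new SecureRandom();

    // 256 bits from a CSPRNG, base64url without padding so the value is query-safe.
    static String randomValue() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Reuse the facilitator's state/nonce when supplied, otherwise generate fresh ones.
    static Prepared build(String endpoint, String clientId, String redirectUri,
                          String existingState, String existingNonce, String loginHint) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", "code"); // assumed flow; a real realm reads this from its config
        q.put("scope", "openid");
        q.put("client_id", clientId);
        q.put("redirect_uri", redirectUri);
        q.put("state", existingState != null ? existingState : randomValue());
        q.put("nonce", existingNonce != null ? existingNonce : randomValue());
        if (loginHint != null) q.put("login_hint", loginHint);
        StringJoiner query = new StringJoiner("&", endpoint + "?", "");
        q.forEach((k, v) -> query.add(k + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return new Prepared(URI.create(query.toString()), q.get("state"), q.get("nonce"));
    }

    // Callback check: returned state must equal the one bound to the browser session.
    static boolean stateMatches(String expected, String returned) {
        return returned != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), returned.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Prepared p = build("https://op.example.test/authorize", "constructed-client-id",
            "https://rp.example.test/callback", null, null, "user@example.test");
        System.out.println(p.redirect());
        System.out.println(stateMatches(p.state(), p.state()));     // same session
        System.out.println(stateMatches(p.state(), "other-value")); // mismatched state
    }
}
```

A facilitator that passes its own `existingState` must store it server-side against the browser session before redirecting, since the comparison on the callback is only meaningful against a value the browser could not have chosen.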
-
isIssuerValid
-
buildLogoutResponse
-
close
public void close()
- Specified by:
close in interface AutoCloseable
- Specified by:
close in interface Closeable
- Specified by:
close in interface org.elasticsearch.core.Releasable
-