Fix IDP Initiated Authentication for Multiple OIDC Providers (elastic#243869)

Closes elastic#190177

## Summary

Fixes a bug where Authentication does not work when there are multiple
OIDC providers configured.

When OIDC authentication is initiated using the `iss`, ES sends back the
redirect URL and realm configured for that OIDC provider. If the realm
from ES does not match the configured realm in Kibana then the OIDC
provider will now return not handled instead of redirecting the user to
the OIDC redirect URL. This allows the authentication chain to move onto
the second OIDC provider instead of being rejected by the first provider
after being redirected.

## Release Notes

Fixes a bug preventing IDP initiated login with multiple OIDC providers

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: 2 people

.buildkite/ftr_platform_stateful_configs.yml

@@ -310,6 +310,7 @@ enabled:
   - x-pack/platform/test/security_api_integration/oidc_implicit_flow.config.ts
   - x-pack/platform/test/security_api_integration/oidc.config.ts
   - x-pack/platform/test/security_api_integration/oidc.http2.config.ts
+  - x-pack/platform/test/security_api_integration/oidc_multiple_realms.config.ts
   - x-pack/platform/test/security_api_integration/pki.config.ts
   - x-pack/platform/test/security_api_integration/saml.config.ts
   - x-pack/platform/test/security_api_integration/saml.http2.config.ts

x-pack/platform/plugins/shared/security/server/authentication/providers/oidc.test.ts

@@ -65,6 +65,7 @@ describe('OIDCAuthenticationProvider', () => {
       mockOptions.client.asInternalUser.transport.request.mockResolvedValue({
         state: 'statevalue',
         nonce: 'noncevalue',
+        realm: 'oidc1',
         redirect:
           'https://op-host/path/login?response_type=code' +
           '&scope=openid%20profile%20email' +
@@ -113,6 +114,7 @@ describe('OIDCAuthenticationProvider', () => {
       mockOptions.client.asInternalUser.transport.request.mockResolvedValue({
         state: 'statevalue',
         nonce: 'noncevalue',
+        realm: 'oidc1',
         redirect:
           'https://op-host/path/login?response_type=code' +
           '&scope=openid%20profile%20email' +
@@ -154,6 +156,70 @@ describe('OIDCAuthenticationProvider', () => {
       });
     });
 
+    describe('returns "NotHandled" result if ES realm does not match provider', () => {
+      it('when initiated by the User', async () => {
+        const request = httpServerMock.createKibanaRequest();
+
+        mockOptions.client.asInternalUser.transport.request.mockResolvedValue({
+          state: 'statevalue',
+          nonce: 'noncevalue',
+          realm: 'other-realm',
+          redirect:
+            'https://op-host/path/login?response_type=code' +
+            '&scope=openid%20profile%20email' +
+            '&client_id=s6BhdRkqt3' +
+            '&state=statevalue' +
+            '&redirect_uri=https%3A%2F%2Ftest-hostname:1234%2Ftest-base-path%2Fapi%2Fsecurity%2Fv1%2F/oidc' +
+            '&login_hint=loginhint',
+        });
+
+        await expect(
+          provider.login(request, {
+            type: OIDCLogin.LoginInitiatedByUser,
+            redirectURL: '/mock-server-basepath/app/super-kibana#some-hash',
+          })
+        ).resolves.toEqual(AuthenticationResult.notHandled());
+
+        expect(mockOptions.client.asInternalUser.transport.request).toHaveBeenCalledTimes(1);
+        expect(mockOptions.client.asInternalUser.transport.request).toHaveBeenCalledWith({
+          method: 'POST',
+          path: '/_security/oidc/prepare',
+          body: { realm: 'oidc1' },
+        });
+      });
+
+      it('when initiated by 3rd party', async () => {
+        const request = httpServerMock.createKibanaRequest();
+
+        mockOptions.client.asInternalUser.transport.request.mockResolvedValue({
+          state: 'statevalue',
+          nonce: 'noncevalue',
+          realm: 'other-realm',
+          redirect:
+            'https://op-host/path/login?response_type=code' +
+            '&scope=openid%20profile%20email' +
+            '&client_id=s6BhdRkqt3' +
+            '&state=statevalue' +
+            '&redirect_uri=https%3A%2F%2Ftest-hostname:1234%2Ftest-base-path%2Fapi%2Fsecurity%2Fv1%2F/oidc' +
+            '&login_hint=loginhint',
+        });
+
+        await expect(
+          provider.login(request, {
+            type: OIDCLogin.LoginInitiatedBy3rdParty,
+            iss: 'some-issuer',
+          })
+        ).resolves.toEqual(AuthenticationResult.notHandled());
+
+        expect(mockOptions.client.asInternalUser.transport.request).toHaveBeenCalledTimes(1);
+        expect(mockOptions.client.asInternalUser.transport.request).toHaveBeenCalledWith({
+          method: 'POST',
+          path: '/_security/oidc/prepare',
+          body: { iss: 'some-issuer' },
+        });
+      });
+    });
+
     it('fails if OpenID Connect authentication request preparation fails.', async () => {
       const request = httpServerMock.createKibanaRequest();
 
@@ -392,6 +458,7 @@ describe('OIDCAuthenticationProvider', () => {
       mockOptions.client.asInternalUser.transport.request.mockResolvedValue({
         state: 'statevalue',
         nonce: 'noncevalue',
+        realm: 'oidc1',
         redirect:
           'https://op-host/path/login?response_type=code' +
           '&scope=openid%20profile%20email' +

x-pack/platform/plugins/shared/security/server/authentication/providers/oidc.ts

@@ -304,13 +304,21 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider {
       // user usually doesn't have `cluster:admin/xpack/security/oidc/prepare`.
       // We can replace generic `transport.request` with a dedicated API method call once
       // https://github.com/elastic/elasticsearch/issues/67189 is resolved.
-      const { state, nonce, redirect } =
+      const { state, nonce, realm, redirect } =
         (await this.options.client.asInternalUser.transport.request({
           method: 'POST',
           path: '/_security/oidc/prepare',
           body: params,
         })) as any;
 
+      if (realm !== this.realm) {
+        this.logger.debug(
+          `Provider is configured with the "${this.realm}" realm and isn't compatible with the "${realm}" ` +
+            `realm used by Elasticsearch to prepare the authentication request. Skipping provider…`
+        );
+        return AuthenticationResult.notHandled();
+      }
+
       this.logger.debug('Redirecting to OpenID Connect Provider with authentication request.');
       return AuthenticationResult.redirectTo(
         redirect,

x-pack/platform/test/security_api_integration/oidc_multiple_realms.config.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts'));
+  const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port');
+  const jwksPath = require.resolve('@kbn/security-api-integration-helpers/oidc/jwks.json');
+  const oidcAPITestsConfig = await readConfigFile(require.resolve('./oidc.config.ts'));
+
+  return {
+    ...oidcAPITestsConfig.getAll(),
+    testFiles: [require.resolve('./tests/oidc/multiple_realms')],
+
+    junit: {
+      reportName: 'X-Pack Security API Integration Tests (OIDC - Multiple OIDC Realms)',
+    },
+
+    esTestCluster: {
+      ...oidcAPITestsConfig.get('esTestCluster'),
+      serverArgs: [
+        ...oidcAPITestsConfig.get('esTestCluster.serverArgs'),
+        'xpack.security.authc.realms.oidc.oidc2.order=1',
+        `xpack.security.authc.realms.oidc.oidc2.rp.client_id=0oa8sqpov3TxMWJOt356`,
+        `xpack.security.authc.realms.oidc.oidc2.rp.client_secret=0oa8sqpov3TxMWJOt356`,
+        `xpack.security.authc.realms.oidc.oidc2.rp.response_type=code`,
+        `xpack.security.authc.realms.oidc.oidc2.rp.redirect_uri=http://localhost:${kibanaPort}/api/security/oidc/callback`,
+        `xpack.security.authc.realms.oidc.oidc2.op.authorization_endpoint=https://test-op-2.elastic.co/oauth2/v1/authorize`,
+        `xpack.security.authc.realms.oidc.oidc2.op.endsession_endpoint=https://test-op-2.elastic.co/oauth2/v1/endsession`,
+        `xpack.security.authc.realms.oidc.oidc2.op.token_endpoint=http://localhost:${kibanaPort}/api/oidc_provider/token_endpoint/${encodeURIComponent(
+          'https://test-op-2.elastic.co'
+        )}`,
+        `xpack.security.authc.realms.oidc.oidc2.op.userinfo_endpoint=http://localhost:${kibanaPort}/api/oidc_provider/userinfo_endpoint`,
+        `xpack.security.authc.realms.oidc.oidc2.op.issuer=https://test-op-2.elastic.co`,
+        `xpack.security.authc.realms.oidc.oidc2.op.jwkset_path=${jwksPath}`,
+        `xpack.security.authc.realms.oidc.oidc2.claims.principal=sub`,
+      ],
+    },
+
+    kbnTestServer: {
+      ...oidcAPITestsConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...oidcAPITestsConfig
+          .get('kbnTestServer.serverArgs')
+          .filter(
+            (arg: string) =>
+              !arg.includes('xpack.security.authProviders') &&
+              !arg.includes('xpack.security.authc.oidc.realm')
+          ),
+        '--xpack.security.authc.providers.oidc.oidc1.order=0',
+        '--xpack.security.authc.providers.oidc.oidc1.realm="oidc1"',
+        '--xpack.security.authc.providers.oidc.oidc2.order=1',
+        '--xpack.security.authc.providers.oidc.oidc2.realm="oidc2"',
+      ],
+    },
+  };
+}

x-pack/platform/test/security_api_integration/packages/helpers/oidc/oidc_tools.ts

@@ -18,7 +18,7 @@ function fromBase64(base64: string) {
   return base64.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
 }
 
-export function createTokens(userId: string, nonce: string) {
+export function createTokens(userId: string, nonce: string, issuer: string) {
   const idTokenHeader = fromBase64(
     Buffer.from(JSON.stringify({ alg: 'RS256' })).toString('base64')
   );
@@ -29,7 +29,7 @@ export function createTokens(userId: string, nonce: string) {
   const idTokenBody = fromBase64(
     Buffer.from(
       JSON.stringify({
-        iss: 'https://test-op.elastic.co',
+        iss: issuer,
         sub: `user${userId}`,
         aud: '0oa8sqpov3TxMWJOt356',
         nonce,

x-pack/platform/test/security_api_integration/plugins/oidc_provider/server/init_routes.ts

@@ -65,16 +65,22 @@ export function initRoutes(router: IRouter) {
 
   router.post(
     {
-      path: '/api/oidc_provider/token_endpoint',
-      security: { authz: { enabled: false, reason: '' } },
-      validate: { body: (value) => ({ value }) },
+      path: '/api/oidc_provider/token_endpoint/{issuer?}',
+      security: { authc: { enabled: false, reason: '' }, authz: { enabled: false, reason: '' } },
+      validate: {
+        body: (value) => ({ value }),
+        params: schema.object({
+          issuer: schema.string({ defaultValue: 'https://test-op.elastic.co' }),
+        }),
+      },
       // Token endpoint needs authentication (with the client credentials) but we don't attempt to
       // validate this OIDC behavior here
-      options: { authRequired: false, xsrfRequired: false },
+      options: { xsrfRequired: false },
     },
     (context, request, response) => {
       const userId = request.body.code.substring(4);
-      const { accessToken, idToken } = createTokens(userId, nonce);
+
+      const { accessToken, idToken } = createTokens(userId, nonce, request.params.issuer);
       return response.ok({
         body: {
           access_token: accessToken,

x-pack/platform/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts

@@ -83,7 +83,11 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       it('should fail if OpenID Connect response is not complemented with handshake cookie', async () => {
-        const { idToken, accessToken } = createTokens('1', stateAndNonce.nonce);
+        const { idToken, accessToken } = createTokens(
+          '1',
+          stateAndNonce.nonce,
+          'https://test-op.elastic.co'
+        );
         const authenticationResponse = `https://kibana.com/api/security/oidc/implicit#id_token=${idToken}&state=${stateAndNonce.state}&token_type=bearer&access_token=${accessToken}`;
 
         const unauthenticatedResponse = await supertest
@@ -99,7 +103,11 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       it('should fail if state is not matching', async () => {
-        const { idToken, accessToken } = createTokens('1', stateAndNonce.nonce);
+        const { idToken, accessToken } = createTokens(
+          '1',
+          stateAndNonce.nonce,
+          'https://test-op.elastic.co'
+        );
         const authenticationResponse = `https://kibana.com/api/security/oidc/implicit#id_token=${idToken}&state=$someothervalue&token_type=bearer&access_token=${accessToken}`;
 
         const unauthenticatedResponse = await supertest
@@ -116,7 +124,11 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       it('should succeed if both the OpenID Connect response and the cookie are provided', async () => {
-        const { idToken, accessToken } = createTokens('1', stateAndNonce.nonce);
+        const { idToken, accessToken } = createTokens(
+          '1',
+          stateAndNonce.nonce,
+          'https://test-op.elastic.co'
+        );
         const authenticationResponse = `https://kibana.com/api/security/oidc/implicit#id_token=${idToken}&state=${stateAndNonce.state}&token_type=bearer&access_token=${accessToken}`;
 
         const oidcAuthenticationResponse = await supertest

x-pack/platform/test/security_api_integration/tests/oidc/multiple_realms/index.ts

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('security APIs - OIDC (Multiple OIDC Realms)', function () {
+    loadTestFile(require.resolve('./oidc_auth'));
+  });
+}