Add in-response-to field to saml successful response (#137599)

Return in_response_to field in successful SAML authentication attempts,
as this information is useful to the client

closes of #128179

Author: piotrsulkowski-elastic

docs/changelog/137599.yaml

@@ -0,0 +1,6 @@
+pr: 137599
+summary: In-response-to in saml successful response
+area: Authentication
+type: enhancement
+issues:
+ - 128179

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java

@@ -8,6 +8,7 @@
 
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 
@@ -25,14 +26,27 @@ public final class SamlAuthenticateResponse extends ActionResponse {
     private final String realm;
     private final TimeValue expiresIn;
     private final Authentication authentication;
+    private final String inResponseTo;
 
+    // Constructor used in Serverless
     public SamlAuthenticateResponse(Authentication authentication, String tokenString, String refreshToken, TimeValue expiresIn) {
+        this(authentication, tokenString, refreshToken, expiresIn, null);
+    }
+
+    public SamlAuthenticateResponse(
+        Authentication authentication,
+        String tokenString,
+        String refreshToken,
+        TimeValue expiresIn,
+        @Nullable String inResponseTo
+    ) {
         this.principal = authentication.getEffectiveSubject().getUser().principal();
         this.realm = authentication.getEffectiveSubject().getRealm().getName();
         this.tokenString = tokenString;
         this.refreshToken = refreshToken;
         this.expiresIn = expiresIn;
         this.authentication = authentication;
+        this.inResponseTo = inResponseTo;
     }
 
     public String getPrincipal() {
@@ -59,6 +73,13 @@ public Authentication getAuthentication() {
         return authentication;
     }
 
+    public String getInResponseTo() {
+        return inResponseTo;
+    }
+
+    // note that this method is not used in any current code path,
+    // but is left here for compatibility with old versions, and as such
+    // is not up to date, i.e. it does not write 'inResponseTo'
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(principal);
@@ -67,5 +88,6 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeString(refreshToken);
         out.writeTimeValue(expiresIn);
         authentication.writeTo(out);
+        // intentionally missing inResponseTo
     }
 }

x-pack/plugin/security/qa/saml-rest-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlInResponseToIT.java

@@ -35,6 +35,8 @@ public void testInResponseTo_matchingValues() throws Exception {
         String requestId = generateRandomRequestId();
         var response = authUser(username, requestId, requestId);
         assertThat(response, hasKey("access_token"));
+        assertThat(response, hasKey("in_response_to"));
+        assertThat(response.get("in_response_to"), equalTo(requestId));
     }
 
     public void testInResponseTo_requestAndTokenHaveDifferentValues() throws Exception {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionAction.java

@@ -120,7 +120,7 @@ private static String buildLogoutResponseUrl(SamlRealm realm, SamlLogoutRequestH
     }
 
     private void findAndInvalidateTokens(SamlRealm realm, SamlLogoutRequestHandler.Result result, ActionListener<Integer> listener) {
-        final Map<String, Object> tokenMetadata = realm.createTokenMetadata(result.getNameId(), result.getSession());
+        final Map<String, Object> tokenMetadata = realm.createTokenMetadata(result.getNameId(), result.getSession(), null);
         if (Strings.isNullOrEmpty((String) tokenMetadata.get(SamlRealm.TOKEN_METADATA_NAMEID_VALUE))) {
             // If we don't have a valid name-id to match against, don't do anything
             LOGGER.debug("Logout request [{}] has no NameID value, so cannot invalidate any sessions", result);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/DefaultSamlAuthenticateResponseHandler.java

@@ -36,10 +36,17 @@ public void handleTokenResponse(
     ) {
         @SuppressWarnings("unchecked")
         final Map<String, Object> tokenMeta = (Map<String, Object>) authenticationResult.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
+        final String inResponseTo = (String) tokenMeta.get(SamlRealm.TOKEN_METADATA_IN_RESPONSE_TO);
         tokenService.createOAuth2Tokens(authentication, originatingAuthentication, tokenMeta, true, ActionListener.wrap(tokenResult -> {
             final TimeValue expiresIn = tokenService.getExpirationDelay();
             listener.onResponse(
-                new SamlAuthenticateResponse(authentication, tokenResult.getAccessToken(), tokenResult.getRefreshToken(), expiresIn)
+                new SamlAuthenticateResponse(
+                    authentication,
+                    tokenResult.getAccessToken(),
+                    tokenResult.getRefreshToken(),
+                    expiresIn,
+                    inResponseTo
+                )
             );
         }, listener::onFailure));
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAttributes.java

@@ -27,12 +27,20 @@ public class SamlAttributes implements Releasable {
 
     private final SamlNameId name;
     private final String session;
+    private final String inResponseTo;
     private final List<SamlAttribute> attributes;
     private final List<SamlPrivateAttribute> privateAttributes;
 
-    SamlAttributes(SamlNameId name, String session, List<SamlAttribute> attributes, List<SamlPrivateAttribute> privateAttributes) {
+    SamlAttributes(
+        SamlNameId name,
+        String session,
+        String inResponseTo,
+        List<SamlAttribute> attributes,
+        List<SamlPrivateAttribute> privateAttributes
+    ) {
         this.name = name;
         this.session = session;
+        this.inResponseTo = inResponseTo;
         this.attributes = attributes;
         this.privateAttributes = privateAttributes;
     }
@@ -89,9 +97,24 @@ String session() {
         return session;
     }
 
+    String inResponseTo() {
+        return inResponseTo;
+    }
+
     @Override
     public String toString() {
-        return getClass().getSimpleName() + "(" + name + ")[" + session + "]{" + attributes + "}{" + privateAttributes + "}";
+        return getClass().getSimpleName()
+            + "("
+            + name
+            + ")["
+            + session
+            + "]["
+            + inResponseTo
+            + "]{"
+            + attributes
+            + "}{"
+            + privateAttributes
+            + "}";
     }
 
     @Override

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticator.java

@@ -117,7 +117,7 @@ private SamlAttributes authenticateResponse(Element element, Collection<String>
         final Assertion assertion = details.v1();
         final SamlNameId nameId = SamlNameId.forSubject(assertion.getSubject());
         final String session = getSessionIndex(assertion);
-        final SamlAttributes samlAttributes = buildSamlAttributes(nameId, session, details.v2());
+        final SamlAttributes samlAttributes = buildSamlAttributes(nameId, session, response.getInResponseTo(), details.v2());
         if (logger.isTraceEnabled()) {
             StringBuilder sb = new StringBuilder();
             sb.append("The SAML Assertion contained the following attributes: \n");
@@ -141,7 +141,7 @@ private SamlAttributes authenticateResponse(Element element, Collection<String>
         return samlAttributes;
     }
 
-    private SamlAttributes buildSamlAttributes(SamlNameId nameId, String session, List<Attribute> attributes) {
+    private SamlAttributes buildSamlAttributes(SamlNameId nameId, String session, String inResponseTo, List<Attribute> attributes) {
         List<SamlAttributes.SamlAttribute> samlAttributes = new ArrayList<>();
         List<SamlAttributes.SamlPrivateAttribute> samlPrivateAttributes = new ArrayList<>();
         for (Attribute attribute : attributes) {
@@ -151,7 +151,7 @@ private SamlAttributes buildSamlAttributes(SamlNameId nameId, String session, Li
                 samlAttributes.add(new SamlAttributes.SamlAttribute(attribute));
             }
         }
-        return new SamlAttributes(nameId, session, samlAttributes, samlPrivateAttributes);
+        return new SamlAttributes(nameId, session, inResponseTo, samlAttributes, samlPrivateAttributes);
     }
 
     private static String getSessionIndex(Assertion assertion) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java

@@ -30,6 +30,7 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.core.CheckedRunnable;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.Releasables;
 import org.elasticsearch.core.SuppressForbidden;
@@ -159,6 +160,7 @@ public final class SamlRealm extends Realm implements Releasable {
     public static final String TOKEN_METADATA_NAMEID_SP_QUALIFIER = "saml_nameid_sp_qual";
     public static final String TOKEN_METADATA_NAMEID_SP_PROVIDED_ID = "saml_nameid_sp_id";
     public static final String TOKEN_METADATA_SESSION = "saml_session";
+    public static final String TOKEN_METADATA_IN_RESPONSE_TO = "saml_in_response_to";
     public static final String TOKEN_METADATA_REALM = "saml_realm";
 
     public static final String PRIVATE_ATTRIBUTES_METADATA = "saml_private_attributes";
@@ -588,7 +590,7 @@ private void buildUser(SamlAttributes attributes, ActionListener<AuthenticationR
             return;
         }
 
-        final Map<String, Object> tokenMetadata = createTokenMetadata(attributes.name(), attributes.session());
+        final Map<String, Object> tokenMetadata = createTokenMetadata(attributes.name(), attributes.session(), attributes.inResponseTo());
         final Map<String, List<SecureString>> privateAttributesMetadata = attributes.privateAttributes()
             .stream()
             .collect(Collectors.toMap(SamlPrivateAttribute::name, SamlPrivateAttribute::values));
@@ -639,7 +641,7 @@ private void buildUser(SamlAttributes attributes, ActionListener<AuthenticationR
         }));
     }
 
-    public Map<String, Object> createTokenMetadata(SamlNameId nameId, String session) {
+    public Map<String, Object> createTokenMetadata(@Nullable SamlNameId nameId, String session, @Nullable String inResponseTo) {
         final Map<String, Object> tokenMeta = new HashMap<>();
         if (nameId != null) {
             tokenMeta.put(TOKEN_METADATA_NAMEID_VALUE, nameId.value);
@@ -655,6 +657,9 @@ public Map<String, Object> createTokenMetadata(SamlNameId nameId, String session
             tokenMeta.put(TOKEN_METADATA_NAMEID_SP_PROVIDED_ID, null);
         }
         tokenMeta.put(TOKEN_METADATA_SESSION, session);
+        if (inResponseTo != null) {
+            tokenMeta.put(TOKEN_METADATA_IN_RESPONSE_TO, inResponseTo);
+        }
         tokenMeta.put(TOKEN_METADATA_REALM, name());
         return tokenMeta;
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java

@@ -102,6 +102,9 @@ public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBui
                         if (response.getAuthentication() != null) {
                             builder.field("authentication", response.getAuthentication());
                         }
+                        if (response.getInResponseTo() != null) {
+                            builder.field("in_response_to", response.getInResponseTo());
+                        }
                         builder.endObject();
                         return new RestResponse(RestStatus.OK, builder);
                     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java

@@ -463,7 +463,7 @@ private TokenService.CreateTokenResult storeToken(byte[] userTokenBytes, byte[]
             .user(new User("bob"))
             .realmRef(new RealmRef("native", NativeRealmSettings.TYPE, "node01"))
             .build(false);
-        final Map<String, Object> metadata = samlRealm.createTokenMetadata(nameId, session);
+        final Map<String, Object> metadata = samlRealm.createTokenMetadata(nameId, session, null);
         final PlainActionFuture<TokenService.CreateTokenResult> future = new PlainActionFuture<>();
         tokenService.createOAuth2Tokens(userTokenBytes, refreshTokenBytes, authentication, authentication, metadata, future);
         return future.actionGet();