Allow IdP initiated SAML login with session containing expired token. by azasypkin · Pull Request #59686 · elastic/kibana

azasypkin · 2020-03-09T17:30:48Z

As in proposed in #59629 in this PR we're trying to leverage existing session during IdP initiated SAML login even if it contains expired access token.

Notable changes:

We try to use SAML Response even if existing access token is expired
We treat 404 errors that Elasticsearch returns when it tries to invalidate non-existent tokens in exactly the same way as we'd treat 404 response (see Fix responses for the token APIs elasticsearch#54532 (comment) for details)

How to test:

Log in with SAML (via IdP or User initiated flow, it doesn't matter)
Delete all access tokens from Elasticsearch:

POST localhost:9200/.security-tokens/_delete_by_query?pretty&refresh=true
Authorization: Basic xxxx
Accept: application/json
Content-Type: application/json

{
  "query": {
    "match": {
      "doc_type": "token"
    }
  }
}

Try to log in to Kibana via IdP initiated flow using the same or another user in the same browsing context (so that browser sends SAML Response with the existing cookie with deleted tokens)

Note: You may want to close browser tab (not window) after step 1 so that Kibana doesn't automatically log you out.

Blocked by: elastic/elasticsearch#53323
Fixes: #59629

"Release Note: previously user couldn't log in with SAML Identity Provider Initiated flow (e.g. from Okta Dashboard) if they already had an existing, but expired session. Now it should be possible."

elasticmachine · 2020-03-09T17:30:51Z

Pinging @elastic/kibana-security (Team:Security)

azasypkin · 2020-03-25T13:19:33Z

x-pack/plugins/security/server/authentication/providers/saml.ts

note: we can keep this if we decide to fix the issue without ES part in elastic/elasticsearch#53323.

azasypkin · 2020-04-21T11:59:50Z

@legrego @jportner heya, tagging you both for review, just whoever gets first to this PR 🙂 Not urgent, can wait. Thanks!

legrego

LGTM! Tested locally, works great.

legrego · 2020-04-23T11:40:43Z

x-pack/plugins/security/server/authentication/tokens.ts

        this.logger.debug(`Failed to invalidate refresh token: ${err.message}`);
-        // We don't re-throw the error here to have a chance to invalidate access token if it's provided.
-        invalidationError = err;
+


At some point (not now), it might make sense to consolidate the error handling logic for the access and refresh tokens, since they appear nearly identical. I fear these will accidentally diverge at some point, and we'll have another subtle auth bug on our hands

Totally agree, every time I change this code I stare at it and want to unify, but always defer for one reason or another 🙈

azasypkin · 2020-04-23T11:50:22Z

@elasticmachine merge upstream

azasypkin · 2020-04-23T15:11:47Z

@elasticmachine merge upstream

kibanamachine · 2020-04-23T17:01:55Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request
Commit: 3f14caa

History

💚 Build #42117 succeeded a32f60f
💚 Build #36242 succeeded af4e95686c1cc8a05db1858d27d79ad5594ca0cc
💔 Build #36167 failed ca014a774acf015219308860a1c9ccc0a0f556ac
💚 Build #31845 succeeded b6b7545eca0349cd62bbd6c4e199ea45c6f3bd1a

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

…elastic#59686)

azasypkin · 2020-04-24T07:58:13Z

7.x/7.8.0: a15a1e0
7.7/7.7.1: 7827fa5

kibanamachine · 2020-04-27T07:58:44Z