Skip to content

Short circuit failure handling in OIDC flow #130618

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Short circuit failure handling in OIDC flow #130618

wants to merge 1 commit into from
+14 −22

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented Jul 4, 2025

We should return after the onFailure call during the claims check.

@n1v0lg n1v0lg requested a review from slobodanadamovic July 4, 2025 09:54
@n1v0lg n1v0lg self-assigned this Jul 4, 2025
@n1v0lg n1v0lg added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jul 4, 2025
@n1v0lg n1v0lg marked this pull request as ready for review July 4, 2025 10:39
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

slobodanadamovic
slobodanadamovic reviewed Jul 4, 2025
View reviewed changes
...ty/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
@@ -477,7 +477,20 @@ static void handleUserinfoResponse(
if (httpResponse.getStatusLine().getStatusCode() == 200) {
if (ContentType.parse(contentHeader.getValue()).getMimeType().equals("application/json")) {
final JWTClaimsSet userInfoClaims = JWTClaimsSet.parse(contentAsString);
validateUserInfoResponse(userInfoClaims, verifiedIdTokenClaims.getSubject(), claimsListener);
String expectedSub = verifiedIdTokenClaims.getSubject();
if (userInfoClaims.getSubject().isEmpty()) {
Copy link
Contributor

@slobodanadamovic slobodanadamovic Jul 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's cover these error cases with unit tests in OpenIdConnectAuthenticatorTests. Also, I think we could potentially get a NullPointerException here when userInfoClaims.getSubject() is not returned at all (null).

Below is a simple test I could think of to test not matching subs. Not sure if there is a test version of action listener implementation which asserts that it was called only once:

    public void testHandleUserinfoValidationFailsOnNotMatchingSubject() throws Exception {
        final ProtocolVersion httpVersion = randomFrom(HttpVersion.HTTP_0_9, HttpVersion.HTTP_1_0, HttpVersion.HTTP_1_1);
        final HttpResponse response = new BasicHttpResponse(new BasicStatusLine(httpVersion, RestStatus.OK.getStatus(), "OK"));

        final String sub = randomAlphaOfLengthBetween(4, 36);
        final String inf = randomAlphaOfLength(12);
        final JWTClaimsSet infoClaims = new JWTClaimsSet.Builder().subject("it-is-a-different-subject").claim("inf", inf).build();
        final StringEntity entity = new StringEntity(infoClaims.toString(), ContentType.APPLICATION_JSON);
        if (randomBoolean()) {
            entity.setContentEncoding(
                randomFrom(StandardCharsets.UTF_8.name(), StandardCharsets.UTF_16.name(), StandardCharsets.US_ASCII.name())
            );
        }
        response.setEntity(entity);

        final String idx = randomAlphaOfLength(8);
        final JWTClaimsSet idClaims = new JWTClaimsSet.Builder().subject(sub).claim("idx", idx).build();
        final AtomicBoolean listenerCalled = new AtomicBoolean(false);
        final PlainActionFuture<JWTClaimsSet> future = new PlainActionFuture<>() {

            @Override
            public void onResponse(JWTClaimsSet result) {
                assertTrue("listener called more than once", listenerCalled.compareAndSet(false, true));
                super.onResponse(result);
            }

            @Override
            public void onFailure(Exception e) {
                assertTrue("listener called more than once", listenerCalled.compareAndSet(false, true));
                super.onFailure(e);
            }
        };

        this.authenticator = buildAuthenticator();
        OpenIdConnectAuthenticator.handleUserinfoResponse(response, idClaims, future);
        var e = expectThrows(ElasticsearchSecurityException.class, () -> future.actionGet());

        assertThat(
            e.getMessage(),
            equalTo(
                "Userinfo Response is not valid as it is for subject [it-is-a-different-subject] while the ID Token was for subject ["
                    + sub
                    + "]"
            )
        );

    }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (userInfoClaims.getSubject().isEmpty()) {
if (userInfoClaims.getSubject() == null || userInfoClaims.getSubject().isEmpty()) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks catching, I rushed on this 🤦

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related to your changes, but I think we should fix it as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slobodanadamovic slobodanadamovic slobodanadamovic left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@n1v0lg n1v0lg

Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.18.4 v8.19.1 v9.0.4 v9.1.1 v9.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@n1v0lg @elasticsearchmachine @slobodanadamovic