Token API supports the client_credentials grant #33106
Merged
jaymode merged 6 commits into elastic:master, Aug 27, 2018
Conversation
This change adds support for the client credentials grant type to the token API. The client credentials grant allows for a client to authenticate with the authorization server and obtain a token to access as itself. Per RFC 6749, a refresh token should not be included with the access token and as such a refresh token is not issued when the client credentials grant is used. The addition of the client credentials grant will allow users authenticated with mechanisms such as Kerberos or PKI to obtain a token that can be used for subsequent access.
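The practical consequence of the description above is a different token lifecycle on the client side: a password grant hands back a refresh token, a client_credentials grant does not, so an expired client_credentials token can only be replaced by authenticating again (Kerberos ticket, client certificate) and requesting a new one. The helper below is an added example, not code from this PR or from Elasticsearch. The endpoint path, the response field names (access_token, type, expires_in, refresh_token) and the two sample responses are assumptions for the illustration; the rule it enforces (refresh token only for the password grant) is the one stated in the PR and in the review comment.

```python
"""Client-side handling of token API grant types (added example, not PR code).

Assumed, not taken from the page: the endpoint path below, the response field
names, and the constructed sample responses at the bottom.
"""
import json
import time

# Assumed 6.x-era path; the 7.x docs use /_security/oauth2/token instead.
TOKEN_ENDPOINT = "/_xpack/security/oauth2/token"

# Grants whose response carries a refresh token. Per RFC 6749 section 4.4.3 a
# client_credentials response should not include one, which is what the PR
# implements; only the password grant is expected to return one here.
GRANTS_WITH_REFRESH = {"password"}


def build_token_request(grant_type, **params):
    """Return the JSON body to POST to TOKEN_ENDPOINT for a given grant.

    client_credentials carries nothing but the grant type: the caller's own
    identity (Kerberos, PKI, basic auth...) is authenticated at the HTTP layer,
    and the token is issued for that identity.
    """
    if grant_type == "client_credentials":
        if params:
            raise ValueError("client_credentials takes no extra parameters")
        return {"grant_type": grant_type}
    if grant_type == "password":
        missing = {"username", "password"} - set(params)
        if missing:
            raise ValueError("password grant needs %s" % sorted(missing))
        return {"grant_type": grant_type,
                "username": params["username"],
                "password": params["password"]}
    if grant_type == "refresh_token":
        if "refresh_token" not in params:
            raise ValueError("refresh_token grant needs refresh_token")
        return {"grant_type": grant_type, "refresh_token": params["refresh_token"]}
    raise ValueError("unsupported grant_type %r" % grant_type)


def parse_token_response(body, grant_type, now=None):
    """Validate the server's JSON reply and return a session dict.

    Enforces the invariant from the PR: a client_credentials response must not
    contain a refresh token. One showing up where none is expected points at a
    misbehaving proxy or a spoofed endpoint, so it is refused rather than stored.
    """
    now = time.time() if now is None else now
    data = json.loads(body) if isinstance(body, str) else body
    if data.get("type", "Bearer") != "Bearer":
        raise ValueError("unexpected token type %r" % data.get("type"))
    if "refresh_token" in data and grant_type not in GRANTS_WITH_REFRESH:
        raise ValueError("refresh_token present in a %s response" % grant_type)
    if grant_type in GRANTS_WITH_REFRESH and "refresh_token" not in data:
        raise ValueError("%s grant response lacks refresh_token" % grant_type)
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]),
    }


def next_step_when_expired(session):
    """Body of the request to send once session['expires_at'] has passed.

    With a refresh token in hand it can be exchanged. Without one (the
    client_credentials case) the client must authenticate again and ask for a
    fresh token; there is nothing to refresh.
    """
    if session["refresh_token"] is not None:
        return build_token_request("refresh_token",
                                   refresh_token=session["refresh_token"])
    return build_token_request("client_credentials")


def auth_header(session):
    """Header used on subsequent requests once a token has been obtained."""
    return {"Authorization": "Bearer " + session["access_token"]}


# Constructed sample responses; not from the page or from a real cluster.
SAMPLE_CLIENT_CREDENTIALS = (
    '{"access_token":"cc-token-example","type":"Bearer","expires_in":1200}')
SAMPLE_PASSWORD = (
    '{"access_token":"pw-token-example","type":"Bearer","expires_in":1200,'
    '"refresh_token":"rt-example"}')
```

Feeding the password-grant sample into parse_token_response with grant_type="client_credentials" raises, which is the check a client should keep even after the server-side fix: it costs nothing and catches an intermediary that replays or rewrites token responses.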
Collaborator
Pinging @elastic/es-security
tvernum approved these changes Aug 24, 2018
Contributor
tvernum left a comment
LGTM, with 1 docs suggestion.
}
--------------------------------------------------
// TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/]
Contributor
I think flowing from the client_credentials example straight into a discussion on refresh_token is confusing because client_credentials doesn't provide a refresh token, and it will undoubtedly trip up some readers.
Maybe the refresh token section can indicate that only "password" grants provide refresh tokens?
jasontedor added a commit that referenced this pull request Aug 27, 2018
* master:
  Adjust BWC version on mapping version
  Token API supports the client_credentials grant (#33106)
  Build: forked compiler max memory matches jvmArgs (#33138)
  Introduce mapping version to index metadata (#33147)
  SQL: Enable aggregations to create a separate bucket for missing values (#32832)
  Fix grammar in contributing docs
  SECURITY: Fix Compile Error in ReservedRealmTests (#33166)
  APM server monitoring (#32515)
  Support only string `format` in date, root object & date range (#28117)
  [Rollup] Move toBuilders() methods out of rollup config objects (#32585)
  Fix forbiddenapis on java 11 (#33116)
  Apply publishing to genreate pom (#33094)
  Have circuit breaker succeed on unknown mem usage
  Do not lose default mapper on metadata updates (#33153)
  Fix a mappings update test (#33146)
  Reload Secure Settings REST specs & docs (#32990)
  Refactor CachingUsernamePassword realm (#32646)
jaymode added a commit that referenced this pull request Aug 27, 2018
This change adds support for the client credentials grant type to the token API. The client credentials grant allows for a client to authenticate with the authorization server and obtain a token to access as itself. Per RFC 6749, a refresh token should not be included with the access token and as such a refresh token is not issued when the client credentials grant is used. The addition of the client credentials grant will allow users authenticated with mechanisms such as Kerberos or PKI to obtain a token that can be used for subsequent access.
jaymode added a commit that referenced this pull request Aug 28, 2018
This change fixes the token bwc tests that started failing after a bad backport of #33106. During merge conflict resolution, an additional if statement was added that used the incorrect passphrase in the keystore, which caused token validation to fail. This if statement has been removed in this commit. Closes #33197
dnhatn added a commit that referenced this pull request Aug 28, 2018
* 6.x:
  [Rollup] Better error message when trying to set non-rollup index (#32965)
  Remove unused User class from protocol (#33137)
  [DOCS] Adds link to 6.3.0 release highlights
  Test: fix token bwc tests due to bad backport
  Ensure to generate identical NoOp for the same failure (#33141)
  [Docs] Add link to es-kotlin-wrapper-client (#32618)
  [Docs] Remove repeating words (#33087)
  Minor spelling and grammar fix (#32931)
  Run Third party audit with forbidden APIs CLI (part3/3) (#33052)
  Fix plugin build test on Windows (#33078)
  Watcher: Simplify finding next date in cron schedule (#33015)
  Remove old unused test script files (#32970)
  Build analysis-icu client JAR (#33184)
  Switch remaining tests to new style Requests (#33109)
  Use internal connection manager when fetching remote node info
  Switch remaining x-pack tests to new style Requests (#33108)
  Switch remaining ml tests to new style Requests (#33107)
  Token API supports the client_credentials grant (#33106)
jaymode added a commit to jaymode/elasticsearch that referenced this pull request Aug 29, 2018
This commit changes the serialization version from V_7_0_0_alpha1 to V_6_5_0 for the create token request and response with a client credentials grant type. The client credentials work has now been backported to 6.x. Relates elastic#33106