-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] Support alternate auth providers for login #26979
Conversation
Login is no longer coupled directly to our basic auth provider, so alternative auth providers can now be used with our standard login flow. The LoginAttempt request service is the mechanism for auth providers to integrate with the login flow.
Transient CI failure due to #26228 |
retest |
This comment has been minimized.
This comment has been minimized.
/** | ||
* Utility class that knows how to decorate request with proper Basic authentication headers. | ||
*/ | ||
export class BasicCredentials { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing in BasicCredentials
changed, I just had to move it to the top of the file so I could use it within _authenticateViaLoginAttempt
without the linter complaining.
@@ -123,7 +193,7 @@ export class BasicAuthenticationProvider { | |||
this._options.log(['debug', 'security', 'basic'], 'Request has been authenticated via header.'); | |||
|
|||
return { | |||
authenticationResult: AuthenticationResult.succeeded(user, { authorization }) | |||
authenticationResult: AuthenticationResult.succeeded(user) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No more cookie for basic auth headers. It's worth mentioning that this change isn't essential for the addition of LoginAttempt nor the token provider, but it seems like the right behavior, and I can't think of a reason why the old behavior should be supported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and I can't think of a reason why the old behavior should be supported.
We didn't have this behavior before "auth providers", I'm really glad you removed that nasty thing! I can sleep well again now 🙂
Pinging @elastic/kibana-security |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js
Outdated
Show resolved
Hide resolved
x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js
Show resolved
Hide resolved
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - pending green CI
This comment has been minimized.
This comment has been minimized.
retest |
💚 Build Succeeded |
Login is no longer coupled directly to our basic auth provider, so alternative auth providers can now be used with our standard login flow. The LoginAttempt request service is the mechanism for auth providers to integrate with the login flow.
Login is no longer coupled directly to our basic auth provider, so alternative auth providers can now be used with our standard login flow. The LoginAttempt request service is the mechanism for auth providers to integrate with the login flow.
Login is no longer coupled directly to our basic auth provider, so
alternative auth providers can now be used with our standard login flow.
The LoginAttempt request service is the mechanism for auth providers to
integrate with the login flow.
The only noticeable change here from a product perspective is that
requests authenticated via basic headers should no longer respond with
a session cookie. Beyond that, basic authentication should still be possible
for curl commands and login should otherwise appear to work as it always
has.