elastic · azasypkin · Jan 3, 2020 · Jan 2, 2020
diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts
@@ -42,7 +42,7 @@ describe('OIDCAuthenticationProvider', () => {
 
   describe('`login` method', () => {
     it('redirects third party initiated login attempts to the OpenId Connect Provider.', async () => {
-      const request = httpServerMock.createKibanaRequest({ path: '/api/security/oidc' });
+      const request = httpServerMock.createKibanaRequest({ path: '/api/security/oidc/callback' });
 
       mockOptions.client.callAsInternalUser.withArgs('shield.oidcPrepare').resolves({
         state: 'statevalue',
@@ -205,21 +205,22 @@ describe('OIDCAuthenticationProvider', () => {
     describe('authorization code flow', () => {
       defineAuthenticationFlowTests(() => ({
         request: httpServerMock.createKibanaRequest({
-          path: '/api/security/oidc?code=somecodehere&state=somestatehere',
+          path: '/api/security/oidc/callback?code=somecodehere&state=somestatehere',
         }),
         attempt: {
           flow: OIDCAuthenticationFlow.AuthorizationCode,
-          authenticationResponseURI: '/api/security/oidc?code=somecodehere&state=somestatehere',
+          authenticationResponseURI:
+            '/api/security/oidc/callback?code=somecodehere&state=somestatehere',
         },
-        expectedRedirectURI: '/api/security/oidc?code=somecodehere&state=somestatehere',
+        expectedRedirectURI: '/api/security/oidc/callback?code=somecodehere&state=somestatehere',
       }));
     });
 
     describe('implicit flow', () => {
       defineAuthenticationFlowTests(() => ({
         request: httpServerMock.createKibanaRequest({
           path:
-            '/api/security/oidc?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken',
+            '/api/security/oidc/callback?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken',
         }),
         attempt: {
           flow: OIDCAuthenticationFlow.Implicit,

diff --git a/x-pack/plugins/security/server/routes/authentication/oidc.ts b/x-pack/plugins/security/server/routes/authentication/oidc.ts
@@ -23,7 +23,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route
     /**
      * The route should be configured as a redirect URI in OP when OpenID Connect implicit flow
      * is used, so that we can extract authentication response from URL fragment and send it to
-     * the `/api/security/oidc` route.
+     * the `/api/security/oidc/callback` route.
      */
     router.get(
       {
@@ -57,7 +57,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route
 
   /**
    * The route that accompanies `/api/security/oidc/implicit` and renders a JavaScript snippet
-   * that extracts fragment part from the URL and send it to the `/api/security/oidc` route.
+   * that extracts fragment part from the URL and send it to the `/api/security/oidc/callback` route.
    * We need this separate endpoint because of default CSP policy that forbids inline scripts.
    */
   router.get(
@@ -72,7 +72,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route
         createCustomResourceResponse(
           `
           window.location.replace(
-            '${serverBasePath}/api/security/oidc?authenticationResponseURI=' + encodeURIComponent(window.location.href)
+            '${serverBasePath}/api/security/oidc/callback?authenticationResponseURI=' + encodeURIComponent(window.location.href)
           );
         `,
           'text/javascript',
@@ -83,7 +83,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route
   );
 
   // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used.
-  for (const path of ['/api/security/oidc', '/api/security/v1/oidc']) {
+  for (const path of ['/api/security/oidc/callback', '/api/security/v1/oidc']) {
     router.get(
       {
         path,
@@ -124,7 +124,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route
         } else if (request.query.code || request.query.error) {
           if (path === '/api/security/v1/oidc') {
             logger.warn(
-              `The "${serverBasePath}${path}" URL is deprecated and will stop working in the next major version, please use "${serverBasePath}/api/security/oidc" URL instead.`,
+              `The "${serverBasePath}${path}" URL is deprecated and will stop working in the next major version, please use "${serverBasePath}/api/security/oidc/callback" URL instead.`,
               { tags: ['deprecation'] }
             );
           }

diff --git a/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js b/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js
@@ -125,22 +125,22 @@ export default function({ getService }) {
 
       it('should fail if OpenID Connect response is not complemented with handshake cookie', async () => {
         await supertest
-          .get(`/api/security/oidc?code=thisisthecode&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=thisisthecode&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .expect(401);
       });
 
       it('should fail if state is not matching', async () => {
         await supertest
-          .get(`/api/security/oidc?code=thisisthecode&state=someothervalue`)
+          .get(`/api/security/oidc/callback?code=thisisthecode&state=someothervalue`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(401);
       });
 
       it('should succeed if both the OpenID Connect response and the cookie are provided', async () => {
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(302);
@@ -195,7 +195,7 @@ export default function({ getService }) {
           .expect(200);
 
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code2&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code2&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(302);
@@ -245,7 +245,7 @@ export default function({ getService }) {
           .expect(200);
 
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
@@ -320,7 +320,7 @@ export default function({ getService }) {
           .expect(200);
 
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(302);
@@ -409,7 +409,7 @@ export default function({ getService }) {
           .expect(200);
 
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(302);
@@ -499,7 +499,7 @@ export default function({ getService }) {
           .expect(200);
 
         const oidcAuthenticationResponse = await supertest
-          .get(`/api/security/oidc?code=code1&state=${stateAndNonce.state}`)
+          .get(`/api/security/oidc/callback?code=code1&state=${stateAndNonce.state}`)
           .set('kbn-xsrf', 'xxx')
           .set('Cookie', handshakeCookie.cookieString())
           .expect(302);

diff --git a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts
@@ -66,7 +66,7 @@ export default function({ getService }: FtrProviderContext) {
 
         // Check that script that forwards URL fragment worked correctly.
         expect(dom.window.location.href).to.be(
-          '/api/security/oidc?authenticationResponseURI=https%3A%2F%2Fkibana.com%2Fapi%2Fsecurity%2Foidc%2Fimplicit%23token%3Dsome_token%26access_token%3Dsome_access_token'
+          '/api/security/oidc/callback?authenticationResponseURI=https%3A%2F%2Fkibana.com%2Fapi%2Fsecurity%2Foidc%2Fimplicit%23token%3Dsome_token%26access_token%3Dsome_access_token'
         );
       });
 
@@ -76,7 +76,7 @@ export default function({ getService }: FtrProviderContext) {
 
         await supertest
           .get(
-            `/api/security/oidc?authenticationResponseURI=${encodeURIComponent(
+            `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent(
               authenticationResponse
             )}`
           )
@@ -90,7 +90,7 @@ export default function({ getService }: FtrProviderContext) {
 
         await supertest
           .get(
-            `/api/security/oidc?authenticationResponseURI=${encodeURIComponent(
+            `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent(
               authenticationResponse
             )}`
           )
@@ -106,7 +106,7 @@ export default function({ getService }: FtrProviderContext) {
 
         const oidcAuthenticationResponse = await supertest
           .get(
-            `/api/security/oidc?authenticationResponseURI=${encodeURIComponent(
+            `/api/security/oidc/callback?authenticationResponseURI=${encodeURIComponent(
               authenticationResponse
             )}`
           )

diff --git a/x-pack/test/oidc_api_integration/config.ts b/x-pack/test/oidc_api_integration/config.ts
@@ -32,7 +32,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) {
         `xpack.security.authc.realms.oidc.oidc1.rp.client_id=0oa8sqpov3TxMWJOt356`,
         `xpack.security.authc.realms.oidc.oidc1.rp.client_secret=0oa8sqpov3TxMWJOt356`,
         `xpack.security.authc.realms.oidc.oidc1.rp.response_type=code`,
-        `xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri=http://localhost:${kibanaPort}/api/security/oidc`,
+        `xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri=http://localhost:${kibanaPort}/api/security/oidc/callback`,
         `xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint=https://test-op.elastic.co/oauth2/v1/authorize`,
         `xpack.security.authc.realms.oidc.oidc1.op.endsession_endpoint=https://test-op.elastic.co/oauth2/v1/endsession`,
         `xpack.security.authc.realms.oidc.oidc1.op.token_endpoint=http://localhost:${kibanaPort}/api/oidc_provider/token_endpoint`,