Removes deprecated platform security v1 routes #203915

Open
wants to merge 4 commits into
base: main

jeramysoucy
Contributor

Summary

Removes the v1 routes deprecated in #199656

Part of Kibana 9.0.0 readiness https://github.com/elastic/kibana-team/issues/1190

jeramysoucy added the Team:Security, release_note:skip, backport:skip and v9.0.0 labels on Dec 11, 2024
jeramysoucy self-assigned this on Dec 11, 2024
@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @jeramysoucy

jeramysoucy marked this pull request as ready for review on December 17, 2024 16:59
jeramysoucy requested a review from a team as a code owner on December 17, 2024 16:59
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

Member

@azasypkin azasypkin left a comment

LGTM, thanks! Just a few suggestions.

@@ -23,79 +22,47 @@ export function defineSAMLRoutes({
buildFlavor,
Member

nit: we can remove basePath, logger, buildFlavor, docLinks

options: {
access: 'public',
excludeFromOAS: true,
authRequired: false,
Member

question: while you're here, would you mind replacing deprecated authRequired with security.authc.enabled?

@@ -27,58 +27,32 @@ export function defineOIDCRoutes({
basePath,
Member

nit: we can remove logger, docLinks

path: '/api/security/oidc/implicit',
validate: false,
options: {
authRequired: false,
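
Review bot: `validate: false` next to `authRequired: false` on `/api/security/oidc/implicit` leaves this route reachable without a session and with no declared input schema. If the handler reads nothing from the request, add a one-line comment saying so; otherwise declare the expected fields so unexpected input is rejected before the handler runs.
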
Member

question: while you're here, would you mind replacing deprecated authRequired with security.authc.enabled in all routes in this file?

Comment on lines +97 to +99
iss: schema.maybe(schema.uri({ scheme: ['https'] })),
login_hint: schema.maybe(schema.string()),
target_link_uri: schema.maybe(schema.uri()),
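
Review bot: `target_link_uri` on line +99 is declared as `schema.uri()` with no scheme restriction, while `iss` two lines above is limited to `https`. If these parameters stay, give `target_link_uri` an explicit scheme allowlist as well, or add a comment explaining why any scheme is acceptable for this caller-supplied value.
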
Member

note: we can remove these as it's only used for OP initiated login attempts and we deprecated usage of /api/security/oidc/callback for this since 7.6.0 (#50695), users should rely on /api/security/oidc/initiate_login instead

Suggested change
iss: schema.maybe(schema.uri({ scheme: ['https'] })),
login_hint: schema.maybe(schema.string()),
target_link_uri: schema.maybe(schema.uri()),

Comment on lines +135 to +143
} else if (request.query.iss) {
// An HTTP GET request with a query parameter named `iss` as part of a 3rd party initiated authentication.
// See more details at https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
loginAttempt = {
type: OIDCLogin.LoginInitiatedBy3rdParty,
iss: request.query.iss,
loginHint: request.query.login_hint,
};
}
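
Review bot: once the `else if (request.query.iss)` branch at +135 to +143 is dropped, nothing in the visible lines assigns `loginAttempt` for a GET that still sends `iss`. Make sure that case returns an explicit client error instead of falling through with `loginAttempt` unset, and cover it with a test.
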
Member

note: same as above, this endpoint should no longer support OP initiated logins (that's why we logged deprecation notice for both deprecated and non-deprecated routes).

Suggested change
} else if (request.query.iss) {
// An HTTP GET request with a query parameter named `iss` as part of a 3rd party initiated authentication.
// See more details at https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
loginAttempt = {
type: OIDCLogin.LoginInitiatedBy3rdParty,
iss: request.query.iss,
loginHint: request.query.login_hint,
};
}
}

@@ -36,124 +35,67 @@ export function defineCommonRoutes({
buildFlavor,
docLinks,
Member

Suggested change
docLinks,

options: {
access: 'public',
excludeFromOAS: true,
authRequired: false,
Member

question: while you're here, would you mind replacing deprecated authRequired with security.authc.enabled in all routes in this file?

Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v9.0.0