OpenID Connect realm support

[jkakavas]

This issue tracks the effort to offer an OpenID Connect authentication realm in Elasticsearch.

Relevant specifications:

• OpenID Connect core
• OpenID Connect dynamic registration
• Implementer's drafts

Elasticsearch will implement and OpenID Connect Relying Party (RP). The initial idea is that this will be handled in a similar way to the SAML Authentication realm where

• Elasticsearch will implement all the necessary OpenID Connect related functionality
• Elasticsearch will expose the necessary REST API endpoints
• Users will be able to authenticate with OIDC via a facilitator which can be Kibana (in which case the Elastic stack is the RP) or a custom web application
• At the successful completion of an OIDC flow, Elasticsearch will exchange the OIDC ID token it receives from an OIDC Provider with an Elasticsearch token that can be used to authenticate future requests to Elasticsearch.

Tasks :

• Support for oAuth2 implicit flow ( as a client )
• Support for oAuth2 authorization code flow ( as a client )
• Support client (ES) authentication.
• Support OP discovery and static OP configuration
• JWS and JWE support
• OIDC Rest endpoints for facilitator communication
• ID token parsing and validation
• Support for requests to the userinfo endpoint
• Map claims to attributes ( and thus roles )
• Submit request for the OpenID Foundation conformance certification
• Support dynamic registration with an OP

[elasticmachine]

Pinging @elastic/es-security