Nit fixes and formatting following #62490 comments

client/rest-high-level/src/main/java/org/elasticsearch/client/security/CreateTokenResponse.java

@@ -42,17 +42,17 @@ public final class CreateTokenResponse {
     private final String scope;
     private final String refreshToken;
     private final String kerberosAuthenticationResponseToken;
-    private final AuthenticateResponse authenticationResponse;
+    private final AuthenticateResponse authentication;
 
     public CreateTokenResponse(String accessToken, String type, TimeValue expiresIn, String scope, String refreshToken,
-                               String kerberosAuthenticationResponseToken, AuthenticateResponse authenticationResponse) {
+                               String kerberosAuthenticationResponseToken, AuthenticateResponse authentication) {
         this.accessToken = accessToken;
         this.type = type;
         this.expiresIn = expiresIn;
         this.scope = scope;
         this.refreshToken = refreshToken;
         this.kerberosAuthenticationResponseToken = kerberosAuthenticationResponseToken;
-        this.authenticationResponse = authenticationResponse;
+        this.authentication = authentication;
     }
 
     public String getAccessToken() {
@@ -79,7 +79,7 @@ public String getKerberosAuthenticationResponseToken() {
         return kerberosAuthenticationResponseToken;
     }
 
-    public AuthenticateResponse getAuthenticationResponse() { return authenticationResponse; }
+    public AuthenticateResponse getAuthentication() { return authentication; }
 
     @Override
     public boolean equals(Object o) {
@@ -96,12 +96,12 @@ public boolean equals(Object o) {
             Objects.equals(scope, that.scope) &&
             Objects.equals(refreshToken, that.refreshToken) &&
             Objects.equals(kerberosAuthenticationResponseToken, that.kerberosAuthenticationResponseToken)&&
-            Objects.equals(authenticationResponse, that.authenticationResponse);
+            Objects.equals(authentication, that.authentication);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(accessToken, type, expiresIn, scope, refreshToken, kerberosAuthenticationResponseToken, authenticationResponse);
+        return Objects.hash(accessToken, type, expiresIn, scope, refreshToken, kerberosAuthenticationResponseToken, authentication);
     }
 
     private static final ConstructingObjectParser<CreateTokenResponse, Void> PARSER = new ConstructingObjectParser<>(

client/rest-high-level/src/main/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponse.java

@@ -34,14 +34,14 @@ public final class DelegatePkiAuthenticationResponse {
     private final String accessToken;
     private final String type;
     private final TimeValue expiresIn;
-    private final AuthenticateResponse authenticationResponse;
+    private final AuthenticateResponse authentication;
 
     public DelegatePkiAuthenticationResponse(String accessToken, String type, TimeValue expiresIn,
-                                             AuthenticateResponse authenticationResponse) {
+                                             AuthenticateResponse authentication) {
         this.accessToken = accessToken;
         this.type = type;
         this.expiresIn = expiresIn;
-        this.authenticationResponse = authenticationResponse;
+        this.authentication = authentication;
     }
 
     public String getAccessToken() {
@@ -56,7 +56,7 @@ public TimeValue getExpiresIn() {
         return expiresIn;
     }
 
-    public AuthenticateResponse getAuthenticationResponse() { return authenticationResponse; }
+    public AuthenticateResponse getAuthentication() { return authentication; }
 
     @Override
     public boolean equals(Object o) {
@@ -70,12 +70,12 @@ public boolean equals(Object o) {
         return Objects.equals(accessToken, that.accessToken) &&
             Objects.equals(type, that.type) &&
             Objects.equals(expiresIn, that.expiresIn) &&
-            Objects.equals(authenticationResponse, that.authenticationResponse);
+            Objects.equals(authentication, that.authentication);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(accessToken, type, expiresIn, authenticationResponse);
+        return Objects.hash(accessToken, type, expiresIn, authentication);
     }
 
     @SuppressWarnings("unchecked")

client/rest-high-level/src/test/java/org/elasticsearch/client/security/CreateTokenResponseTests.java

@@ -40,7 +40,7 @@ public void testFromXContent() throws IOException {
         final String scope = randomBoolean() ? null : randomAlphaOfLength(4);
         final String type = randomAlphaOfLength(6);
         final String kerberosAuthenticationResponseToken = randomBoolean() ? null : randomAlphaOfLength(7);
-        final AuthenticateResponse authenticateResponse = new AuthenticateResponse(new User(randomAlphaOfLength(7),
+        final AuthenticateResponse authentication = new AuthenticateResponse(new User(randomAlphaOfLength(7),
             Arrays.asList( randomAlphaOfLength(9) )),
             true, new AuthenticateResponse.RealmInfo(randomAlphaOfLength(5), randomAlphaOfLength(7) ),
             new AuthenticateResponse.RealmInfo(randomAlphaOfLength(5), randomAlphaOfLength(5) ), "realm");
@@ -60,7 +60,7 @@ public void testFromXContent() throws IOException {
         if (kerberosAuthenticationResponseToken != null) {
             builder.field("kerberos_authentication_response_token", kerberosAuthenticationResponseToken);
         }
-        builder.field("authentication", authenticateResponse);
+        builder.field("authentication", authentication);
         builder.endObject();
         BytesReference xContent = BytesReference.bytes(builder);
 
@@ -71,6 +71,6 @@ public void testFromXContent() throws IOException {
         assertThat(response.getType(), equalTo(type));
         assertThat(response.getExpiresIn(), equalTo(expiresIn));
         assertThat(response.getKerberosAuthenticationResponseToken(), equalTo(kerberosAuthenticationResponseToken));
-        assertThat(response.getAuthenticationResponse(), equalTo(authenticateResponse));
+        assertThat(response.getAuthentication(), equalTo(authentication));
     }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponseTests.java

@@ -61,7 +61,7 @@ protected void assertInstances(org.elasticsearch.xpack.core.security.action.Dele
         assertThat(clientInstance.getType(), is("Bearer"));
         AuthenticateResponse serverAuthenticationResponse = createServerAuthenticationResponse(serverTestInstance.getAuthentication());
         User user = serverTestInstance.getAuthentication().getUser();
-        assertThat(serverAuthenticationResponse, equalTo(clientInstance.getAuthenticationResponse()));
+        assertThat(serverAuthenticationResponse, equalTo(clientInstance.getAuthentication()));
     }
 
     protected Authentication createAuthentication() {

x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc

@@ -99,16 +99,16 @@ Which returns the following response:
       "pki_dn" : "O=org, OU=Elasticsearch, CN=Elasticsearch Test Client",
       "pki_delegated_by_user" : "test_admin",
       "pki_delegated_by_realm" : "file"
-      },
+    },
     "enabled" : true,
     "authentication_realm" : {
       "name" : "pki1",
       "type" : "pki"
-      },
+    },
     "lookup_realm" : {
       "name" : "pki1",
       "type" : "pki"
-      },
+    },
     "authentication_type" : "realm"
   }
 }

x-pack/docs/en/rest-api/security/get-tokens.asciidoc

@@ -125,23 +125,23 @@ seconds) that the token expires in, and the type:
   "type" : "Bearer",
   "expires_in" : 1200,
   "authentication" : {
-   "username" : "test_admin",
-   "roles" : [
-    "superuser"
-   ],
-  "full_name" : null,
-  "email" : null,
-  "metadata" : { },
-  "enabled" : true,
-  "authentication_realm" : {
-   "name" : "file",
-   "type" : "file"
-  },
-  "lookup_realm" : {
-   "name" : "file",
-   "type" : "file"
-  },
-  "authentication_type" : "realm"
+    "username" : "test_admin",
+    "roles" : [
+      "superuser"
+    ],
+    "full_name" : null,
+    "email" : null,
+    "metadata" : { },
+    "enabled" : true,
+    "authentication_realm" : {
+      "name" : "file",
+      "type" : "file"
+    },
+    "lookup_realm" : {
+      "name" : "file",
+      "type" : "file"
+    },
+    "authentication_type" : "realm"
   }
 }
 --------------------------------------------------
@@ -182,23 +182,23 @@ seconds) that the token expires in, the type, and the refresh token:
   "expires_in" : 1200,
   "refresh_token": "vLBPvmAB6KvwvJZr27cS",
   "authentication" : {
-   "username" : "test_admin",
-   "roles" : [
-    "superuser"
+    "username" : "test_admin",
+    "roles" : [
+      "superuser"
     ],
-   "full_name" : null,
-   "email" : null,
-   "metadata" : { },
-   "enabled" : true,
-   "authentication_realm" : {
-    "name" : "file",
-    "type" : "file"
+    "full_name" : null,
+    "email" : null,
+    "metadata" : { },
+    "enabled" : true,
+    "authentication_realm" : {
+      "name" : "file",
+      "type" : "file"
     },
-   "lookup_realm" : {
-    "name" : "file",
-    "type" : "file"
-   },
-   "authentication_type" : "realm"
+    "lookup_realm" : {
+      "name" : "file",
+      "type" : "file"
+    },
+    "authentication_type" : "realm"
   }
 }
 --------------------------------------------------
@@ -232,23 +232,23 @@ be used one time.
   "expires_in" : 1200,
   "refresh_token": "vLBPvmAB6KvwvJZr27cS",
   "authentication" : {
-   "username" : "test_admin",
-   "roles" : [
-    "superuser"
+    "username" : "test_admin",
+    "roles" : [
+      "superuser"
     ],
-   "full_name" : null,
-   "email" : null,
-   "metadata" : { },
-   "enabled" : true,
-   "authentication_realm" : {
-    "name" : "file",
-    "type" : "file"
+    "full_name" : null,
+    "email" : null,
+    "metadata" : { },
+    "enabled" : true,
+    "authentication_realm" : {
+      "name" : "file",
+      "type" : "file"
     },
-   "lookup_realm" : {
-    "name" : "file",
-    "type" : "file"
+    "lookup_realm" : {
+      "name" : "file",
+      "type" : "file"
     },
-   "authentication_type" : "token"
+    "authentication_type" : "token"
   }
 }
 --------------------------------------------------
@@ -282,23 +282,23 @@ Each refresh token may only be used one time. When the mutual authentication is
   "refresh_token": "vLBPvmAB6KvwvJZr27cS"
   "kerberos_authentication_response_token": "YIIB6wYJKoZIhvcSAQICAQBuggHaMIIB1qADAg",
   "authentication" : {
-   "username" : "test_admin",
-   "roles" : [
-    "superuser"
+    "username" : "test_admin",
+    "roles" : [
+      "superuser"
     ],
-   "full_name" : null,
-   "email" : null,
-   "metadata" : { },
-   "enabled" : true,
-   "authentication_realm" : {
-    "name" : "file",
-    "type" : "file"
+    "full_name" : null,
+    "email" : null,
+    "metadata" : { },
+    "enabled" : true,
+    "authentication_realm" : {
+      "name" : "file",
+      "type" : "file"
+    },
+    "lookup_realm" : {
+      "name" : "file",
+      "type" : "file"
     },
-   "lookup_realm" : {
-    "name" : "file",
-    "type" : "file"
-   },
-   "authentication_type" : "realm"
+    "authentication_type" : "realm"
   }
 }
 --------------------------------------------------

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/TokenAuthIntegTests.java

@@ -87,6 +87,7 @@ public void testTokenServiceBootstrapOnNodeJoin() throws Exception {
         final RestHighLevelClient restClient = new TestRestHighLevelClient();
         CreateTokenResponse response = restClient.security().createToken(CreateTokenRequest.passwordGrant(
             SecuritySettingsSource.TEST_USER_NAME, SecuritySettingsSourceField.TEST_PASSWORD.toCharArray()), SECURITY_REQUEST_OPTIONS);
+        assertNotNull(response.getAuthentication());
         for (TokenService tokenService : internalCluster().getInstances(TokenService.class)) {
             PlainActionFuture<UserToken> userTokenFuture = new PlainActionFuture<>();
             tokenService.decodeToken(response.getAccessToken(), userTokenFuture);
@@ -104,7 +105,6 @@ public void testTokenServiceBootstrapOnNodeJoin() throws Exception {
         PlainActionFuture<UserToken> userTokenFuture = new PlainActionFuture<>();
         tokenService.decodeToken(response.getAccessToken(), userTokenFuture);
         assertNotNull(userTokenFuture.actionGet());
-        assertNotNull(response.getAuthenticationResponse());
     }
 
 
@@ -134,7 +134,8 @@ public void testTokenServiceCanRotateKeys() throws Exception {
             assertNotNull(userTokenFuture.actionGet());
             assertNotEquals(activeKeyHash, tokenService.getActiveKeyHash());
         }
-        assertNotNull(response.getAuthenticationResponse());
+        assertNotNull(response.getAuthentication());
+        assertEquals(SecuritySettingsSource.TEST_USER_NAME, response.getAuthentication().getUser().getUsername());
     }
 
     public void testExpiredTokensDeletedAfterExpiration() throws Exception {
@@ -367,7 +368,7 @@ public void testRefreshingToken() throws IOException {
 
         // Assert that we can authenticate with the refreshed access token
         assertAuthenticateWithToken(refreshResponse.getAccessToken(), SecuritySettingsSource.TEST_USER_NAME);
-        assertNotNull(refreshResponse.getAuthenticationResponse());
+        assertNotNull(refreshResponse.getAuthentication());
     }
 
     public void testRefreshingInvalidatedToken() throws IOException {

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthDelegationIntegTests.java

@@ -149,7 +149,8 @@ public void testDelegateThenAuthenticate() throws Exception {
                         optionsBuilder.build());
                 String token = delegatePkiResponse.getAccessToken();
                 assertThat(token, is(notNullValue()));
-                assertNotNull(delegatePkiResponse.getAuthenticationResponse());
+                assertNotNull(delegatePkiResponse.getAuthentication());
+                assertEquals("Elasticsearch Test Client", delegatePkiResponse.getAuthentication().getUser().getUsername());
 
                 // authenticate
                 optionsBuilder = RequestOptions.DEFAULT.toBuilder();
@@ -189,7 +190,7 @@ public void testTokenInvalidate() throws Exception {
                     optionsBuilder.build());
             String token = delegatePkiResponse.getAccessToken();
             assertThat(token, is(notNullValue()));
-            assertNotNull(delegatePkiResponse.getAuthenticationResponse());
+            assertNotNull(delegatePkiResponse.getAuthentication());
             // authenticate
             optionsBuilder = RequestOptions.DEFAULT.toBuilder();
             optionsBuilder.addHeader("Authorization", "Bearer " + token);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/oidc/RestOpenIdConnectAuthenticateAction.java

@@ -70,7 +70,9 @@ public RestResponse buildResponse(OpenIdConnectAuthenticateResponse response, XC
                         builder.field("access_token", response.getAccessTokenString());
                         builder.field("refresh_token", response.getRefreshTokenString());
                         builder.field("expires_in", response.getExpiresIn().seconds());
-                        builder.field("authentication", response.getAuthentication());
+                        if(response.getAuthentication() != null) {
+                            builder.field("authentication", response.getAuthentication());
+                        }
                         builder.endObject();
                         return new BytesRestResponse(RestStatus.OK, builder);
                     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlAuthenticateAction.java

@@ -103,7 +103,9 @@ public RestResponse buildResponse(SamlAuthenticateResponse response, XContentBui
                         builder.field("access_token", response.getTokenString());
                         builder.field("refresh_token", response.getRefreshToken());
                         builder.field("expires_in", response.getExpiresIn().seconds());
-                        builder.field("authentication", response.getAuthentication());
+                        if(response.getAuthentication() != null) {
+                            builder.field("authentication", response.getAuthentication());
+                        }
                         builder.endObject();
                         return new BytesRestResponse(RestStatus.OK, builder);
                     }

x-pack/qa/oidc-op-tests/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthIT.java

@@ -421,6 +421,7 @@ private Tuple<String, String> completeAuthentication(String redirectUri, String
             assertNotNull(responseBody.get("access_token"));
             assertNotNull(responseBody.get("refresh_token"));
             assertNotNull(responseBody.get("authentication"));
+            assertEquals("alice", ((Map)responseBody.get("authentication")).get("username"));
             return Tuple.tuple(responseBody.get("access_token").toString(), responseBody.get("refresh_token").toString());
         }
     }

x-pack/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java

@@ -207,6 +207,7 @@ private Tuple<String, String> loginViaSaml(String realmName) throws Exception {
             final Object authentication = result.get("authentication");
             assertThat(authentication, notNullValue());
             assertThat(authentication, instanceOf(Map.class));
+            assertEquals("thor", ((Map)authentication).get("username"));
 
             return new Tuple<>((String) accessToken, (String) refreshToken);
         }