Update oauth2-oidc-sdk to 7.0 (#52489) (#52806)

Resolves: #48409
Other changes:
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect
-extensions/src/7.0.2/CHANGELOG.txt

x-pack/plugin/security/build.gradle

@@ -58,8 +58,8 @@ dependencies {
   compile 'com.google.guava:guava:19.0'
 
   // Dependencies for oidc
-  compile "com.nimbusds:oauth2-oidc-sdk:6.16.5"
-  compile "com.nimbusds:nimbus-jose-jwt:8.2"
+  compile "com.nimbusds:oauth2-oidc-sdk:7.0.2"
+  compile "com.nimbusds:nimbus-jose-jwt:8.6"
   compile "com.nimbusds:lang-tag:1.4.4"
   compile "com.sun.mail:jakarta.mail:1.6.3"
   compile "net.jcip:jcip-annotations:1.0"
@@ -84,7 +84,7 @@ dependencies {
   testCompile('org.apache.kerby:kerb-crypto:1.1.1')
   testCompile('org.apache.kerby:kerb-util:1.1.1')
   testCompile('org.apache.kerby:token-provider:1.1.1')
-  testCompile('com.nimbusds:nimbus-jose-jwt:8.2')
+  testCompile('com.nimbusds:nimbus-jose-jwt:8.6')
   testCompile('net.jcip:jcip-annotations:1.0')
   testCompile('org.apache.kerby:kerb-admin:1.1.1')
   testCompile('org.apache.kerby:kerb-server:1.1.1')
@@ -273,6 +273,7 @@ thirdPartyAudit {
         'org.slf4j.ext.EventData',
         // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
         'org.cryptomator.siv.SivMode',
+        'com.nimbusds.common.contenttype.ContentType',
         // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
         'com.google.crypto.tink.subtle.Ed25519Sign',
         'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',

x-pack/plugin/security/licenses/nimbus-jose-jwt-8.2.jar.sha1

@@ -1 +0,0 @@
-3cc99de85969253f2f085c39d87124e21011ae74

x-pack/plugin/security/licenses/nimbus-jose-jwt-8.6.jar.sha1

@@ -0,0 +1 @@
+93ae6d9f03a4160e5c3ca7d0c9e6b88efbfa26e7

x-pack/plugin/security/licenses/oauth2-oidc-sdk-6.16.5.jar.sha1

@@ -1 +0,0 @@
-690bf0290fe0c03dabfb43566dbd334f78ddce84

x-pack/plugin/security/licenses/oauth2-oidc-sdk-7.0.2.jar.sha1

@@ -0,0 +1 @@
+3537c76a7ac72a1745f433cac63a254a45c57410

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java

@@ -16,6 +16,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.RestUtils;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
@@ -33,6 +34,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -46,6 +48,7 @@ import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.mockito.Matchers.any;
@@ -253,9 +256,33 @@ public class OpenIdConnectRealmTests extends OpenIdConnectTestCase {
         // Random strings, as we will not validate the token here
         final JWT idToken = generateIdToken(randomAlphaOfLength(8), randomAlphaOfLength(8), randomAlphaOfLength(8));
         final OpenIdConnectLogoutResponse logoutResponse = realm.buildLogoutResponse(idToken);
-        assertThat(logoutResponse.getEndSessionUrl(), containsString("https://op.example.org/logout?id_token_hint="));
-        assertThat(logoutResponse.getEndSessionUrl(),
-            containsString("&post_logout_redirect_uri=https%3A%2F%2Frp.elastic.co%2Fsucc_logout&state="));
+        final String endSessionUrl = logoutResponse.getEndSessionUrl();
+        final Map<String, String> parameters = new HashMap<>();
+        RestUtils.decodeQueryString(endSessionUrl, endSessionUrl.indexOf("?") + 1, parameters);
+        assertThat(parameters.size(), equalTo(3));
+        assertThat(parameters, hasKey("id_token_hint"));
+        assertThat(parameters, hasKey("post_logout_redirect_uri"));
+        assertThat(parameters, hasKey("state"));
+    }
+
+    public void testBuildLogoutResponseFromEndsessionEndpointWithExistingParameters() throws Exception {
+        final Settings.Builder realmSettingsWithFunkyEndpoint = getBasicRealmSettings();
+        realmSettingsWithFunkyEndpoint.put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_ENDSESSION_ENDPOINT),
+            "https://op.example.org/logout?parameter=123");
+        final OpenIdConnectRealm realm = new OpenIdConnectRealm(buildConfig(realmSettingsWithFunkyEndpoint.build(), threadContext), null,
+            null);
+
+        // Random strings, as we will not validate the token here
+        final JWT idToken = generateIdToken(randomAlphaOfLength(8), randomAlphaOfLength(8), randomAlphaOfLength(8));
+        final OpenIdConnectLogoutResponse logoutResponse = realm.buildLogoutResponse(idToken);
+        final String endSessionUrl = logoutResponse.getEndSessionUrl();
+        final Map<String, String> parameters = new HashMap<>();
+        RestUtils.decodeQueryString(endSessionUrl, endSessionUrl.indexOf("?") + 1, parameters);
+        assertThat(parameters.size(), equalTo(4));
+        assertThat(parameters, hasKey("parameter"));
+        assertThat(parameters, hasKey("post_logout_redirect_uri"));
+        assertThat(parameters, hasKey("state"));
+        assertThat(parameters, hasKey("id_token_hint"));
     }
 
     public void testBuildingAuthenticationRequestWithExistingStateAndNonce() {