[OIDC] only perform Token Endpoint Requests for the appropriate realm

[jkakavas]

If many OpenID Connect realms are configured for a given Elasticsearch node, upon receiving a request to the _security/oidc/authenticate endpoint with an OIDC authentication response from the OP, we will proceed to attempt and validate that authentication response in all the realms that are configured, in the order defined. In the case that

1. Many oidc realms are configured
2. the oidc realm that the user aims to use is not the one with the lower order value
3. authorization code grant flow is used

Elasticsearch will send out requests to the Token Endpoints of all the OPs that are configured in the realms with lower order. This has the following disadvantages:

• An extra network round-trip for each defined oidc realm with lower order.
• Authorization Code leakage as all other OPs get to see an authorization code that is meant for the OP the user wanted to use in this case. There are other mitigating factors in this case:
  • Authorization codes are supposed to be short lived and one use only.
  • OPs should require client authentication for access to the TokenEndpoint.
  • OPs should validate that the code submitted in Token Request, was issued the the
    client that is currently authenticated.

We could accept an optional parameter in the _security/oidc/authenticate API to indicate the realm name that should be used to validate this request.

[elasticmachine]

Pinging @elastic/es-security

[jkakavas]

Resolved by #45767