From d2f62c38e64a48bb73b84c7ff29e8229b4fd2624 Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 30 Dec 2024 19:40:07 -0800 Subject: [PATCH 1/7] Add OpenID Connect prepare authentication specification --- output/openapi/elasticsearch-openapi.json | 54 +++++++++++ output/schema/schema.json | 109 +++++++++++++++++++++- output/schema/validation-errors.json | 6 -- output/typescript/types.ts | 13 +++ 4 files changed, 173 insertions(+), 9 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index 3f2bbbe3dd..a9340a595a 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json 
@@ -30811,6 +30811,60 @@ "x-state": "Added in 8.3.0" } }, + "/_security/oidc/prepare": { + "post": { + "tags": [ + "security" + ], + "summary": "Prepare OpenID connect authentication", + "description": "Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-prepare-authentication", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "iss": { + "description": "In the case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.\nIt cannot be specified when *realm* is specified.\nOne of *realm* or *iss* is required.", + "type": "string" + }, + "login_hint": { + "description": "In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.\nThis parameter is not valid when *realm* is specified.", + "type": "string" + }, + "nonce": { + "description": "The value used to associate a client session with an ID token and to mitigate replay attacks.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "type": "string" + }, + "realm": { + "description": "The name of the OpenID Connect realm in Elasticsearch the configuration of which should be 
used in order to generate the authentication request.\nIt cannot be specified when *iss* is specified.\nOne of *realm* or *iss* is required.", + "type": "string" + }, + "state": { + "description": "The value used to maintain state between the authentication request and the response, typically used as a Cross-Site Request Forgery mitigation.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "type": "string" + } + } + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object" + } + } + } + } + } + } + }, "/_security/_query/api_key": { "get": { "tags": [ diff --git a/output/schema/schema.json b/output/schema/schema.json index e94235fd62..9561b5db53 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -17077,15 +17077,21 @@ "visibility": "public" } }, - "description": "Creates an OAuth 2.0 authentication request as a URL string", + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-prepare-authentication.html", "name": "security.oidc_prepare_authentication", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_prepare_authentication" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_prepare_authentication" + }, "responseMediaType": [ "application/json" ], 
@@ -197806,6 +197812,103 @@ }, "specLocation": "security/invalidate_token/SecurityInvalidateTokenResponse.ts#L23-L30" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "In the case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.\nIt cannot be specified when *realm* is specified.\nOne of *realm* or *iss* is required.", + "name": "iss", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.\nThis parameter is not valid when *realm* is specified.", + "name": "login_hint", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The value used to associate a client session with an ID token and to mitigate replay attacks.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "name": "nonce", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The name of the OpenID Connect realm in Elasticsearch the configuration of which should be used in order to generate the authentication request.\nIt cannot be specified when *iss* is specified.\nOne of *realm* or *iss* is required.", + "name": "realm", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The value used to maintain state between the authentication request and the response, typically used as a 
Cross-Site Request Forgery mitigation.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "name": "state", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_prepare_authentication" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_prepare_authentication/Request.ts#L22-L62" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [] + }, + "name": { + "name": "Response", + "namespace": "security.oidc_prepare_authentication" + }, + "specLocation": "security/oidc_prepare_authentication/Response.ts#L22-L25" + }, { "kind": "interface", "name": { diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index e5b3308da8..0764c40d03 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json 
@@ -690,12 +690,6 @@ ], "response": [] }, - "security.oidc_prepare_authentication": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.update_settings": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index f9d4f74893..54d2ab26f8 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -18635,6 +18635,19 @@ export interface SecurityInvalidateTokenResponse { previously_invalidated_tokens: long } +export interface SecurityOidcPrepareAuthenticationRequest extends RequestBase { + body?: { + iss?: string + login_hint?: string + nonce?: string + realm?: string + state?: string + } +} + +export interface SecurityOidcPrepareAuthenticationResponse { +} + export interface SecurityPutPrivilegesActions { actions: string[] application?: string From 12890bb82a7849122fb3a558a4228cf2eae9b4cf Mon Sep 17 00:00:00 2001 From: lcawl Date: Tue, 31 Dec 2024 11:38:38 -0800 Subject: [PATCH 2/7] Add response --- output/schema/schema.json | 49 ++++++++++++++++++++++++++++++++++++-- output/typescript/types.ts | 4 ++++ 2 files changed, 51 insertions(+), 2 deletions(-) diff --git a/output/schema/schema.json b/output/schema/schema.json index 9561b5db53..e691265cee 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -197901,13 +197901,58 @@ "kind": "response", "body": { "kind": "properties", - "properties": [] + "properties": [ + { + "name": "nonce", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "redirect", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "state", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] }, "name": { "name": "Response", "namespace": "security.oidc_prepare_authentication" }, - "specLocation": "security/oidc_prepare_authentication/Response.ts#L22-L25" + "specLocation": "security/oidc_prepare_authentication/Response.ts#L20-L27" }, { "kind": "interface", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 54d2ab26f8..f58929aff6 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -18646,6 +18646,10 @@ export interface SecurityOidcPrepareAuthenticationRequest extends RequestBase { } export interface SecurityOidcPrepareAuthenticationResponse { + nonce: string + realm: string + redirect: string + state: string } export interface SecurityPutPrivilegesActions { From 08f06d171fd6346f28b91badc161058ece78096a Mon Sep 17 00:00:00 2001 From: lcawl Date: Tue, 31 Dec 2024 11:41:07 -0800 Subject: [PATCH 3/7] Add request and response --- .../oidc_prepare_authentication/Request.ts | 62 +++++++++++++++++++ .../oidc_prepare_authentication/Response.ts | 27 ++++++++ 2 files changed, 89 insertions(+) create mode 100644 specification/security/oidc_prepare_authentication/Request.ts create mode 100644 specification/security/oidc_prepare_authentication/Response.ts 
diff --git a/specification/security/oidc_prepare_authentication/Request.ts b/specification/security/oidc_prepare_authentication/Request.ts
new file mode 100644
index 0000000000..b6bfc33440
--- /dev/null
+++ b/specification/security/oidc_prepare_authentication/Request.ts
@@ -0,0 +1,62 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Prepare OpenID connect authentication.
+ * Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.
+ *
+ * The response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_prepare_authentication
+ * @availability stack stability=stable visibility=public
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * In the case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.
+ * It cannot be specified when *realm* is specified.
+ * One of *realm* or *iss* is required.
+ */
+ iss?: string
+ /**
+ * In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.
+ * This parameter is not valid when *realm* is specified.
+ */
+ login_hint?: string
+ /**
+ * The value used to associate a client session with an ID token and to mitigate replay attacks.
+ * If the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.
+ */
+ nonce?: string
+ /**
+ * The name of the OpenID Connect realm in Elasticsearch the configuration of which should be used in order to generate the authentication request.
+ * It cannot be specified when *iss* is specified.
+ * One of *realm* or *iss* is required.
+ */
+ realm?: string
+ /**
+ * The value used to maintain state between the authentication request and the response, typically used as a Cross-Site Request Forgery mitigation.
+ * If the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.
+ */
+ state?: string
+ }
+}
diff --git a/specification/security/oidc_prepare_authentication/Response.ts b/specification/security/oidc_prepare_authentication/Response.ts
new file mode 100644
index 0000000000..6e42b7c25e
--- /dev/null
+++ b/specification/security/oidc_prepare_authentication/Response.ts
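Review bot: The doc comments on `nonce` and `state` in the oidc_prepare_authentication/Request.ts body cover only the case where Elasticsearch generates the value; they give no requirement for a caller-supplied one, and that is the case where the replay and CSRF protection these fields exist for can be weakened. I would add one line to each comment, for example `* A caller-supplied value must be unguessable, unique to this authentication attempt, and kept in the user's session for comparison with the response.` Every body field is optional in the type while the prose says one of *realm* or *iss* is required and that the two exclude each other, so the constraint is invisible to generated clients; repeating it in the interface-level comment would help. The summary also spells `oAuth 2.0` and `OpenID connect`, which should read `OAuth 2.0` and `OpenID Connect`.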
@@ -0,0 +1,27 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+ body: {
+ nonce: string
+ realm: string
+ redirect: string
+ state: string
+ }
+}
From e7cb80ba084821050d2c2daa99b8032bdcab6a39 Mon Sep 17 00:00:00 2001
From: lcawl
Date: Tue, 31 Dec 2024 12:19:00 -0800
Subject: [PATCH 4/7] Add security.oidc_authenticate specification
---
.../security/oidc_authenticate/Request.ts | 53 +++++++++++++++++++
.../security/oidc_authenticate/Response.ts | 29 ++++++++++
2 files changed, 82 insertions(+)
create mode 100644 specification/security/oidc_authenticate/Request.ts
create mode 100644 specification/security/oidc_authenticate/Response.ts
diff --git a/specification/security/oidc_authenticate/Request.ts b/specification/security/oidc_authenticate/Request.ts
new file mode 100644
index 0000000000..bead6b06d5
--- /dev/null
+++ b/specification/security/oidc_authenticate/Request.ts
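Review bot: The four fields of the new oidc_prepare_authentication `Response` body have no doc comments, so the generated schema and OpenAPI output describe `nonce`, `realm`, `redirect` and `state` by name only. For an authentication flow the comments matter: I would document `redirect` as the authorization-endpoint URL the user's browser is sent to, and `state` and `nonce` as the values the client has to keep in the user's session and pass unchanged to `/_security/oidc/authenticate`. The diffstat of PATCH 6/7 shows three lines added to this file, but that hunk is not visible here, so part of this may already be covered.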
@@ -0,0 +1,53 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { RequestBase } from '@_types/Base' + +/** + * Authenticate OpenID Connect. + * Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication. + * + * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. + * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. + * @rest_spec_name security.oidc_authenticate + * @availability stack stability=stable visibility=public + */ +export interface Request extends RequestBase { + body: { + /** + * Associate a client session with an ID token and mitigate replay attacks. + * This value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call. + */ + nonce: string + /** + * The name of the OpenID Connect realm. + * This property is useful in cases where multiple realms are defined. 
*/ + realm?: string + /** + * The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication. + * This URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider. + */ + redirect_uri: string + /** + * Maintain state between the authentication request and the response. + * This value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call. + */ + state: string + } +} diff --git a/specification/security/oidc_authenticate/Response.ts b/specification/security/oidc_authenticate/Response.ts new file mode 100644 index 0000000000..3dd4106f5a --- /dev/null +++ b/specification/security/oidc_authenticate/Response.ts @@ -0,0 +1,29 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { integer } from '@_types/Numeric' + +export class Response { + body: { + access_token: string + expires_in: integer + refresh_token: string + type: string + } +} From a9743d3b3228f84f2095a8f5955c92b95ef0bde8 Mon Sep 17 00:00:00 2001 
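Review bot: The comments on `nonce` and `state` in oidc_authenticate/Request.ts say the values must match the ones from `/_security/oidc/prepare` but not where the caller should take them from, and that is the part that makes the check meaningful. A client that copies `state` out of the redirect it is processing, instead of from its own session record, compares the response with itself and loses the CSRF protection; I would add `* Read this value from the session that started the login, never from the redirect being processed.` to both comments. `redirect_uri` carries the OpenID Connect Provider's authentication response and presumably the authorization code or tokens inside it, so its comment could also say that the full URL should be kept out of logs.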
From: lcawl Date: Tue, 31 Dec 2024 12:20:05 -0800 Subject: [PATCH 5/7] Generate output --- output/openapi/elasticsearch-openapi.json | 97 ++++++++++++++- output/schema/schema.json | 142 +++++++++++++++++++++- output/schema/validation-errors.json | 6 - output/typescript/types.ts | 16 +++ 4 files changed, 251 insertions(+), 10 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index bc40609551..94f6b7b94b 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json 
@@ -30811,6 +30811,81 @@ "x-state": "Added in 8.3.0" } }, + "/_security/oidc/authenticate": { + "post": { + "tags": [ + "security" + ], + "summary": "Authenticate OpenID Connect", + "description": "Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-authenticate", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "nonce": { + "description": "Associate a client session with an ID token and mitigate replay attacks.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "type": "string" + }, + "realm": { + "description": "The name of the OpenID Connect realm.\nThis property is useful in cases where multiple realms are defined.", + "type": "string" + }, + "redirect_uri": { + "description": "The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication.\nThis URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider.", + "type": "string" + }, + "state": { + "description": "Maintain state between the authentication request and the response.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "type": "string" + } + }, + 
"required": [ + "nonce", + "redirect_uri", + "state" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "number" + }, + "refresh_token": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "access_token", + "expires_in", + "refresh_token", + "type" + ] + } + } + } + } + } + } + }, "/_security/oidc/prepare": { "post": { "tags": [ @@ -30857,7 +30932,27 @@ "content": { "application/json": { "schema": { - "type": "object" + "type": "object", + "properties": { + "nonce": { + "type": "string" + }, + "realm": { + "type": "string" + }, + "redirect": { + "type": "string" + }, + "state": { + "type": "string" + } + }, + "required": [ + "nonce", + "realm", + "redirect", + "state" + ] } } } diff --git a/output/schema/schema.json b/output/schema/schema.json index 7580da25ec..3b33a112b9 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -17036,15 +17036,21 @@ "visibility": "public" } }, - "description": "Exchanges an OpenID Connection authentication response message for an Elasticsearch access token and refresh token pair", + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-authenticate.html", "name": "security.oidc_authenticate", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_authenticate" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_authenticate" + }, "responseMediaType": [ "application/json" ], 
@@ -197827,6 +197833,136 @@ }, "specLocation": "security/invalidate_token/SecurityInvalidateTokenResponse.ts#L23-L30" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "Associate a client session with an ID token and mitigate replay attacks.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "name": "nonce", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The name of the OpenID Connect realm.\nThis property is useful in cases where multiple realms are defined.", + "name": "realm", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication.\nThis URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider.", + "name": "redirect_uri", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Maintain state between the authentication request and the response.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "name": "state", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication 
response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_authenticate" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_authenticate/Request.ts#L22-L53" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "name": "access_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "expires_in", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "integer", + "namespace": "_types" + } + } + }, + { + "name": "refresh_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "type", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.oidc_authenticate" + }, + "specLocation": "security/oidc_authenticate/Response.ts#L22-L29" + }, { "kind": "request", "attachedBehaviors": [ diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index 0764c40d03..40d457ae38 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json 
@@ -678,12 +678,6 @@ ], "response": [] }, - "security.oidc_authenticate": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.oidc_logout": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index f58929aff6..28ea9a12c9 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -18635,6 +18635,22 @@ export interface SecurityInvalidateTokenResponse { previously_invalidated_tokens: long } +export interface SecurityOidcAuthenticateRequest extends RequestBase { + body?: { + nonce: string + realm?: string + redirect_uri: string + state: string + } +} + +export interface SecurityOidcAuthenticateResponse { + access_token: string + expires_in: integer + refresh_token: string + type: string +} + export interface SecurityOidcPrepareAuthenticationRequest extends RequestBase { body?: { iss?: string From a0f29c24ffe9d0f300349fc72fbebba92f4214dc Mon Sep 17 00:00:00 2001 From: lcawl Date: Tue, 31 Dec 2024 12:39:17 -0800 Subject: [PATCH 6/7] Add OIDC logout specification --- .../security/oidc_authenticate/Request.ts | 2 +- .../security/oidc_authenticate/Response.ts | 12 +++++ specification/security/oidc_logout/Request.ts | 44 +++++++++++++++++++ .../security/oidc_logout/Response.ts | 27 ++++++++++++ .../oidc_prepare_authentication/Request.ts | 3 +- .../oidc_prepare_authentication/Response.ts | 3 ++ 6 files changed, 89 insertions(+), 2 deletions(-) create mode 100644 specification/security/oidc_logout/Request.ts create mode 100644 specification/security/oidc_logout/Response.ts diff --git a/specification/security/oidc_authenticate/Request.ts b/specification/security/oidc_authenticate/Request.ts index bead6b06d5..197830fa9f 100644 --- a/specification/security/oidc_authenticate/Request.ts +++ b/specification/security/oidc_authenticate/Request.ts 
@@ -23,7 +23,7 @@ import { RequestBase } from '@_types/Base' * Authenticate OpenID Connect. * Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication. * - * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. + * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. * @rest_spec_name security.oidc_authenticate * @availability stack stability=stable visibility=public diff --git a/specification/security/oidc_authenticate/Response.ts b/specification/security/oidc_authenticate/Response.ts index 3dd4106f5a..3a5988bdbd 100644 --- a/specification/security/oidc_authenticate/Response.ts +++ b/specification/security/oidc_authenticate/Response.ts @@ -21,9 +21,21 @@ import { integer } from '@_types/Numeric' export class Response { body: { + /** + * The Elasticsearch access token. + */ access_token: string + /** + * The duration (in seconds) of the tokens. + */ expires_in: integer + /** + * The Elasticsearch refresh token. + */ refresh_token: string + /** + * The type of token. + */ type: string } } diff --git a/specification/security/oidc_logout/Request.ts b/specification/security/oidc_logout/Request.ts new file mode 100644 index 0000000000..80d2251351 --- /dev/null +++ b/specification/security/oidc_logout/Request.ts 
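Review bot: In the oidc_authenticate/Response.ts hunk the new comment on `expires_in`, `The duration (in seconds) of the tokens.`, does not say which token it measures, and an access token and a refresh token usually have different lifetimes. If the value is the access token's remaining lifetime, which is what I would expect here, the comment should say so, for example `* The time, in seconds, until the access token expires.`; a client that reads it as the refresh token's lifetime will schedule refreshes wrongly. The `type` comment, `The type of token.`, could name the expected value instead of restating the field name. Both points should be confirmed against the server response before merging.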
@@ -0,0 +1,44 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Logout of OpenID Connect.
+ * Invalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.
+ *
+ * If the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_logout
+ * @availability stack stability=stable visibility=public
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * The access token to be invalidated.
+ */
+ access_token: string
+ /**
+ * The refresh token to be invalidated.
+ */
+ refresh_token?: string
+ }
+}
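Review bot: In `oidc_logout/Request.ts`, `refresh_token` is declared optional while the description says the call invalidates "an access token and a refresh token", and nothing states what happens to the refresh token when the field is left out. If the paired refresh token stays valid in that case, a client that logs out with only `access_token` leaves behind a credential that can still obtain new access tokens. The field comment should spell out the behaviour when the field is omitted, whichever it is, after checking it against the server implementation.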
diff --git a/specification/security/oidc_logout/Response.ts b/specification/security/oidc_logout/Response.ts
new file mode 100644
index 0000000000..e28c4d38c5
--- /dev/null
+++ b/specification/security/oidc_logout/Response.ts
@@ -0,0 +1,27 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+ body: {
+ /**
+ * A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.
+ */
+ redirect: string
+ }
+}
diff --git a/specification/security/oidc_prepare_authentication/Request.ts b/specification/security/oidc_prepare_authentication/Request.ts
index b6bfc33440..8d028c7006 100644
--- a/specification/security/oidc_prepare_authentication/Request.ts
+++ b/specification/security/oidc_prepare_authentication/Request.ts
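Review bot: In `oidc_logout/Response.ts`, `redirect` is declared as a required string, but the description added in `oidc_logout/Request.ts` says the response contains the end-session URI only "if the OpenID Connect authentication realm in Elasticsearch is accordingly configured". If the field can be absent or null for realms without an end session endpoint, the type should say so, `redirect?: string`, and the comment should tell clients to skip the browser redirect in that case. Generated clients would otherwise treat the value as always present and may redirect the user to an empty or undefined location. This is inferred from the description text and should be checked against the server response.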
@@ -25,7 +25,8 @@ import { RequestBase } from '@_types/Base' * * The response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process. * - * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. + * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. + * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. * @rest_spec_name security.oidc_prepare_authentication * @availability stack stability=stable visibility=public */ diff --git a/specification/security/oidc_prepare_authentication/Response.ts b/specification/security/oidc_prepare_authentication/Response.ts index 6e42b7c25e..0300f62ced 100644 --- a/specification/security/oidc_prepare_authentication/Response.ts +++ b/specification/security/oidc_prepare_authentication/Response.ts @@ -21,6 +21,9 @@ export class Response { body: { nonce: string realm: string + /** + * A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters. + */ redirect: string state: string } From 1069bebd12aa71f2e56a19febd1e8d7c2055b713 Mon Sep 17 00:00:00 2001 
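Review bot: In `oidc_prepare_authentication/Response.ts`, only `redirect` receives a description; `nonce`, `realm` and `state` in the same body stay undocumented. `nonce` and `state` are required fields of the `/_security/oidc/authenticate` request body, and the request-side text describes the nonce as the value that ties a client session to an ID token and mitigates replay. The response comments should therefore say that the caller must keep both values bound to the user's session and send them back unchanged in the authenticate call. Suggested wording: `The nonce used for this authentication request; store it and pass it to the authenticate API.` and `The state used for this authentication request; store it and pass it to the authenticate API.`.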
From: lcawl Date: Tue, 31 Dec 2024 12:49:10 -0800 Subject: [PATCH 7/7] Generate output --- output/openapi/elasticsearch-openapi.json | 63 +++++++++- output/schema/schema.json | 116 +++++++++++++++--- output/schema/validation-errors.json | 6 - output/typescript/types.ts | 11 ++ specification/_doc_ids/table.csv | 3 + .../security/oidc_authenticate/Request.ts | 1 + specification/security/oidc_logout/Request.ts | 1 + .../oidc_prepare_authentication/Request.ts | 1 + 8 files changed, 180 insertions(+), 22 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index 94f6b7b94b..9bebcb831f 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -30817,7 +30817,7 @@ "security" ], "summary": "Authenticate OpenID Connect", - "description": "Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "description": "Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "operationId": "security-oidc-authenticate", "requestBody": { "content": { 
@@ -30861,15 +30861,19 @@ "type": "object", "properties": { "access_token": { + "description": "The Elasticsearch access token.", "type": "string" }, "expires_in": { + "description": "The duration (in seconds) of the tokens.", "type": "number" }, "refresh_token": { + "description": "The Elasticsearch refresh token.", "type": "string" }, "type": { + "description": "The type of token.", "type": "string" } }, 
@@ -30886,13 +30890,67 @@ } } }, + "/_security/oidc/logout": { + "post": { + "tags": [ + "security" + ], + "summary": "Logout of OpenID Connect", + "description": "Invalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-logout", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access_token": { + "description": "The access token to be invalidated.", + "type": "string" + }, + "refresh_token": { + "description": "The refresh token to be invalidated.", + "type": "string" + } + }, + "required": [ + "access_token" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "redirect": { + "description": "A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.", + "type": "string" + } + }, + "required": [ + "redirect" + ] + } + } + } + } + } + } + }, "/_security/oidc/prepare": { "post": { "tags": [ "security" ], "summary": "Prepare OpenID connect authentication", - "description": "Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the 
Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "description": "Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "operationId": "security-oidc-prepare-authentication", "requestBody": { "content": { @@ -30941,6 +30999,7 @@ "type": "string" }, "redirect": { + "description": "A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.", "type": "string" }, "state": { diff --git a/output/schema/schema.json b/output/schema/schema.json index 3b33a112b9..6281e28ed8 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -17036,8 +17036,9 @@ "visibility": "public" } }, - "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-authenticate.html", + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-authenticate", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-authenticate.html", "name": "security.oidc_authenticate", "request": { "name": "Request", 
@@ -17070,15 +17071,22 @@ "visibility": "public" } }, - "description": "Invalidates a refresh token and access token that was generated from the OpenID Connect Authenticate API", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-logout.html", + "description": "Logout of OpenID Connect.\nInvalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-logout", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-logout.html", "name": "security.oidc_logout", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_logout" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_logout" + }, "responseMediaType": [ "application/json" ], 
@@ -17098,8 +17106,9 @@ "visibility": "public" } }, - "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-prepare-authentication.html", + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-prepare", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-prepare-authentication.html", "name": "security.oidc_prepare_authentication", "request": { "name": "Request", 
@@ -197891,7 +197900,7 @@ } ] }, - "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "inherits": { "type": { "name": "RequestBase", @@ -197904,7 +197913,7 @@ }, "path": [], "query": [], - "specLocation": "security/oidc_authenticate/Request.ts#L22-L53" + "specLocation": "security/oidc_authenticate/Request.ts#L22-L54" }, { "kind": "response", @@ -197912,6 +197921,7 @@ "kind": "properties", "properties": [ { + "description": "The Elasticsearch access token.", "name": "access_token", "required": true, "type": { @@ -197923,6 +197933,7 @@ } }, { + "description": "The duration (in seconds) of the tokens.", "name": "expires_in", "required": true, "type": { @@ -197934,6 +197945,7 @@ } }, { + "description": "The Elasticsearch refresh token.", "name": "refresh_token", "required": true, "type": { @@ -197945,6 +197957,7 @@ } }, { + "description": "The type of token.", "name": "type", "required": true, "type": { 
@@ -197961,7 +197974,81 @@ "name": "Response", "namespace": "security.oidc_authenticate" }, - "specLocation": "security/oidc_authenticate/Response.ts#L22-L29" + "specLocation": "security/oidc_authenticate/Response.ts#L22-L41" + }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "The access token to be invalidated.", + "name": "access_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The refresh token to be invalidated.", + "name": "refresh_token", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "description": "Logout of OpenID Connect.\nInvalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_logout" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_logout/Request.ts#L22-L45" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET 
parameters.", + "name": "redirect", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.oidc_logout" + }, + "specLocation": "security/oidc_logout/Response.ts#L20-L27" }, { "kind": "request", @@ -198033,7 +198120,7 @@ } ] }, - "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", "inherits": { "type": { "name": "RequestBase", 
@@ -198046,7 +198133,7 @@ }, "path": [], "query": [], - "specLocation": "security/oidc_prepare_authentication/Request.ts#L22-L62" + "specLocation": "security/oidc_prepare_authentication/Request.ts#L22-L64" }, { "kind": "response", @@ -198076,6 +198163,7 @@ } }, { + "description": "A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.", "name": "redirect", "required": true, "type": { @@ -198103,7 +198191,7 @@ "name": "Response", "namespace": "security.oidc_prepare_authentication" }, - "specLocation": "security/oidc_prepare_authentication/Response.ts#L20-L27" + "specLocation": "security/oidc_prepare_authentication/Response.ts#L20-L30" }, { "kind": "interface", diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index 40d457ae38..fb67b5ff43 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json @@ -678,12 +678,6 @@ ], "response": [] }, - "security.oidc_logout": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.update_settings": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 28ea9a12c9..e82d7c9a94 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -18651,6 +18651,17 @@ export interface SecurityOidcAuthenticateResponse { type: string } +export interface SecurityOidcLogoutRequest extends RequestBase { + body?: { + access_token: string + refresh_token?: string + } +} + +export interface SecurityOidcLogoutResponse { + redirect: string +} + export interface SecurityOidcPrepareAuthenticationRequest extends RequestBase { body?: { iss?: string diff --git a/specification/_doc_ids/table.csv b/specification/_doc_ids/table.csv index f6a72b8fd7..3b057b40f6 100644 --- a/specification/_doc_ids/table.csv +++ b/specification/_doc_ids/table.csv 
@@ -591,6 +591,9 @@ security-api-invalidate-api-key,https://www.elastic.co/guide/en/elasticsearch/re security-api-invalidate-token,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-invalidate-token.html security-api-kibana-enrollment,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-kibana-enrollment.html security-api-node-enrollment,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-node-enrollment.html +security-api-oidc-authenticate,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-authenticate.html +security-api-oidc-logout,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-logout.html +security-api-oidc-prepare,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-prepare-authentication.html security-api-put-privileges,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-privileges.html security-api-put-role-mapping,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-role-mapping.html security-api-put-role,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-role.html diff --git a/specification/security/oidc_authenticate/Request.ts b/specification/security/oidc_authenticate/Request.ts index 197830fa9f..ca422e2402 100644 --- a/specification/security/oidc_authenticate/Request.ts +++ b/specification/security/oidc_authenticate/Request.ts @@ -27,6 +27,7 @@ import { RequestBase } from '@_types/Base' * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. * @rest_spec_name security.oidc_authenticate * @availability stack stability=stable visibility=public + * @doc_id security-api-oidc-authenticate */ export interface Request extends RequestBase { body: { 
diff --git a/specification/security/oidc_logout/Request.ts b/specification/security/oidc_logout/Request.ts index 80d2251351..5a4dd3bd4a 100644 --- a/specification/security/oidc_logout/Request.ts +++ b/specification/security/oidc_logout/Request.ts @@ -29,6 +29,7 @@ import { RequestBase } from '@_types/Base' * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. * @rest_spec_name security.oidc_logout * @availability stack stability=stable visibility=public + * @doc_id security-api-oidc-logout */ export interface Request extends RequestBase { body: { diff --git a/specification/security/oidc_prepare_authentication/Request.ts b/specification/security/oidc_prepare_authentication/Request.ts index 8d028c7006..354dc6afb5 100644 --- a/specification/security/oidc_prepare_authentication/Request.ts +++ b/specification/security/oidc_prepare_authentication/Request.ts @@ -29,6 +29,7 @@ import { RequestBase } from '@_types/Base' * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. * @rest_spec_name security.oidc_prepare_authentication * @availability stack stability=stable visibility=public + * @doc_id security-api-oidc-prepare */ export interface Request extends RequestBase { body: {