diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json
index df94e7547b..f7157efc6e 100644
--- a/output/openapi/elasticsearch-openapi.json
+++ b/output/openapi/elasticsearch-openapi.json
@@ -30822,6 +30822,214 @@ "x-state": "Added in 8.3.0" } }, + "/_security/oidc/authenticate": { + "post": { + "tags": [ + "security" + ], + "summary": "Authenticate OpenID Connect", + "description": "Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-authenticate", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "nonce": { + "description": "Associate a client session with an ID token and mitigate replay attacks.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "type": "string" + }, + "realm": { + "description": "The name of the OpenID Connect realm.\nThis property is useful in cases where multiple realms are defined.", + "type": "string" + }, + "redirect_uri": { + "description": "The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication.\nThis URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider.", + "type": "string" + }, + "state": { + "description": "Maintain state between the authentication request and the response.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "type": "string" + } + }, + 
"required": [ + "nonce", + "redirect_uri", + "state" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access_token": { + "description": "The Elasticsearch access token.", + "type": "string" + }, + "expires_in": { + "description": "The duration (in seconds) of the tokens.", + "type": "number" + }, + "refresh_token": { + "description": "The Elasticsearch refresh token.", + "type": "string" + }, + "type": { + "description": "The type of token.", + "type": "string" + } + }, + "required": [ + "access_token", + "expires_in", + "refresh_token", + "type" + ] + } + } + } + } + } + } + }, + "/_security/oidc/logout": { + "post": { + "tags": [ + "security" + ], + "summary": "Logout of OpenID Connect", + "description": "Invalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-logout", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access_token": { + "description": "The access token to be invalidated.", + "type": "string" + }, + "refresh_token": { + "description": "The refresh token to be invalidated.", + "type": "string" + } + }, + "required": [ + "access_token" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + 
"application/json": { + "schema": { + "type": "object", + "properties": { + "redirect": { + "description": "A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.", + "type": "string" + } + }, + "required": [ + "redirect" + ] + } + } + } + } + } + } + }, + "/_security/oidc/prepare": { + "post": { + "tags": [ + "security" + ], + "summary": "Prepare OpenID connect authentication", + "description": "Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "operationId": "security-oidc-prepare-authentication", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "iss": { + "description": "In the case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.\nIt cannot be specified when *realm* is specified.\nOne of *realm* or *iss* is required.", + "type": "string" + }, + "login_hint": { + "description": "In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.\nThis parameter is not valid when *realm* is specified.", + "type": "string" + }, + "nonce": { + "description": "The value used to associate a client session with an ID token and to mitigate replay 
attacks.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "type": "string" + }, + "realm": { + "description": "The name of the OpenID Connect realm in Elasticsearch the configuration of which should be used in order to generate the authentication request.\nIt cannot be specified when *iss* is specified.\nOne of *realm* or *iss* is required.", + "type": "string" + }, + "state": { + "description": "The value used to maintain state between the authentication request and the response, typically used as a Cross-Site Request Forgery mitigation.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "type": "string" + } + } + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "nonce": { + "type": "string" + }, + "realm": { + "type": "string" + }, + "redirect": { + "description": "A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.", + "type": "string" + }, + "state": { + "type": "string" + } + }, + "required": [ + "nonce", + "realm", + "redirect", + "state" + ] + } + } + } + } + } + } + }, "/_security/_query/api_key": { "get": { "tags": [ diff --git a/output/schema/schema.json b/output/schema/schema.json index de7a4785df..1151f7e54d 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -17024,15 +17024,22 @@ "visibility": "public" } }, - "description": "Exchanges an OpenID Connection authentication response message for an Elasticsearch access token and refresh token pair", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-authenticate.html", + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-authenticate", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-authenticate.html", "name": "security.oidc_authenticate", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_authenticate" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_authenticate" + }, "responseMediaType": [ "application/json" ], 
@@ -17052,15 +17059,22 @@ "visibility": "public" } }, - "description": "Invalidates a refresh token and access token that was generated from the OpenID Connect Authenticate API", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-logout.html", + "description": "Logout of OpenID Connect.\nInvalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-logout", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-logout.html", "name": "security.oidc_logout", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_logout" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_logout" + }, "responseMediaType": [ "application/json" ], 
@@ -17080,15 +17094,22 @@ "visibility": "public" } }, - "description": "Creates an OAuth 2.0 authentication request as a URL string", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-oidc-prepare-authentication.html", + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "docId": "security-api-oidc-prepare", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-prepare-authentication.html", "name": "security.oidc_prepare_authentication", - "request": null, + "request": { + "name": "Request", + "namespace": "security.oidc_prepare_authentication" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.oidc_prepare_authentication" + }, "responseMediaType": [ "application/json" ], 
@@ -197618,6 +197639,357 @@ }, "specLocation": "security/invalidate_token/SecurityInvalidateTokenResponse.ts#L23-L30" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "Associate a client session with an ID token and mitigate replay attacks.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "name": "nonce", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The name of the OpenID Connect realm.\nThis property is useful in cases where multiple realms are defined.", + "name": "realm", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication.\nThis URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider.", + "name": "redirect_uri", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Maintain state between the authentication request and the response.\nThis value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.", + "name": "state", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "description": "Authenticate OpenID Connect.\nExchange an OpenID Connect authentication 
response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_authenticate" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_authenticate/Request.ts#L22-L54" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "The Elasticsearch access token.", + "name": "access_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The duration (in seconds) of the tokens.", + "name": "expires_in", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "integer", + "namespace": "_types" + } + } + }, + { + "description": "The Elasticsearch refresh token.", + "name": "refresh_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The type of token.", + "name": "type", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.oidc_authenticate" + }, + "specLocation": "security/oidc_authenticate/Response.ts#L22-L41" + }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "The access token to be invalidated.", + "name": "access_token", + "required": true, + 
"type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The refresh token to be invalidated.", + "name": "refresh_token", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "description": "Logout of OpenID Connect.\nInvalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.\n\nIf the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_logout" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_logout/Request.ts#L22-L45" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.", + "name": "redirect", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.oidc_logout" + }, + "specLocation": "security/oidc_logout/Response.ts#L20-L27" + }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "In the 
case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.\nIt cannot be specified when *realm* is specified.\nOne of *realm* or *iss* is required.", + "name": "iss", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.\nThis parameter is not valid when *realm* is specified.", + "name": "login_hint", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The value used to associate a client session with an ID token and to mitigate replay attacks.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "name": "nonce", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The name of the OpenID Connect realm in Elasticsearch the configuration of which should be used in order to generate the authentication request.\nIt cannot be specified when *iss* is specified.\nOne of *realm* or *iss* is required.", + "name": "realm", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The value used to maintain state between the authentication request and the response, typically used as a Cross-Site Request Forgery mitigation.\nIf the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.", + "name": "state", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + 
"namespace": "_builtins" + } + } + } + ] + }, + "description": "Prepare OpenID connect authentication.\nCreate an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.\n\nThe response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.\n\nElasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.\nThese APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.oidc_prepare_authentication" + }, + "path": [], + "query": [], + "specLocation": "security/oidc_prepare_authentication/Request.ts#L22-L64" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "name": "nonce", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.", + "name": "redirect", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "state", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": 
"security.oidc_prepare_authentication" + }, + "specLocation": "security/oidc_prepare_authentication/Response.ts#L20-L30" + }, { "kind": "interface", "name": { diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index ac8a210930..2c1f825eb1 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json @@ -969,24 +969,6 @@ ], "response": [] }, - "security.oidc_authenticate": { - "request": [ - "Missing request & response" - ], - "response": [] - }, - "security.oidc_logout": { - "request": [ - "Missing request & response" - ], - "response": [] - }, - "security.oidc_prepare_authentication": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.update_settings": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index f13920457d..a4c18c3f2f 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts 
@@ -18621,6 +18621,50 @@ export interface SecurityInvalidateTokenResponse { previously_invalidated_tokens: long } +export interface SecurityOidcAuthenticateRequest extends RequestBase { + body?: { + nonce: string + realm?: string + redirect_uri: string + state: string + } +} + +export interface SecurityOidcAuthenticateResponse { + access_token: string + expires_in: integer + refresh_token: string + type: string +} + +export interface SecurityOidcLogoutRequest extends RequestBase { + body?: { + access_token: string + refresh_token?: string + } +} + +export interface SecurityOidcLogoutResponse { + redirect: string +} + +export interface SecurityOidcPrepareAuthenticationRequest extends RequestBase { + body?: { + iss?: string + login_hint?: string + nonce?: string + realm?: string + state?: string + } +} + +export interface SecurityOidcPrepareAuthenticationResponse { + nonce: string + realm: string + redirect: string + state: string +} + export interface SecurityPutPrivilegesActions { actions: string[] application?: string diff --git a/specification/_doc_ids/table.csv b/specification/_doc_ids/table.csv index f6a72b8fd7..3b057b40f6 100644 --- a/specification/_doc_ids/table.csv +++ b/specification/_doc_ids/table.csv 
@@ -591,6 +591,9 @@ security-api-invalidate-api-key,https://www.elastic.co/guide/en/elasticsearch/re
 security-api-invalidate-token,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-invalidate-token.html
 security-api-kibana-enrollment,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-kibana-enrollment.html
 security-api-node-enrollment,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-node-enrollment.html
+security-api-oidc-authenticate,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-authenticate.html
+security-api-oidc-logout,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-logout.html
+security-api-oidc-prepare,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-oidc-prepare-authentication.html
 security-api-put-privileges,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-privileges.html
 security-api-put-role-mapping,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-role-mapping.html
 security-api-put-role,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-put-role.html
diff --git a/specification/security/oidc_authenticate/Request.ts b/specification/security/oidc_authenticate/Request.ts
new file mode 100644
index 0000000000..ca422e2402
--- /dev/null
+++ b/specification/security/oidc_authenticate/Request.ts
@@ -0,0 +1,54 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Authenticate OpenID Connect.
+ * Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_authenticate
+ * @availability stack stability=stable visibility=public
+ * @doc_id security-api-oidc-authenticate
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * Associate a client session with an ID token and mitigate replay attacks.
+ * This value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.
+ */
+ nonce: string
+ /**
+ * The name of the OpenID Connect realm.
+ * This property is useful in cases where multiple realms are defined. */
+ realm?: string
+ /**
+ * The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request after a successful authentication.
+ * This URL must be provided as-is (URL encoded), taken from the body of the response or as the value of a location header in the response from the OpenID Connect Provider.
+ */
+ redirect_uri: string
+ /**
+ * Maintain state between the authentication request and the response.
+ * This value needs to be the same as the one that was provided to the `/_security/oidc/prepare` API or the one that was generated by Elasticsearch and included in the response to that call.
+ */
+ state: string
+ }
+}
diff --git a/specification/security/oidc_authenticate/Response.ts b/specification/security/oidc_authenticate/Response.ts
new file mode 100644
index 0000000000..3a5988bdbd
--- /dev/null
+++ b/specification/security/oidc_authenticate/Response.ts
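Review bot: The `realm` doc comment closes on the same line as its text (`* This property is useful in cases where multiple realms are defined. */`), while every other property comment in this file puts `*/` on its own line; the generated descriptions come out the same, but the inconsistency is easy to carry forward when the next property is copied from it. Moving the closer to its own line, `     * This property is useful in cases where multiple realms are defined.` followed by `     */`, matches the siblings. It would also help callers if the comment said what the server does when `realm` is omitted; nothing in the hunk states that, so confirm the behaviour before documenting it rather than guessing.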
@@ -0,0 +1,41 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { integer } from '@_types/Numeric'
+
+export class Response {
+ body: {
+ /**
+ * The Elasticsearch access token.
+ */
+ access_token: string
+ /**
+ * The duration (in seconds) of the tokens.
+ */
+ expires_in: integer
+ /**
+ * The Elasticsearch refresh token.
+ */
+ refresh_token: string
+ /**
+ * The type of token.
+ */
+ type: string
+ }
+}
diff --git a/specification/security/oidc_logout/Request.ts b/specification/security/oidc_logout/Request.ts
new file mode 100644
index 0000000000..5a4dd3bd4a
--- /dev/null
+++ b/specification/security/oidc_logout/Request.ts
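Review bot: `expires_in` is documented as `The duration (in seconds) of the tokens.`, which reads as if the access token and the refresh token share one lifetime; if the value only describes the access token's validity, as is usual for this kind of token pair, the comment should say so, e.g. `The duration (in seconds) for which the access token is valid. The refresh token has its own, separate lifetime.` — confirm against the server before committing to that wording, since clients use this number to decide when to refresh. Likewise `type` is described only as `The type of token.`; if the server always returns one fixed value, naming it in the comment lets clients rely on it instead of guessing.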
@@ -0,0 +1,45 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Logout of OpenID Connect.
+ * Invalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.
+ *
+ * If the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_logout
+ * @availability stack stability=stable visibility=public
+ * @doc_id security-api-oidc-logout
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * The access token to be invalidated.
+ */
+ access_token: string
+ /**
+ * The refresh token to be invalidated.
+ */
+ refresh_token?: string
+ }
+}
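Review bot: The comment on `refresh_token` in the oidc_logout Request does not say what happens when it is omitted, yet the field is optional; because the purpose of this API is to end a session, a client needs to know whether a still-valid refresh token can keep minting access tokens when only `access_token` is sent. Suggest extending it to `The refresh token to be invalidated. If omitted, only the access token is invalidated; pass both to fully terminate the session.`, once the server behaviour is confirmed. The type-level description `Invalidate an access token and a refresh token` reads as if both are always invalidated, so it should be reconciled with the optionality of the field.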
diff --git a/specification/security/oidc_logout/Response.ts b/specification/security/oidc_logout/Response.ts
new file mode 100644
index 0000000000..e28c4d38c5
--- /dev/null
+++ b/specification/security/oidc_logout/Response.ts
@@ -0,0 +1,27 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+ body: {
+ /**
+ * A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.
+ */
+ redirect: string
+ }
+}
diff --git a/specification/security/oidc_prepare_authentication/Request.ts b/specification/security/oidc_prepare_authentication/Request.ts
new file mode 100644
index 0000000000..354dc6afb5
--- /dev/null
+++ b/specification/security/oidc_prepare_authentication/Request.ts
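Review bot: `redirect: string` in the oidc_logout Response is declared as always present, but the matching Request doc in this commit says the response contains the end session URI only `If the OpenID Connect authentication realm in Elasticsearch is accordingly configured`. Unless the server always populates the field, the spec should be `redirect?: string` (or the comment should state that the value is null when the realm has no end session endpoint), otherwise generated clients will reject a valid logout response. It would also help to state in the comment whether the URI is built solely from the realm configuration, since callers will redirect the user's browser to it without further validation.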
@@ -0,0 +1,64 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Prepare OpenID connect authentication.
+ * Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch.
+ *
+ * The response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_prepare_authentication
+ * @availability stack stability=stable visibility=public
+ * @doc_id security-api-oidc-prepare
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * In the case of a third party initiated single sign on, this is the issuer identifier for the OP that the RP is to send the authentication request to.
+ * It cannot be specified when *realm* is specified.
+ * One of *realm* or *iss* is required.
+ */
+ iss?: string
+ /**
+ * In the case of a third party initiated single sign on, it is a string value that is included in the authentication request as the *login_hint* parameter.
+ * This parameter is not valid when *realm* is specified.
+ */
+ login_hint?: string
+ /**
+ * The value used to associate a client session with an ID token and to mitigate replay attacks.
+ * If the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.
+ */
+ nonce?: string
+ /**
+ * The name of the OpenID Connect realm in Elasticsearch the configuration of which should be used in order to generate the authentication request.
+ * It cannot be specified when *iss* is specified.
+ * One of *realm* or *iss* is required.
+ */
+ realm?: string
+ /**
+ * The value used to maintain state between the authentication request and the response, typically used as a Cross-Site Request Forgery mitigation.
+ * If the caller of the API does not provide a value, Elasticsearch will generate one with sufficient entropy and return it in the response.
+ */
+ state?: string
+ }
+}
diff --git a/specification/security/oidc_prepare_authentication/Response.ts b/specification/security/oidc_prepare_authentication/Response.ts
new file mode 100644
index 0000000000..0300f62ced
--- /dev/null
+++ b/specification/security/oidc_prepare_authentication/Response.ts
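Review bot: The summary line `Prepare OpenID connect authentication.` is inconsistent with the sibling specs in this commit (`Authenticate OpenID Connect`, `Logout of OpenID Connect`): `Connect` should be capitalised, and `oAuth 2.0` in the following line should read `OAuth 2.0`. The mutual exclusion of `realm` and `iss` (and the dependency of `login_hint` on `iss`) lives only in prose on each field; if the spec language has a way to express "exactly one of" for body properties, using it here would let generators enforce `One of *realm* or *iss* is required` instead of leaving it to the caller. The `nonce` and `state` comments say Elasticsearch generates a value `with sufficient entropy` when none is supplied; it would be worth adding that callers who do supply their own values must use a cryptographically secure random source, since these are the replay and CSRF protections for the flow.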
@@ -0,0 +1,30 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+ body: {
+ nonce: string
+ realm: string
+ /**
+ * A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.
+ */
+ redirect: string
+ state: string
+ }
+}
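Review bot: `nonce`, `realm` and `state` in the oidc_prepare_authentication Response have no doc comments while `redirect` does, and every other field in the new spec files is documented. The Request spec for this API says Elasticsearch generates `nonce` and `state` when the caller omits them and returns them in the response, so the client needs to be told these are the values to retain and later pass to the authenticate API. Suggest `The nonce value included in the authentication request, either as provided by the caller or generated by Elasticsearch; it must be supplied to the authenticate API.` on `nonce`, the analogous text on `state`, and `The name of the OpenID Connect realm whose configuration was used to build the authentication request.` on `realm` (confirm the last against the server, as it is not described elsewhere in this commit).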