[WorkplaceAI] Add authz code-grant flow in Stack Connectors V2#246655
Merged
lorenabalan merged 55 commits intoconnectors-auth-code-grantfrom Feb 4, 2026
Merged
[WorkplaceAI] Add authz code-grant flow in Stack Connectors V2#246655lorenabalan merged 55 commits intoconnectors-auth-code-grantfrom
lorenabalan merged 55 commits intoconnectors-auth-code-grantfrom
Conversation
Replace console logging with loggers, add types Clarify how the auth impl works Correctly secure the callback endpoint Style success and failure pages Separate out concerns from the authorize route linting
lorenabalan
changed the title
…se that as callback instead of kibana (if present)
lorenabalan
force-pushed
the
seanstory/oauth2-auth-code-flow
branch
from
0d8aeae to
f8d37b4
Compare
Contributor
|
Additional changes:
Tested with Sharepoint & Notion connectors, both seem to work well! ✨ 📣 Opening this to feedback and first round of reviews, while I chip away at unit tests and docs. ❓ Open question: Is there a mechanism or plan for a mechanism for embedding certain config values into other values? For example, for Sharepoint, it would be nice to only expose a 
|
Member
Author
I think a static error page might be a good first approach. Hopefully able to safely escape and display information about what may have gone wrong. |
seanstory
commented
Jan 2, 2026
Member
Author
seanstory
left a comment
seanstory
left a comment
There was a problem hiding this comment.
I'm only half done with my review (17 files to go), but my eyes are glazing over. Will tackle the rest next week.
Sorry that a lot of my comments are on my own AI slop :whistle-innocent:
| .string() | ||
| .min(1, { message: i18n.OAUTH_CLIENT_SECRET_REQUIRED_MESSAGE }) | ||
| .meta({ label: i18n.OAUTH_CLIENT_SECRET_LABEL, sensitive: true }), | ||
| // when using z.url() it doesn't allow for empty urls even if it's an optional field |
Member
Author
There was a problem hiding this comment.
worth filing a bug for that?
src/platform/packages/shared/kbn-connector-specs/src/specs/notion/notion.ts
Show resolved
Hide resolved
...latform/packages/shared/kbn-connector-specs/src/specs/sharepoint_online/sharepoint_online.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
Outdated
Show resolved
Hide resolved
Comment on lines
+347
to
+348
| const normalizedTokenType = startCase(tokenResult.tokenType); | ||
| const formattedToken = `${normalizedTokenType} ${tokenResult.accessToken}`; |
Member
Author
There was a problem hiding this comment.
Why are we adding Bearer to what we store? Shouldn't we just store the raw token, and let the client figure out how to shove the credential into the right header?
Contributor
There was a problem hiding this comment.
Hmm yeah I agree it feels a bit awkward that we can't access the raw token after this. However, oauth client credentials also do this, and so does oauth jwt, so this would be a bigger refactor that maybe would be safer in a separate PR / with ResponseOps' blessing.
Member
Author
There was a problem hiding this comment.
ack - will defer to ResponseOps.
x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
Outdated
Show resolved
Hide resolved
seanstory
commented
Jan 6, 2026
x-pack/platform/plugins/shared/actions/server/saved_objects/schemas/raw_connector_token/v2.ts
Outdated
Show resolved
Hide resolved
...ns/shared/triggers_actions_ui/public/application/lib/action_connector_api/oauth_authorize.ts
Outdated
Show resolved
Hide resolved
lorenabalan
changed the base branch from
seanstory/add-sharepoint-fetcher
to
main
szwarckonrad
approved these changes
Feb 4, 2026
Contributor
szwarckonrad
left a comment
szwarckonrad
left a comment
There was a problem hiding this comment.
DW (EDR Workflows) changes in 3 files LGTM!
botelastic
bot
added
the
Team:Fleet
Contributor
|
Pinging @elastic/fleet (Team:Fleet) |
…kibana into seanstory/oauth2-auth-code-flow
lorenabalan
force-pushed
the
seanstory/oauth2-auth-code-flow
branch
from
0c91f17 to
ceb3413
Compare
lorenabalan
force-pushed
the
seanstory/oauth2-auth-code-flow
branch
from
ceb3413 to
f79a2b3
Compare
lorenabalan
merged commit d5913de
into
connectors-auth-code-grant
11 of 13 checks passed
Contributor
💔 Build Failed
Failed CI Steps
Test Failures
Metrics [docs]Module Count
Async chunks
History
cc @lorenabalan |
This was referenced Feb 5, 2026
jeramysoucy
reviewed
Feb 5, 2026
Contributor
There was a problem hiding this comment.
@seanstory @lorenabalan I see this PR already merged before we had a chance to review it. I have some concerns regarding the changes to encrypted objects here. I left a few comments, but I wanted to make sure you were aware of the implications described in this guide:
https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro
Could you have a look and assess if we need to revert this PR before the next serverless release?
Comment on lines
+174
to
+182
| attributesToIncludeInAAD: new Set([ | ||
| 'state', | ||
| 'connectorId', | ||
| 'redirectUri', | ||
| 'authorizationUrl', | ||
| 'scope', | ||
| 'createdAt', | ||
| 'expiresAt', | ||
| 'createdBy', |
Contributor
There was a problem hiding this comment.
I am sure you've probably already considered this, but just in case...
https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro#what-attributes-should-be-included-in-aad
- An attribute cannot be removed from AAD once it is included, unless it can be altogether removed from the object type, or refactored with a new name.
- An existing attribute cannot be added to AAD if it was not included in AAD when it was first defined and has already been populated.
Contributor
There was a problem hiding this comment.
Ah good point. I wanna say most of these we do want as AAD but will think a bit more with the team to confirm.
| encryptedSavedObjects.registerType({ | ||
| type: CONNECTOR_TOKEN_SAVED_OBJECT_TYPE, | ||
| attributesToEncrypt: new Set(['token']), | ||
| attributesToEncrypt: new Set(['token', 'refreshToken']), |
Contributor
There was a problem hiding this comment.
When adding new encrypted attributes there are some considerations we have to make regarding model versions and serverless zero downtime upgrades: https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro#serverless-considerations. Specifically the need to wrap the model versions with the createModelVersion wrapper.
Did you already reference this guide? If not, could you have a look?
Contributor
There was a problem hiding this comment.
Hmm I didn't see this guide (thanks for referencing!), but I did add a new model version that's captured by L134 above, under the savedObjects.registerType({...}). Is there something else I'm missing?
I'll come back to this in morning with fresh eyes.
Contributor
There was a problem hiding this comment.
Nvm I think I see what I'm missing now, will address in a follow-up PR
| export const rawConnectorTokenSchema = rawConnectorTokenSchemaV1.extends({ | ||
| expiresAt: schema.maybe(schema.string()), // turned into an optional field | ||
| refreshToken: schema.maybe(schema.string()), | ||
| refreshTokenExpiresAt: schema.maybe(schema.string()), |
Contributor
There was a problem hiding this comment.
As these attributes are already part of AAD, or are an encrypted attribute of the SO (refreshToken), are there any considerations we need to make for serverless?
lorenabalan
added a commit
that referenced
this pull request
Feb 10, 2026
… space (#251873) ## Summary **TL;DR** Closes elastic/search-team#12683 * Added `spaceId` to the state object we store while user completes authorization. * While here, also fixing some SO tests broken by #246655 Tested by creating a new space, adding a new connector there, then authorizing it and using it in a workflow. All worked well end-to-end. 👌 <img width="681" height="960" alt="Screenshot 2026-02-05 at 17 10 18" src="https://github.com/user-attachments/assets/a3b83e1f-2d59-4eb1-880b-e21d4044716d" /> <img width="2554" height="907" alt="Screenshot 2026-02-05 at 17 10 08" src="https://github.com/user-attachments/assets/31909dcb-62a4-499f-924d-3df05ecab4de" /> #### Alternatives considered 1️⃣ Initially tried doing sth like ```typescript const spaceId = spaces ? spaces.spacesService.getSpaceId(req) : 'default'; const namespace = spaces.spacesService.spaceIdToNamespace(spaceId) ``` in both callback and authorize enpoints... but realised the first line was always returning `default` in callback, due to the redirect_uri not having the space prefix. 2️⃣ Went for storing `spaceId` in the state rather than encoding the namespace in the `redirect_uri` because that would mean the OAuth apps config would have to allow all possible redirect_uris, for each namespace, which isn't ideal UX. 3️⃣ Went for storing `spaceId` rather than `namespace` directly mainly for readability. Given `namespace: undefined` is an actual valid value, would've had to bypass the `omitBy` for this one field, which I think would've been confusing when reading the code. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
lorenabalan
added a commit
that referenced
this pull request
Feb 10, 2026
…nt params (#251717) ## Summary Fixes elastic/search-team#12682 While here, also fixing some SO tests broken by #246655 The Scout and AB tests should be fixed by merging latest `main` into feature branch. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
dennis-tismenko
pushed a commit
to dennis-tismenko/kibana
that referenced
this pull request
Feb 18, 2026
…ic#246655) Closes elastic/search-team#12248 ~WIP. Don't review yet.~ This branch implements ~a _rough_, proof-of-concept,~ Authorization Code Grant Flow for the (yet unmerged) Sharepoint Online v2 connector, as well as for the merged (modified here) Notion v2 connector. The goal is to use this as a concrete example to frame discussion around, and it iterate off of.  **Initial implementation:** @seanstory: This has been entirely generated by code assistants, so thorough review will eventually be needed, _especially_ because this is an implementation of a hairy security protocol. Also, this implementation is missing a LOT of necessary bits. Some of which are: 1. cleanup of stale state with taskmanager task ✅ 2. get refresh tokens working ✅ 3. unit tests 🟡 4. check on rate limiting of these endpoints? Potential resource exhaustion ✅ 5. prompt for `tenant-id`, instead of auth URL and token URL? 6. redirect to actual page, not HTML template ✅ 1. PM feedback first 7. telemetry 8. documentation 🟡 **Additional changes:** @lorenabalan: elastic#246655 (comment) 1. New Auth Type (oauth_authorization_code.ts) - Zod schema defining OAuth configuration (authorizationUrl, tokenUrl, clientId, clientSecret, scope) - configure() method that retrieves and refreshes tokens via ctx.getToken() - Integration with existing connector auth framework 2. OAuth State Management (oauth_state_client.ts) - PKCE state/verifier generation using crypto.randomBytes - State storage in new oauth_state saved object type - 10-minute expiration with cleanup capability - Encrypted storage of code_verifier 3. Token Management (extended connector_token_client.ts) - New methods: createWithRefreshToken(), updateWithRefreshToken(), getRefreshToken() - Encrypted storage of access_token and refresh_token - Tracks expiration for both tokens 4. HTTP Routes - POST /api/actions/connector/{id}/_oauth_authorize - Initiates OAuth flow, returns authorization URL - GET /api/actions/connector/_oauth_callback - Handles OAuth callback, exchanges code for tokens 5. Token Retrieval (get_oauth_authorization_code_access_token.ts) - Fetches stored access token - Auto-refreshes expired tokens using refresh token - Returns null if authorization needed 6. OAuth Token Requests - request_oauth_authorization_code_token.ts - Exchanges authorization code for tokens - request_oauth_refresh_token.ts - Refreshes access token 7. Integration Points - Updated ActionsClient.getOAuthAccessToken() to support "authorization_code" type - Modified getAxiosInstanceWithAuth() to call getOAuthAuthorizationCodeAccessToken() - Added 401 interceptor with user-friendly error messages 8. UI Components - useOAuthAuthorize hook - Calls authorize endpoint and opens popup - Updated connector flyout footer with "Authorize" button for OAuth connectors - checkOAuthAuthCode() helper to detect OAuth auth type 9. SharePoint Online Connector - Changed from undefined auth to oauth_authorization_code - Defaults for Microsoft OAuth endpoints (with {tenant-id} placeholder) - Scope: https://graph.microsoft.com/.default offline_access Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Lorena Bălan <lorena.balan@elastic.co>
dennis-tismenko
pushed a commit
to dennis-tismenko/kibana
that referenced
this pull request
Feb 18, 2026
… space (elastic#251873) ## Summary **TL;DR** Closes elastic/search-team#12683 * Added `spaceId` to the state object we store while user completes authorization. * While here, also fixing some SO tests broken by elastic#246655 Tested by creating a new space, adding a new connector there, then authorizing it and using it in a workflow. All worked well end-to-end. 👌 <img width="681" height="960" alt="Screenshot 2026-02-05 at 17 10 18" src="https://github.com/user-attachments/assets/a3b83e1f-2d59-4eb1-880b-e21d4044716d" /> <img width="2554" height="907" alt="Screenshot 2026-02-05 at 17 10 08" src="https://github.com/user-attachments/assets/31909dcb-62a4-499f-924d-3df05ecab4de" /> #### Alternatives considered 1️⃣ Initially tried doing sth like ```typescript const spaceId = spaces ? spaces.spacesService.getSpaceId(req) : 'default'; const namespace = spaces.spacesService.spaceIdToNamespace(spaceId) ``` in both callback and authorize enpoints... but realised the first line was always returning `default` in callback, due to the redirect_uri not having the space prefix. 2️⃣ Went for storing `spaceId` in the state rather than encoding the namespace in the `redirect_uri` because that would mean the OAuth apps config would have to allow all possible redirect_uris, for each namespace, which isn't ideal UX. 3️⃣ Went for storing `spaceId` rather than `namespace` directly mainly for readability. Given `namespace: undefined` is an actual valid value, would've had to bypass the `omitBy` for this one field, which I think would've been confusing when reading the code. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
dennis-tismenko
pushed a commit
to dennis-tismenko/kibana
that referenced
this pull request
Feb 18, 2026
…nt params (elastic#251717) ## Summary Fixes elastic/search-team#12682 While here, also fixing some SO tests broken by elastic#246655 The Scout and AB tests should be fixed by merging latest `main` into feature branch. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
lorenabalan
added a commit
that referenced
this pull request
Feb 26, 2026
…dations (#252104) ## Summary Addressing #246655 (review) & #251873 (comment) Changes: * Reduced the AAD footprint of the `oauth_state` SO (this SO was first introduced in the feature branch, so we don't need to issue a migration for it, we can just iterate directly) * Used `createModelVersion` wrapper (as per [docs](https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro#migrations-backward-compatibility-and-serverless)) for `connector_token` SO. In the feature branch we had enhanced the object by adding `refreshTokenExpiresAt` as a new AAD and `refreshToken` as a new encrypted field. `expiresAt` was also turned into an optional field. ## Testing Tests run by default with the `oauth_authorization_code` feature flag disabled. In order to check the tests with it enabled you need to modify `x-pack/platform/plugins/shared/encrypted_saved_objects/integration_tests/ci_checks/check_registered_types.test.ts` : * bump `ESO_TYPES_COUNT` to 21 (the extra models registered are `oauth_state` and `user_connector_token`) * then update `beforeAll()` to contain ```typescript root = createRootWithCorePlugins( { xpack: { actions: { auth: { oauth_authorization_code: { enabled: true } } } } }, { oss: false } ); ``` Run *both* ``` node scripts/jest_integration x-pack/platform/plugins/shared/encrypted_saved_objects/integration_tests/ci_checks/check_registered_types.test.ts -u ``` and ``` node scripts/jest_integration src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts -u ``` You should see updates to `toMatchInlineSnapshot` in the tests like ``` -"connector_token": "16ca2154c13c5ee3d3a45b55d4ea6cd33aeaceaef3dc229b002d25470bfc9b3b", + "connector_token": "e446f5ff0fbf516f63398e474f126332b4c31e316daa613c6cb8c863400110c5", ... + "oauth_state": "b01289e5c133db9d4d802a2b838e43cce4a8399566dedb21de551da57c88894a", ... + "user_connector_token": "b443b022b46b79c0ff9fa674aecc64176a5fcbd09c2db2d9f050a6a88435732e", ```⚠️ ⚠️ ⚠️ When we enable the feature by default, we'll probably also have to update this [test file](https://github.com/gsoldevila/kibana/blob/de9e6a5089482213c2e97b98c214bbc011cb817c/packages/kbn-check-saved-objects-cli/src/commands/types.ts#L46-L60) (uncomment) ## Misc **Old question** What's not entirely clear to me is release strategy for the [connectors-auth-code-grant](https://github.com/elastic/kibana/tree/connectors-auth-code-grant) feature branch, given https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro#serverless-considerations > This will require 2 Serverless release stages. Release 1: Add the attribute to the ESO's attributesToIncludeInAAD. Do not yet populate or use the new attribute. Release 2: Implement a Model Version and wrap it in a call to createModelVersion, providing the former EncryptedSavedObjectTypeRegistration as the input type, and the new EncryptedSavedObjectTypeRegistration as the output type. Implement a Model Version backfill change as needed. The attribute can safely be populated in this release. Do we need to first merge a small PR to `main` that adds the `refreshTokenExpiresAt` field to the `connector_token` SO, then wait a day and merge the rest of the feature branch? **Answer**: #252735 (review) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
jcger
added a commit
that referenced
this pull request
Mar 18, 2026
## Description
Currently, all Kibana connectors use a shared service account for
authentication. This approach lacks per user level access support, as it
does not distinguish between individual users and service account user
levels of permission. To support more secure, flexible, and user-aware
integrations, we need to introduce per-user authentication for
connectors in Kibana, alongside the existing service account method.
## 2-step release
As there are changes that require a 2-step release, this PR won't add
`oauth_authorization_code` auth type to any connector type. Therefore,
it won't be usable for now. The changes that require a 2-step release
are:
- we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO
- we are adding `refreshToken` as an encrypted attribute for
`connector_token` SO
## Config to run this locally
```
uiSettings:
overrides:
'workflows:ui:enabled': true
server.publicBaseUrl: 'http://localhost:5601'
```
Also, the auth type needs to be used in a connector. Reach out privately
to get the necessary info.
## Involved PRs:
- #246655
- #251873
- #251717
- #252566
- #252104
- #252307
- #252262
- #252501
- #253606
- #254589
- #254916
- Rename rate limit kbn setting 15d2c19
- Fix refresh token 34708e5
---------
Co-authored-by: Sean Story <sean.story@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lorena Bălan <lorena.balan@elastic.co>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Mar 18, 2026
## Description
Currently, all Kibana connectors use a shared service account for
authentication. This approach lacks per user level access support, as it
does not distinguish between individual users and service account user
levels of permission. To support more secure, flexible, and user-aware
integrations, we need to introduce per-user authentication for
connectors in Kibana, alongside the existing service account method.
## 2-step release
As there are changes that require a 2-step release, this PR won't add
`oauth_authorization_code` auth type to any connector type. Therefore,
it won't be usable for now. The changes that require a 2-step release
are:
- we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO
- we are adding `refreshToken` as an encrypted attribute for
`connector_token` SO
## Config to run this locally
```
uiSettings:
overrides:
'workflows:ui:enabled': true
server.publicBaseUrl: 'http://localhost:5601'
```
Also, the auth type needs to be used in a connector. Reach out privately
to get the necessary info.
## Involved PRs:
- elastic#246655
- elastic#251873
- elastic#251717
- elastic#252566
- elastic#252104
- elastic#252307
- elastic#252262
- elastic#252501
- elastic#253606
- elastic#254589
- elastic#254916
- Rename rate limit kbn setting 15d2c19
- Fix refresh token 34708e5
---------
Co-authored-by: Sean Story <sean.story@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lorena Bălan <lorena.balan@elastic.co>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Mar 26, 2026
## Description
Currently, all Kibana connectors use a shared service account for
authentication. This approach lacks per user level access support, as it
does not distinguish between individual users and service account user
levels of permission. To support more secure, flexible, and user-aware
integrations, we need to introduce per-user authentication for
connectors in Kibana, alongside the existing service account method.
## 2-step release
As there are changes that require a 2-step release, this PR won't add
`oauth_authorization_code` auth type to any connector type. Therefore,
it won't be usable for now. The changes that require a 2-step release
are:
- we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO
- we are adding `refreshToken` as an encrypted attribute for
`connector_token` SO
## Config to run this locally
```
uiSettings:
overrides:
'workflows:ui:enabled': true
server.publicBaseUrl: 'http://localhost:5601'
```
Also, the auth type needs to be used in a connector. Reach out privately
to get the necessary info.
## Involved PRs:
- elastic#246655
- elastic#251873
- elastic#251717
- elastic#252566
- elastic#252104
- elastic#252307
- elastic#252262
- elastic#252501
- elastic#253606
- elastic#254589
- elastic#254916
- Rename rate limit kbn setting 15d2c19
- Fix refresh token 34708e5
---------
Co-authored-by: Sean Story <sean.story@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lorena Bălan <lorena.balan@elastic.co>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes https://github.com/elastic/search-team/issues/12248
WIP. Don't review yet.This branch implements
a rough, proof-of-concept,Authorization Code Grant Flow for the (yet unmerged) Sharepoint Online v2 connector, as well as for the merged (modified here) Notion v2 connector.The goal is to use this as a concrete example to frame discussion around, and it iterate off of.
Initial implementation:
@seanstory: This has been entirely generated by code assistants, so thorough review will eventually be needed, especially because this is an implementation of a hairy security protocol.
Also, this implementation is missing a LOT of necessary bits. Some of which are:
tenant-id, instead of auth URL and token URL?Additional changes:
@lorenabalan: #246655 (comment)
What's in the box?
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.