[WorkplaceAI] Add authz code-grant flow in Stack Connectors V2

.gitignore

@@ -175,8 +175,6 @@ oas_docs/output/kibana.serverless.tmp*.yaml
 oas_docs/output/kibana.tmp*.yaml
 oas_docs/output/kibana.new.yaml
 oas_docs/output/kibana.serverless.new.yaml
-oas_docs/bundle.json
-oas_docs/bundle.serverless.json
 
 .codeql
 .dependency-graph-log.json

oas_docs/bundle.json

@@ -382,6 +382,74 @@
   },
   "openapi": "3.0.0",
   "paths": {
+    "/api/actions/connector/_oauth_callback": {
+      "get": {
+        "description": "Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.",
+        "operationId": "get-actions-connector-oauth-callback",
+        "parameters": [
+          {
+            "description": "The authorization code returned by the OAuth provider.",
+            "in": "query",
+            "name": "code",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "The state parameter for CSRF protection.",
+            "in": "query",
+            "name": "state",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Error code if the authorization failed.",
+            "in": "query",
+            "name": "error",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Human-readable error description.",
+            "in": "query",
+            "name": "error_description",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Session state from the OAuth provider (e.g., Microsoft).",
+            "in": "query",
+            "name": "session_state",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Returns an HTML page with error details if authorization fails."
+          },
+          "302": {
+            "description": "Redirects to Kibana on successful authorization."
+          },
+          "401": {
+            "description": "User is not authenticated."
+          }
+        },
+        "summary": "Handle OAuth callback",
+        "tags": [
+          "connectors"
+        ]
+      }
+    },
     "/api/actions/connector/{id}": {
       "delete": {
         "description": "WARNING: When you delete a connector, it cannot be recovered.",

oas_docs/bundle.serverless.json

@@ -382,6 +382,74 @@
   },
   "openapi": "3.0.0",
   "paths": {
+    "/api/actions/connector/_oauth_callback": {
+      "get": {
+        "description": "Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.",
+        "operationId": "get-actions-connector-oauth-callback",
+        "parameters": [
+          {
+            "description": "The authorization code returned by the OAuth provider.",
+            "in": "query",
+            "name": "code",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "The state parameter for CSRF protection.",
+            "in": "query",
+            "name": "state",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Error code if the authorization failed.",
+            "in": "query",
+            "name": "error",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Human-readable error description.",
+            "in": "query",
+            "name": "error_description",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "description": "Session state from the OAuth provider (e.g., Microsoft).",
+            "in": "query",
+            "name": "session_state",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Returns an HTML page with error details if authorization fails."
+          },
+          "302": {
+            "description": "Redirects to Kibana on successful authorization."
+          },
+          "401": {
+            "description": "User is not authenticated."
+          }
+        },
+        "summary": "Handle OAuth callback",
+        "tags": [
+          "connectors"
+        ]
+      }
+    },
     "/api/actions/connector/{id}": {
       "delete": {
         "description": "WARNING: When you delete a connector, it cannot be recovered.",

oas_docs/output/kibana.serverless.yaml

@@ -410,6 +410,61 @@ paths:
       x-metaTags:
         - content: Kibana, Elastic Cloud Serverless
           name: product_name
+  /api/actions/connector/_oauth_callback:
+    get:
+      description: |-
+        **Spaces method and path for this operation:**
+
+        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback</span></div>
+
+        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+        Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.
+      operationId: get-actions-connector-oauth-callback
+      parameters:
+        - description: The authorization code returned by the OAuth provider.
+          in: query
+          name: code
+          required: false
+          schema:
+            type: string
+        - description: The state parameter for CSRF protection.
+          in: query
+          name: state
+          required: false
+          schema:
+            type: string
+        - description: Error code if the authorization failed.
+          in: query
+          name: error
+          required: false
+          schema:
+            type: string
+        - description: Human-readable error description.
+          in: query
+          name: error_description
+          required: false
+          schema:
+            type: string
+        - description: Session state from the OAuth provider (e.g., Microsoft).
+          in: query
+          name: session_state
+          required: false
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Returns an HTML page with error details if authorization fails.
+        '302':
+          description: Redirects to Kibana on successful authorization.
+        '401':
+          description: User is not authenticated.
+      summary: Handle OAuth callback
+      tags:
+        - connectors
+      x-metaTags:
+        - content: Kibana, Elastic Cloud Serverless
+          name: product_name
   /api/actions/connector/{id}:
     delete:
       description: |-

oas_docs/output/kibana.yaml

@@ -481,6 +481,61 @@ paths:
       x-metaTags:
         - content: Kibana
           name: product_name
+  /api/actions/connector/_oauth_callback:
+    get:
+      description: |-
+        **Spaces method and path for this operation:**
+
+        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback</span></div>
+
+        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+        Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.
+      operationId: get-actions-connector-oauth-callback
+      parameters:
+        - description: The authorization code returned by the OAuth provider.
+          in: query
+          name: code
+          required: false
+          schema:
+            type: string
+        - description: The state parameter for CSRF protection.
+          in: query
+          name: state
+          required: false
+          schema:
+            type: string
+        - description: Error code if the authorization failed.
+          in: query
+          name: error
+          required: false
+          schema:
+            type: string
+        - description: Human-readable error description.
+          in: query
+          name: error_description
+          required: false
+          schema:
+            type: string
+        - description: Session state from the OAuth provider (e.g., Microsoft).
+          in: query
+          name: session_state
+          required: false
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Returns an HTML page with error details if authorization fails.
+        '302':
+          description: Redirects to Kibana on successful authorization.
+        '401':
+          description: User is not authenticated.
+      summary: Handle OAuth callback
+      tags:
+        - connectors
+      x-metaTags:
+        - content: Kibana
+          name: product_name
   /api/actions/connector/{id}:
     delete:
       description: |-

packages/kbn-check-saved-objects-cli/current_fields.json

@@ -951,6 +951,11 @@
   "monitoring-telemetry": [
     "reportedClusterUuids"
   ],
+  "oauth_state": [
+    "connectorId",
+    "expiresAt",
+    "state"
+  ],
   "observability-onboarding-state": [
     "progress",
     "state",

packages/kbn-check-saved-objects-cli/current_mappings.json

@@ -3127,6 +3127,20 @@
       }
     }
   },
+  "oauth_state": {
+    "dynamic": false,
+    "properties": {
+      "connectorId": {
+        "type": "keyword"
+      },
+      "expiresAt": {
+        "type": "date"
+      },
+      "state": {
+        "type": "keyword"
+      }
+    }
+  },
   "observability-onboarding-state": {
     "properties": {
       "progress": {

packages/kbn-check-saved-objects-cli/src/migrations/__fixtures__/connector_token/10.2.0.json

@@ -0,0 +1,22 @@
+{
+  "10.1.0": [
+    {
+      "connectorId": "abc123-def456-connector-id",
+      "tokenType": "access_token",
+      "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QgVXNlciIsImlhdCI6MTUxNjIzOTAyMn0.test_signature",
+      "expiresAt": "2025-01-15T14:30:00.000Z",
+      "createdAt": "2025-01-15T13:00:00.000Z",
+      "updatedAt": "2025-01-15T13:00:00.000Z"
+    }
+  ],
+  "10.2.0": [
+    {
+      "connectorId": "abc123-def456-connector-id",
+      "tokenType": "access_token",
+      "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QgVXNlciIsImlhdCI6MTUxNjIzOTAyMn0.test_signature",
+      "expiresAt": "2025-01-15T14:30:00.000Z",
+      "createdAt": "2025-01-15T13:00:00.000Z",
+      "updatedAt": "2025-01-15T13:00:00.000Z"
+    }
+  ]
+}

src/core/packages/saved-objects/server-internal/src/object_types/index.ts

@@ -11,4 +11,4 @@ export { registerCoreObjectTypes } from './registration';
 
 // set minimum number of registered saved objects to ensure no object types are removed after 8.8
 // declared in internal implementation explicitly to prevent unintended changes.
-export const SAVED_OBJECT_TYPES_COUNT = 145 as const;
+export const SAVED_OBJECT_TYPES_COUNT = 146 as const;