[WorkplaceAI][PerUserAuth] Implement Encrypted Saved Objects recommendations #252104
Merged: lorenabalan merged 20 commits into connectors-auth-code-grant, Feb 26, 2026
lorenabalan (Contributor, Author) commented Feb 10, 2026 on this snippet:

```
// redirectUri: {
//   type: 'keyword',
// },
// authorizationUrl: {
```

This field doesn't actually look like it exists anymore, looking at the schema; it must've been a leftover from a refactoring.
Force-pushed 649828b to 4f90ecb
lorenabalan commented Feb 10, 2026 on x-pack/platform/plugins/shared/actions/server/saved_objects/index.ts (outdated, resolved)
jeramysoucy reviewed Feb 11, 2026: ...plugins/shared/actions/server/saved_objects/model_versions/connector_token_model_versions.ts (resolved)
jcger reviewed Feb 18, 2026: ...plugins/shared/actions/server/saved_objects/model_versions/connector_token_model_versions.ts (resolved)
jcger approved these changes Feb 20, 2026
Force-pushed 20719b9 to e7e0dd0
jeramysoucy added a commit that referenced this pull request, Feb 25, 2026:

## Summary
Closes elastic/kibana-team#2867

The `Check Saved Objects` CI check performs automated upgrade and rollback testing for any updated SO types. None of the Encrypted Saved Objects had been updated since the check was put in place, up until recently. To add support for ESOs, the `KibanaMigratorTestKit` must accept an _encryptedSavedObjects_ service, so that the underlying SOR can be built with the encryption extension.

This PR adds a workaround to support encryption / decryption in the `KibanaMigratorTestKit`, unblocking #252104.

Made with [Cursor](https://cursor.com)

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

…tion_tests/ci_checks
e3bb9cd into connectors-auth-code-grant
11 of 13 checks passed
qn895 pushed a commit to qn895/kibana that referenced this pull request, Mar 11, 2026 (…53470)
jcger added a commit that referenced this pull request, Mar 18, 2026:

## Description
Currently, all Kibana connectors use a shared service account for
authentication. This approach lacks per user level access support, as it
does not distinguish between individual users and service account user
levels of permission. To support more secure, flexible, and user-aware
integrations, we need to introduce per-user authentication for
connectors in Kibana, alongside the existing service account method.
## 2-step release
As there are changes that require a 2-step release, this PR won't add
`oauth_authorization_code` auth type to any connector type. Therefore,
it won't be usable for now. The changes that require a 2-step release
are:
- we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO
- we are adding `refreshToken` as an encrypted attribute for
`connector_token` SO
## Config to run this locally
```yaml
uiSettings:
  overrides:
    'workflows:ui:enabled': true
server.publicBaseUrl: 'http://localhost:5601'
```
Also, the auth type needs to be used in a connector. Reach out privately
to get the necessary info.
## Involved PRs:
- #246655
- #251873
- #251717
- #252566
- #252104
- #252307
- #252262
- #252501
- #253606
- #254589
- #254916
- Rename rate limit kbn setting 15d2c19
- Fix refresh token 34708e5
---------
Co-authored-by: Sean Story <sean.story@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lorena Bălan <lorena.balan@elastic.co>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>
qn895 pushed a commit to qn895/kibana that referenced this pull request, Mar 18, 2026
jeramysoucy pushed a commit to jeramysoucy/kibana that referenced this pull request, Mar 26, 2026
## Summary
Addressing #246655 (review) & #251873 (comment)

Changes:
- `oauth_state` SO (this SO was first introduced in the feature branch, so we don't need to issue a migration for it, we can just iterate directly)
- `createModelVersion` wrapper (as per docs) for `connector_token` SO. In the feature branch we had enhanced the object by adding `refreshTokenExpiresAt` as a new AAD and `refreshToken` as a new encrypted field. `expiresAt` was also turned into an optional field.

## Testing
Tests run by default with the `oauth_authorization_code` feature flag disabled. In order to check the tests with it enabled you need to modify `x-pack/platform/plugins/shared/encrypted_saved_objects/integration_tests/ci_checks/check_registered_types.test.ts`:
- `ESO_TYPES_COUNT` to 21 (the extra models registered are `oauth_state` and `user_connector_token`)
- `beforeAll()` to contain
Run both
and
You should see updates to `toMatchInlineSnapshot` in the tests like

## Misc
Old question
What's not entirely clear to me is the release strategy for the connectors-auth-code-grant feature branch, given https://docs.elastic.dev/kibana-dev-docs/key-concepts/encrypted-saved-objects-intro#serverless-considerations
Do we need to first merge a small PR to `main` that adds the `refreshTokenExpiresAt` field to the `connector_token` SO, then wait a day and merge the rest of the feature branch?
Answer: #252735 (review)