elastic · lorenabalan · Mar 31, 2026 · Feb 4, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2402,6 +2402,12 @@ x-pack/platform/plugins/shared/inference_endpoint @elastic/search-kibana
 /x-pack/platform/test/fixtures/es_archives/alerting/8_2_0 @elastic/response-ops
 /x-pack/solutions/**/test/serverless/**/test_suites/rules/ @elastic/response-ops
 
+# EARS
+/x-pack/platform/plugins/shared/actions/server/lib/ears @elastic/workchat-eng
+x-pack/platform/plugins/shared/actions/server/lib/axios_auth_strategies/ears_strategy.ts @elastic/workchat-eng @elastic/response-ops
+x-pack/platform/plugins/shared/actions/server/lib/axios_auth_strategies/ears_strategy.test.ts @elastic/workchat-eng @elastic/response-ops
+/src/platform/packages/shared/kbn-connector-specs/src/auth_types/ears.ts @elastic/workchat-eng
+
 # Connector Specs
 src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
 src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts

@@ -11,6 +11,7 @@ export * as connectorsSpecs from './src/all_specs';
 export type * from './src/connector_spec';
 
 export * as authTypeSpecs from './src/all_auth_types';
+export { EARS_PROVIDERS } from './src/auth_types/ears';
 
 export { getConnectorSpec } from './src/get_connector_spec';
 export { getWorkflowTemplatesForConnector } from './src/get_workflow_templates';
@@ -14,6 +14,7 @@ export * from './auth_types/basic';
 export * from './auth_types/none';
 export * from './auth_types/oauth';
 export * from './auth_types/oauth_authorization_code';
+export { Ears } from './auth_types/ears';
 
 // Skipping PFX and CRT exports for now as they will require updates to
 // the formbuilder to support file upload fields.

@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod/v4';
+import type { AxiosInstance } from 'axios';
+import type { AuthContext, AuthTypeSpec } from '../connector_spec';
+import * as i18n from './translations';
+
+export const EARS_PROVIDERS = ['google', 'microsoft', 'slack'] as const;
+
+const authSchema = z
+  .object({
+    provider: z.enum(EARS_PROVIDERS).meta({ hidden: true }),
+    scope: z.string().meta({ label: i18n.OAUTH_SCOPE_LABEL }).optional(),
+  })
+  .meta({ label: i18n.EARS_LABEL });
+
+type AuthSchemaType = z.infer<typeof authSchema>;
+
+/**
+ * EARS (Elastic Authentication Redirect Service) OAuth Flow
+ *
+ * EARS is an OAuth proxy that manages client credentials (clientId/clientSecret)
+ * on behalf of the user. Instead of users creating their own OAuth apps for each
+ * 3rd party, they can rely on the Elastic-owned apps for simplicity.
+ * Therefore, connectors using EARS don't require users to input any
+ * client credentials — EARS already knows them.
+ *
+ * EARS Redirect Flow:
+ * 1. On `/_start_oauth_flow`, Kibana builds EARS authorize URL with callback_uri, state, scope, pkce_challenge, pkce_method, and redirects to it
+ * 2. User visits EARS authorize URL → EARS redirects to OAuth provider and shows auth screen to user, in order for them to enter their credentials and authorize scopes
+ * 3. OAuth provider redirects back to EARS with authz code & state
+ * 4. EARS redirects to callback_uri (Kibana's `/_oauth_callback`) with authz code & state
+ * 5. Kibana then exchanges code via EARS token endpoint: POST {earsTokenUrl} with code & pkce_verifier in the JSON body
+ * 6. Tokens are auto-refreshed when expired during connector execution
+ */
+export const Ears: AuthTypeSpec<AuthSchemaType> = {
+  id: 'ears',
+  schema: authSchema,
+  authMode: 'per-user',
+  configure: async (
+    ctx: AuthContext,
+    axiosInstance: AxiosInstance,
+    secret: AuthSchemaType
+  ): Promise<AxiosInstance> => {
+    let token;
+    try {
+      token = await ctx.getToken({
+        authType: 'ears',
+        provider: secret.provider,
+        scope: secret.scope,
+      });
+    } catch (error) {
+      throw new Error(
+        `Unable to retrieve/refresh the access token. User may need to re-authorize: ${error.message}`
+      );
+    }
+
+    if (!token) {
+      throw new Error(`No access token available. User must complete OAuth authorization flow.`);
+    }
+
+    // set global defaults
+    axiosInstance.defaults.headers.common.Authorization = token;
+
+    return axiosInstance;
+  },
+};
@@ -47,6 +47,7 @@ export const OAuth: AuthTypeSpec<AuthSchemaType> = {
     let token;
     try {
       token = await ctx.getToken({
+        authType: 'oauth',
         tokenUrl: secret.tokenUrl,
         scope: secret.scope,
         clientId: secret.clientId,

@@ -94,6 +94,7 @@ export const OAuthAuthorizationCode: AuthTypeSpec<AuthSchemaType> = {
     let token;
     try {
       token = await ctx.getToken({
+        authType: 'oauth',
         tokenUrl: secret.tokenUrl,
         scope: secret.scope,
         clientId: secret.clientId,

@@ -219,3 +219,7 @@ export const AWS_SECRET_ACCESS_KEY_REQUIRED_MESSAGE = i18n.translate(
     defaultMessage: 'Secret Access Key is required',
   }
 );
+
+export const EARS_LABEL = i18n.translate('connectorSpecs.ears.label', {
+  defaultMessage: 'OAuth 2.0 via Elastic-owned apps',
+});
@@ -78,7 +78,8 @@ export interface ConnectorMetadata {
 // OAuth2, SSL/mTLS, AWS SigV4 → Phase 2 (see connector_rfc.ts)
 
 // Auth schemas defined in ./auth_types
-export interface GetTokenOpts {
+export interface OAuthGetTokenOpts {
+  authType: 'oauth';
   tokenUrl: string;
   scope?: string;
   clientId: string;
@@ -87,6 +88,14 @@ export interface GetTokenOpts {
   tokenEndpointAuthMethod?: 'client_secret_post' | 'client_secret_basic';
 }
 
+export interface EarsGetTokenOpts {
+  authType: 'ears';
+  provider: string;
+  scope?: string;
+}
+
+export type GetTokenOpts = OAuthGetTokenOpts | EarsGetTokenOpts;
+
 export interface AuthContext {
   getCustomHostSettings: (url: string) => CustomHostSettings | undefined;
   getToken: (opts: GetTokenOpts) => Promise<string | null>;

@@ -47,6 +47,7 @@ const createActionsConfigMock = () => {
     getAwsSesConfig: jest.fn().mockReturnValue(null),
     getEnabledEmailServices: jest.fn().mockReturnValue(['*']),
     getMaxEmailBodyLength: jest.fn().mockReturnValue(DEFAULT_EMAIL_BODY_LENGTH),
+    getEarsUrl: jest.fn().mockReturnValue(undefined),
   };
   return mocked;
 };

@@ -50,6 +50,7 @@ const defaultActionsConfig: ActionsConfig = {
       },
     },
   },
+  ears: {},
 };
 
 describe('ensureUriAllowed', () => {
@@ -770,6 +771,21 @@ describe('getAwsSesConfig()', () => {
   });
 });
 
+describe('getEarsUrl()', () => {
+  test('returns undefined when ears.url is not set in config', () => {
+    const acu = getActionsConfigurationUtilities(defaultActionsConfig);
+    expect(acu.getEarsUrl()).toBeUndefined();
+  });
+
+  test('returns the configured URL when ears.url is set in config', () => {
+    const acu = getActionsConfigurationUtilities({
+      ...defaultActionsConfig,
+      ears: { url: 'https://ears.example.com' },
+    });
+    expect(acu.getEarsUrl()).toBe('https://ears.example.com');
+  });
+});
+
 describe('getEnabledEmailServices()', () => {
   test('returns all services when no email config set', () => {
     const acu = getActionsConfigurationUtilities(defaultActionsConfig);

@@ -75,6 +75,7 @@ export interface ActionsConfigurationUtilities {
   getAwsSesConfig: () => AwsSesConfig;
   getEnabledEmailServices: () => string[];
   getMaxEmailBodyLength: () => number;
+  getEarsUrl(): string | undefined;
 }
 
 function allowListErrorMessage(field: AllowListingField, value: string) {
@@ -283,5 +284,6 @@ export function getActionsConfigurationUtilities(
       const nonNegativeLength = Math.max(0, configuredLength);
       return Math.min(nonNegativeLength, MAX_EMAIL_BODY_LENGTH);
     },
+    getEarsUrl: () => config.ears?.url,
   };
 }
@@ -217,6 +217,11 @@ export const configSchema = schema.object({
       rate_limits: oauthAuthorizationCodeRateLimitsSchema,
     }),
   }),
+  ears: schema.maybe(
+    schema.object({
+      url: schema.maybe(schema.uri({ scheme: ['https'] })),
+    })
+  ),
 });
 
 export type ActionsConfig = TypeOf<typeof configSchema>;

@@ -0,0 +1,138 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+jest.mock('../get_oauth_client_credentials_access_token');
+jest.mock('../delete_token_axios_interceptor');
+
+import type { AxiosInstance } from 'axios';
+import type { GetTokenOpts, OAuthGetTokenOpts } from '@kbn/connector-specs';
+import { loggerMock } from '@kbn/logging-mocks';
+import { actionsConfigMock } from '../../actions_config.mock';
+import { connectorTokenClientMock } from '../connector_token_client.mock';
+import { getOAuthClientCredentialsAccessToken } from '../get_oauth_client_credentials_access_token';
+import { getDeleteTokenAxiosInterceptor } from '../delete_token_axios_interceptor';
+import { DefaultStrategy } from './default_strategy';
+import type { AuthStrategyDeps } from './types';
+
+const mockGetOAuthClientCredentialsAccessToken =
+  getOAuthClientCredentialsAccessToken as jest.MockedFunction<
+    typeof getOAuthClientCredentialsAccessToken
+  >;
+const mockGetDeleteTokenAxiosInterceptor = getDeleteTokenAxiosInterceptor as jest.MockedFunction<
+  typeof getDeleteTokenAxiosInterceptor
+>;
+
+const logger = loggerMock.create();
+const configurationUtilities = actionsConfigMock.create();
+const connectorTokenClient = connectorTokenClientMock.create();
+
+const baseDeps: AuthStrategyDeps = {
+  connectorId: 'connector-1',
+  secrets: {
+    clientId: 'my-client-id',
+    clientSecret: 'my-client-secret',
+    tokenUrl: 'https://provider.example.com/token',
+    scope: 'openid',
+  },
+  connectorTokenClient,
+  logger,
+  configurationUtilities,
+};
+
+const createMockAxiosInstance = () =>
+  ({
+    interceptors: { response: { use: jest.fn() } },
+  } as unknown as AxiosInstance);
+
+describe('DefaultStrategy', () => {
+  let strategy: DefaultStrategy;
+
+  const mockOnFulfilled = jest.fn();
+  const mockOnRejected = jest.fn();
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    strategy = new DefaultStrategy();
+    mockGetDeleteTokenAxiosInterceptor.mockReturnValue({
+      onFulfilled: mockOnFulfilled,
+      onRejected: mockOnRejected,
+    });
+  });
+
+  describe('installResponseInterceptor', () => {
+    it('installs the delete-token cleanup interceptor', () => {
+      const instance = createMockAxiosInstance();
+      strategy.installResponseInterceptor(instance, baseDeps);
+
+      expect(mockGetDeleteTokenAxiosInterceptor).toHaveBeenCalledWith({
+        connectorTokenClient,
+        connectorId: 'connector-1',
+      });
+      expect(instance.interceptors.response.use).toHaveBeenCalledWith(
+        mockOnFulfilled,
+        mockOnRejected
+      );
+    });
+  });
+
+  describe('getToken', () => {
+    it('throws when opts authType is not oauth', async () => {
+      const opts: GetTokenOpts = { authType: 'ears', provider: 'google' };
+      await expect(strategy.getToken(opts, baseDeps)).rejects.toThrow(
+        'DefaultStrategy received non-oauth token opts'
+      );
+    });
+
+    it('delegates to getOAuthClientCredentialsAccessToken with correct args', async () => {
+      mockGetOAuthClientCredentialsAccessToken.mockResolvedValue('Bearer clientcred');
+
+      const opts: OAuthGetTokenOpts = {
+        authType: 'oauth',
+        tokenUrl: 'https://provider.example.com/token',
+        clientId: 'the-client-id',
+        clientSecret: 'the-client-secret',
+        scope: 'openid profile',
+      };
+      const result = await strategy.getToken(opts, baseDeps);
+
+      expect(result).toBe('Bearer clientcred');
+      expect(mockGetOAuthClientCredentialsAccessToken).toHaveBeenCalledWith(
+        expect.objectContaining({
+          connectorId: 'connector-1',
+          tokenUrl: 'https://provider.example.com/token',
+          oAuthScope: 'openid profile',
+          credentials: {
+            config: { clientId: 'the-client-id' },
+            secrets: { clientSecret: 'the-client-secret' },
+          },
+          connectorTokenClient,
+        })
+      );
+    });
+
+    it('includes additionalFields when present in opts', async () => {
+      mockGetOAuthClientCredentialsAccessToken.mockResolvedValue('Bearer token');
+
+      const opts: OAuthGetTokenOpts = {
+        authType: 'oauth',
+        tokenUrl: 'https://provider.example.com/token',
+        clientId: 'id',
+        clientSecret: 'secret',
+        additionalFields: { tenant: 'abc' },
+      };
+      await strategy.getToken(opts, baseDeps);
+
+      expect(mockGetOAuthClientCredentialsAccessToken).toHaveBeenCalledWith(
+        expect.objectContaining({
+          credentials: expect.objectContaining({
+            config: expect.objectContaining({ additionalFields: { tenant: 'abc' } }),
+          }),
+        })
+      );
+    });
+  });
+});