[Auth] Added authentication strategy for UIAM OAuth

[elena-shostak]

Summary

Added authentication strategy for UIAM OAuth.

---

How to check

## Start Scout servers
$ node scripts/scout.js start-server --arch serverless --domain security_complete --serverConfigSet uiam_local

## Run Scout tests
$ npx playwright test --config x-pack/platform/plugins/shared/security/test/scout_uiam_local/api/parallel.playwright.config.ts \
  --project local \
  --grep "UIAM OAuth token exchange"

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Closes: https://github.com/elastic/kibana-team/issues/2754

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

ACK: Sorry for the delay, will finish review today.

[azasypkin]

Looks good! Just a few questions and suggestions.

[azasypkin]

note: I'm fine with the dedicated option, but options.config.uiam?.enabled is also available in the provider, since we always pass the full options object to the constructor via can use it directly.

[azasypkin]

note: I see you pass this config value to set acceptUiamOAuth in the HTTP auth provider, but we also pass options.uiam to every provider (including HTTP), which is only non-null when options.config.uiam?.enabled is true. That's what we rely on in the SAML authc provider to decide whether we need to support UIAM flows. Dedicated option is fine by me too, but relying on options.uiam might be simpler and more consistent with the rest of the code base.

[azasypkin]

question: do you know if there will be a way to distinguish OAuth UIAM tokens from any other UIAM credentials?

Since these are the only ones that come from outside with Bearer scheme it's not a problem for us, but it'd be great if these could be easily distinguishable these from other types of credentials.

[elena-shostak]

hmm, seems there is no easy way to do that, it has different type claim, but it doesn't help us much

[azasypkin]

Roger that, thanks for checking!

[azasypkin]

question: I'm wondering if it would be safer to do this inside the UIAM service itself, so we don't have to depend on the consumer to perform the check for us (and we won't need to pass expected audience as argument)?

[elena-shostak]

https://github.com/elastic/kibana/pull/256182/changes#diff-b18af47b9dc65be9cce719afafcd71875bd504c197bbc8c52de568a390967e2fR439-R442 I have added UiamServiceOptions that passes down es and kibana urls, so we can incapsulate the audience check inside exchangeOAuthToken method. Lmk if that's okay with you

[azasypkin]

Yep, looks good to me, thanks 👍

[elasticmachine]

⏳ Build in-progress, with failures

• Buildkite Build
• Commit: b7b020f

Failed CI Steps

• Jest Tests #6
• Jest Tests #11
• Jest Tests #11
• FTR Configs #84
• Agent Builder API Smoke Tests #1

Test Failures

• [job] [logs] Agent Builder API Smoke Tests #1 / Agent Builder - LLM Smoke tests EIS Models (dynamically configured) Connector: google-gemini-3.1-pro can continue a text conversation
• [job] [logs] Jest Tests #6 / discover responsive sidebar should render buttons in data view picker correctly
• [job] [logs] Jest Tests #11 / Security Plugin start() exposes proper contract
• [job] [logs] Jest Tests #11 / Security Plugin start() exposes proper contract

History

• 💔 Build #418926 failed 6b98d39
• 💛 Build #418790 was flaky 0115f85
• 💛 Build #406219 was flaky e9d19c8
• 💔 Build #406186 failed 9fb4d22