Skip to content

[Agent Builder] [Bug Bash] OAuth connector settings mention fields that are not there#264756

Merged
ashatova merged 2 commits into
elastic:mainfrom
ashatova:ab-oauth-secrets-callout-copy
Apr 22, 2026
Merged

[Agent Builder] [Bug Bash] OAuth connector settings mention fields that are not there#264756
ashatova merged 2 commits into
elastic:mainfrom
ashatova:ab-oauth-secrets-callout-copy

Conversation

@ashatova
Copy link
Copy Markdown
Contributor

@ashatova ashatova commented Apr 21, 2026

closes - https://github.com/elastic/search-team/issues/13839

Summary

Fixes misleading copy in the connector Encrypted fields info callout when using OAuth 2.0 Authorization Code auth (e.g. Google Drive, Salesforce). The callout listed Authorization URL, Token URL, and Scope even though those inputs are hidden and only Client ID / Client secret are shown.

Root cause

EncryptedFieldsCallout builds its message from every registered secrets.* field that has a label. Hidden OAuth endpoint fields are still registered (so values submit correctly) but were registered with the default field type text, so they were indistinguishable from visible fields.

Changes

  • encrypted_fields_callout.tsx: Ignore fields whose form field type is hidden when collecting labels for the callout.
  • hidden_widget.tsx (@kbn/response-ops-form-generator): Set type: FIELD_TYPES.HIDDEN on UseField config for hidden schema fields so the form registry matches UI behavior.
  • Tests: Assert hidden secrets.* fields are omitted from the create-connector callout copy.

How to test

  1. Stack Management (or Alerts and Insights) → Connectors → create Google Drive (or another spec connector with hidden OAuth defaults).
  2. Choose OAuth 2.0 Authorization Code authentication.
  3. Confirm the blue encrypted-fields callout only references Client ID and Client secret (not Authorization URL, Token URL, or Scope).
Screenshot 2026-04-21 at 16 30 43

@ashatova ashatova requested a review from a team as a code owner April 21, 2026 15:32
@ashatova ashatova added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting v9.4.0 Team:agent-builder labels Apr 21, 2026
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Apr 21, 2026

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #196 / AgentBuilder Endpoints SML internal API POST /internal/agent_builder/sml/_attach attaches SML items and persists conversation attachment refs
  • [job] [logs] FTR Configs #44 / alerting api integration security and spaces enabled - Group 11 Connectors ServiceNow ITOM ServiceNow ITOM - Executor Execution getChoices should get choices

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
stackConnectors 1.7MB 1.7MB +31.0B
triggersActionsUi 1.8MB 1.8MB +34.0B
total +65.0B

js-jankisalvi
js-jankisalvi approved these changes Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@js-jankisalvi js-jankisalvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verified locally, changes look good 👍

@ashatova ashatova merged commit 774be27 into elastic:main Apr 22, 2026
17 checks passed
mbondyra added a commit to mbondyra/kibana that referenced this pull request Apr 22, 2026
@mbondyra
Merge commit '9a7b717c662d1c904052bc59f0e5a81daab87c7f' into onConver…
7b99a22 
…sationChanges23

* commit '9a7b717c662d1c904052bc59f0e5a81daab87c7f': (145 commits)
  Upgrade EUI to v114.2.0 (elastic#264550)
  [Entity Analytics] Add missing OpenAPI descriptions and examples to p… (elastic#264778)
  [Entity Resolution] Clarify CSV upload result for already-linked entities (elastic#264689)
  [AI Infra] Fix failing GenAI Settings Scout tests (elastic#260496)
  [Agent Builder] [Bug Bash] OAuth connector settings mention fields that are not there (elastic#264756)
  [performance] process-wide cache for advanced settings lookup (elastic#262618)
  [CI] Update limits.yml for securitySolution (elastic#264946)
  [SLO] Fix APM embeddable ids (elastic#264750)
  [EDR Workflows] Unify artifacts empty state buttons (elastic#264389)
  [Alert Triage workflow] Adds security.buildAlertEntityGraph and security.renderAlertNarrative… (elastic#259159)
  [SigEvents] Add KI feature identification endpoints and refactor task to use shared service (elastic#263528)
  [Scout] Migrate Data Views API tests from FTR - Part5 (elastic#264088)
  [Cases] Apply shared extended_fields path util server side (elastic#264706)
  [Lens as code] Fix metric trendline (elastic#264777)
  [api-docs] 2026-04-22 Daily api_docs build (elastic#264882)
  [Scout] Update test config manifests (elastic#264575)
  [workflows_management] Lazy-load Zod connector schemas to cut idle memory (elastic#264283)
  [ES|QL] Fix ES|QL columns reset race during active fetch (elastic#263947)
  [Content List] Column layout props, sticky actions, and title click handlers (elastic#264203)
  [Lens as code] Validate `id` in route for new vis types (elastic#264480)
  ...
@kibanamachine kibanamachine mentioned this pull request Apr 22, 2026
Merged
3 tasks
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Apr 27, 2026
@ashatova @SoniaSanzV
[Agent Builder] [Bug Bash] OAuth connector settings mention fields th…
326ec74 
…at are not there (elastic#264756)

closes - elastic/search-team#13839

## Summary

Fixes misleading copy in the connector **Encrypted fields** info callout
when using OAuth 2.0 Authorization Code auth (e.g. Google Drive,
Salesforce). The callout listed **Authorization URL**, **Token URL**,
and **Scope** even though those inputs are hidden and only **Client ID**
/ **Client secret** are shown.

## Root cause

`EncryptedFieldsCallout` builds its message from every registered
`secrets.*` field that has a `label`. Hidden OAuth endpoint fields are
still registered (so values submit correctly) but were registered with
the default field type `text`, so they were indistinguishable from
visible fields.

## Changes

- **`encrypted_fields_callout.tsx`**: Ignore fields whose form field
type is `hidden` when collecting labels for the callout.
- **`hidden_widget.tsx`** (`@kbn/response-ops-form-generator`): Set
`type: FIELD_TYPES.HIDDEN` on `UseField` config for hidden schema fields
so the form registry matches UI behavior.
- **Tests**: Assert hidden `secrets.*` fields are omitted from the
create-connector callout copy.

## How to test

1. **Stack Management** (or **Alerts and Insights**) → **Connectors** →
create **Google Drive** (or another spec connector with hidden OAuth
defaults).
2. Choose **OAuth 2.0 Authorization Code** authentication.
3. Confirm the blue encrypted-fields callout only references **Client
ID** and **Client secret** (not Authorization URL, Token URL, or Scope).


<img width="686" height="856" alt="Screenshot 2026-04-21 at 16 30 43"
src="https://github.com/user-attachments/assets/b8651d1a-5702-4407-96b9-d70ce5575711"
/>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zacharyparikh zacharyparikh zacharyparikh approved these changes

@js-jankisalvi js-jankisalvi js-jankisalvi approved these changes

Assignees

No one assigned

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:agent-builder v9.4.0 v9.5.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ashatova @elasticmachine @zacharyparikh @js-jankisalvi @kibanamachine