Merge branch 'connectors-auth-code-grant' of github.com:elastic/kibana into issue-250979-user-token-so

jcger · jcger · commit d949bf54e1a4 · 2026-02-13T16:11:24.000+01:00
diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -150,7 +150,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ml-module": "cb77705b41ea0a35d8ba79b19014a30069e0e93a2cfb7ae8c6f20a79207d5daa",
         "ml-trained-model": "133305438dc0b60a6660c44f0d8183ad5ba079db8fdd4e4f4b5ab3a09d2f29b8",
         "monitoring-telemetry": "fa7c4f2a099b4f0539e571372a598601c2a0c65ba50f6c34df23b4d6925cdc53",
-        "oauth_state": "dba837d6453b71f02f3aedc40a85bb161267e50203058ecab83a6b918376065f",
+        "oauth_state": "8902d67a5fb68ccea1f3a63100dc45b84a764c786dd13d77b75ca5a901f42335",
         "observability-onboarding-state": "b656db675800bfee8a2ddb5bf73b543542c7a7db64ed268ab5adcae6910773d2",
         "osquery-manager-usage-metric": "8833b9f812e9179897444c395761f9911945cfb77de9869c4e9b6ee6eeb0f573",
         "osquery-pack": "7ee940ea04c9c562406977efaa213050b2079c5bcc4e06ec56c8be6a85eb5ccd",
@@ -996,7 +996,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "oauth_state|global: a665293b001c9e7b6e92c0a50a553b8163dbcd41",
         "oauth_state|mappings: 04721e2fa836fed1f3f2e9c343d96ec5304f8f09",
         "oauth_state|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
-        "oauth_state|10.1.0: 6e761629347d967babaf76618a126851715a8156e27de8198f27248bd894edb9",
+        "oauth_state|10.1.0: 8324da0f847d48f9b0de638008110b966275a95f53d3efc9242fe25f5a2f1f13",
         "====================================================================================",
         "observability-onboarding-state|global: c226ba4dd0412c2d7fd7a01976461e9da00b78bf",
         "observability-onboarding-state|mappings: d6efe91e6efcc5e1b41fac37b731b715182939ce",
diff --git a/x-pack/platform/plugins/shared/actions/server/lib/oauth_authorization_service.ts b/x-pack/platform/plugins/shared/actions/server/lib/oauth_authorization_service.ts
@@ -65,7 +65,6 @@ interface ConnectorWithOAuth {
 interface ConstructorOptions {
   actionsClient: ActionsClient;
   encryptedSavedObjectsClient: EncryptedSavedObjectsClient;
-  kibanaBaseUrl: string;
 }
 
 /**
@@ -79,12 +78,10 @@ interface ConstructorOptions {
 export class OAuthAuthorizationService {
   private readonly actionsClient: ActionsClient;
   private readonly encryptedSavedObjectsClient: EncryptedSavedObjectsClient;
-  private readonly kibanaBaseUrl: string;
 
-  constructor({ actionsClient, encryptedSavedObjectsClient, kibanaBaseUrl }: ConstructorOptions) {
+  constructor({ actionsClient, encryptedSavedObjectsClient }: ConstructorOptions) {
     this.actionsClient = actionsClient;
     this.encryptedSavedObjectsClient = encryptedSavedObjectsClient;
-    this.kibanaBaseUrl = kibanaBaseUrl;
   }
 
   /**
@@ -152,16 +149,17 @@ export class OAuthAuthorizationService {
    * The redirect URI is where the OAuth provider will send the user after authorization.
    * It points to the oauth_callback route in this Kibana instance.
    *
+   * @param publicBaseUrl - The Kibana public base URL (`server.publicBaseUrl`)
    * @returns The complete redirect URI
    * @throws Error if Kibana public base URL is not configured
    */
-  getRedirectUri(): string {
-    if (!this.kibanaBaseUrl) {
+  static getRedirectUri(publicBaseUrl: string | undefined): string {
+    if (!publicBaseUrl) {
       throw new Error(
         'Kibana public URL not configured. Please set server.publicBaseUrl in kibana.yml'
       );
     }
-    return `${this.kibanaBaseUrl}${BASE_ACTION_API_PATH}/connector/_oauth_callback`;
+    return `${publicBaseUrl}${BASE_ACTION_API_PATH}/connector/_oauth_callback`;
   }
 
   /**
diff --git a/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts b/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts
@@ -19,7 +19,6 @@ interface OAuthStateAttributes {
   state: string;
   codeVerifier: string;
   connectorId: string;
-  redirectUri: string;
   kibanaReturnUrl: string;
   spaceId: string;
   createdAt: string;
@@ -39,7 +38,6 @@ interface ConstructorOptions {
 
 interface CreateStateOptions {
   connectorId: string;
-  redirectUri: string;
   kibanaReturnUrl: string;
   spaceId: string;
   createdBy?: string;
@@ -79,7 +77,6 @@ export class OAuthStateClient {
    */
   public async create({
     connectorId,
-    redirectUri,
     kibanaReturnUrl,
     spaceId,
     createdBy,
@@ -103,7 +100,6 @@ export class OAuthStateClient {
             state,
             codeVerifier,
             connectorId,
-            redirectUri,
             kibanaReturnUrl,
             spaceId,
             createdAt: now.toISOString(),
diff --git a/x-pack/platform/plugins/shared/actions/server/routes/oauth_authorize.ts b/x-pack/platform/plugins/shared/actions/server/routes/oauth_authorize.ts
@@ -92,7 +92,6 @@ export const oauthAuthorizeRoute = (
             encryptedSavedObjectsClient: encryptedSavedObjects.getClient({
               includedHiddenTypes: ['action'],
             }),
-            kibanaBaseUrl: kibanaUrl,
           });
 
           const spaceId = spaces ? spaces.spacesService.getSpaceId(req) : 'default';
@@ -101,7 +100,7 @@ export const oauthAuthorizeRoute = (
             namespace = spaces.spacesService.spaceIdToNamespace(spaceId);
           }
           const oauthConfig = await oauthService.getOAuthConfig(connectorId, namespace);
-          const redirectUri = oauthService.getRedirectUri();
+          const redirectUri = OAuthAuthorizationService.getRedirectUri(kibanaUrl);
 
           // Validate and build return URL for post-OAuth redirect
           const requestedReturnUrl = req.body?.returnUrl;
@@ -137,7 +136,6 @@ export const oauthAuthorizeRoute = (
           });
           const { state, codeChallenge } = await oauthStateClient.create({
             connectorId,
-            redirectUri,
             kibanaReturnUrl,
             spaceId,
           });
diff --git a/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts b/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
@@ -8,6 +8,7 @@
 import { schema } from '@kbn/config-schema';
 import type { CoreSetup, IRouter, Logger } from '@kbn/core/server';
 import { i18n } from '@kbn/i18n';
+import { escape } from 'lodash';
 import type { ActionsPluginsStart } from '../plugin';
 import type { ILicenseState } from '../lib';
 import { BASE_ACTION_API_PATH } from '../../common';
@@ -16,6 +17,7 @@ import type { ActionsConfigurationUtilities } from '../actions_config';
 import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { OAuthStateClient } from '../lib/oauth_state_client';
+import { OAuthAuthorizationService } from '../lib/oauth_authorization_service';
 import { requestOAuthAuthorizationCodeToken } from '../lib/request_oauth_authorization_code_token';
 import { ConnectorTokenClient } from '../lib/connector_token_client';
 import type { OAuthRateLimiter } from '../lib/oauth_rate_limiter';
@@ -104,14 +106,18 @@ function generateOAuthCallbackPage({
 }): string {
   const iconColor = isSuccess ? '#00BFB3' : '#BD271E';
   const icon = isSuccess ? '✓' : '✕';
+  const sanitisedTitle = escape(title);
+  const sanitisedHeading = escape(heading);
+  const sanitisedMessage = escape(message);
+  const sanitisedDetails = details ? escape(details) : '';
 
   return `
     <!DOCTYPE html>
     <html lang="en">
       <head>
         <meta charset="utf-8">
         <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>${title}</title>
+        <title>${sanitisedTitle}</title>
         <style>
           * {
             margin: 0;
@@ -191,9 +197,9 @@ function generateOAuthCallbackPage({
       <body>
         <div class="container">
           <div class="icon">${icon}</div>
-          <h1>${heading}</h1>
-          <p>${message}</p>
-          ${details ? `<div class="details">${details}</div>` : ''}
+          <h1>${sanitisedHeading}</h1>
+          <p>${sanitisedMessage}</p>
+          ${sanitisedDetails ? `<div class="details">${sanitisedDetails}</div>` : ''}
           ${
             autoClose
               ? '<p style="display: none; margin-top: 16px;" class="auto-close-message">This window will close automatically, or you can close it manually.</p>'
@@ -312,7 +318,7 @@ export const oauthCallbackRoute = (
         }
 
         try {
-          const [, { encryptedSavedObjects }] = await coreSetup.getStartServices();
+          const [coreStart, { encryptedSavedObjects, spaces }] = await coreSetup.getStartServices();
 
           // Retrieve and validate state
           const oauthStateClient = new OAuthStateClient({
@@ -339,16 +345,20 @@ export const oauthCallbackRoute = (
             });
           }
 
-          // Get connector with decrypted secrets
+          // Get connector with decrypted secrets using the spaceId from the OAuth state
           const connectorEncryptedClient = encryptedSavedObjects.getClient({
             includedHiddenTypes: ['action'],
           });
+          const namespace =
+            spaces && oauthState.spaceId
+              ? spaces.spacesService.spaceIdToNamespace(oauthState.spaceId)
+              : undefined;
           const rawAction = await connectorEncryptedClient.getDecryptedAsInternalUser<{
             actionTypeId: string;
             name: string;
             config: OAuthConnectorConfig;
             secrets: OAuthConnectorSecrets;
-          }>('action', oauthState.connectorId);
+          }>('action', oauthState.connectorId, { namespace });
 
           const config = rawAction.attributes.config;
           const secrets = rawAction.attributes.secrets;
@@ -363,13 +373,18 @@ export const oauthCallbackRoute = (
             );
           }
 
+          // Build the redirect URI (must match the one sent to the authorization endpoint)
+          const redirectUri = OAuthAuthorizationService.getRedirectUri(
+            coreStart.http.basePath.publicBaseUrl
+          );
+
           // Exchange authorization code for tokens
           const tokenResult = await requestOAuthAuthorizationCodeToken(
             tokenUrl,
             logger,
             {
               code,
-              redirectUri: oauthState.redirectUri,
+              redirectUri,
               codeVerifier: oauthState.codeVerifier,
               clientId,
               clientSecret,
diff --git a/x-pack/platform/plugins/shared/actions/server/saved_objects/index.ts b/x-pack/platform/plugins/shared/actions/server/saved_objects/index.ts
@@ -196,14 +196,12 @@ export function setupSavedObjects(
       };
     },
   });
-
   encryptedSavedObjects.registerType({
     type: OAUTH_STATE_SAVED_OBJECT_TYPE,
     attributesToEncrypt: new Set(['codeVerifier']),
     attributesToIncludeInAAD: new Set([
       'state',
       'connectorId',
-      'redirectUri',
       'authorizationUrl',
       'scope',
       'spaceId',
diff --git a/x-pack/platform/plugins/shared/actions/server/saved_objects/schemas/raw_oauth_state/v1.ts b/x-pack/platform/plugins/shared/actions/server/saved_objects/schemas/raw_oauth_state/v1.ts
@@ -11,7 +11,6 @@ export const rawOAuthStateSchema = schema.object({
   state: schema.string(),
   codeVerifier: schema.string(),
   connectorId: schema.string(),
-  redirectUri: schema.string(),
   scope: schema.maybe(schema.string()),
   kibanaReturnUrl: schema.string(), // in case of OAuth success, redirect to this URL
   spaceId: schema.string(), // the space where the connector exists
diff --git a/x-pack/platform/plugins/shared/encrypted_saved_objects/integration_tests/ci_checks/check_registered_types.test.ts b/x-pack/platform/plugins/shared/encrypted_saved_objects/integration_tests/ci_checks/check_registered_types.test.ts
@@ -77,7 +77,11 @@ describe('checking changes on all registered encrypted SO types', () => {
         "fleet-uninstall-tokens": "6e7d75921dcce46e566f175eab1b0e3825fe565f20cdb3c984e7037934d61e23",
         "ingest-download-sources": "23eb3cf789fe13b4899215c6f919705b8a44b89f8feba7181e1f5db3c7699d40",
         "ingest-outputs": "d66716d5333484a25c57f7917bead5ac2576ec57a4b9eb61701b573f35ab62ad",
+<<<<<<< HEAD
         "oauth_state": "192a6c868fd863d8d14c33cc3357a3c61de3acca48b4a8ccb3a5e29ba465f4d7",
+=======
+        "oauth_state": "90050be54da9ef0e0059b14eb634af1165374618055289365f8cfebba24ddcdb",
+>>>>>>> f1e5cf2909709f35cf539b848b087a775364bbb8
         "privmon-api-key": "7d7b76b3bc5287a784518731ba66d4f761052177fc04b1a85e5605846ab9de42",
         "synthetics-monitor": "f1c060b7be3b30187c4adcb35d74f1fa8a4290bd7faf04fec869de2aa387e21b",
         "synthetics-monitor-multi-space": "39c4c6abd28c4173f77c1c89306e92b6b92492c0029274e10620a170be4d4a67",
