[ResponseOps][Connectors] Add auth mode to auth types by jcger · Pull Request #252307 · elastic/kibana

jcger · 2026-02-09T12:55:28Z

Summary

Closes #252277

This PR will be merged into a feature branch

js-jankisalvi

LGTM

elasticmachine · 2026-02-09T15:17:23Z

💔 Build Failed

Buildkite Build
Commit: 1762eb7

Failed CI Steps

Test Failures

[job] [logs] Jest Integration Tests #8 / checking changes on all registered encrypted SO types detecting changes to encryption registration definitions
[job] [logs] Jest Integration Tests #8 / checking changes on all registered encrypted SO types detecting changes to encryption registration definitions
[job] [logs] Jest Integration Tests #8 / checking changes on all registered encrypted SO types detecting new model versions in registered encrypted types
[job] [logs] Jest Integration Tests #8 / checking changes on all registered encrypted SO types detecting new model versions in registered encrypted types
[job] [logs] FTR Configs #18 / Discover alerting Search source Alert should check that there are no errors detected after an alert is created
[job] [logs] FTR Configs #18 / Discover alerting Search source Alert should check that there are no errors detected after an alert is created
[job] [logs] FTR Configs #103 / integrations When on the Trusted Apps list "before all" hook for "should not show page title if there is no trusted app"
[job] [logs] Scout: [ platform / streams_app-serverless-oblt ] plugin / serverless-oblt - Stream data processing - data sources management - should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-serverless-oblt ] plugin / serverless-oblt - Stream data processing - data sources management - should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-stateful ] plugin / should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-serverless-oblt ] plugin / should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-serverless-oblt ] plugin / should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-stateful ] plugin / should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-stateful ] plugin / stateful - Stream data processing - data sources management - should allow adding a new kql data source
[job] [logs] Scout: [ platform / streams_app-stateful ] plugin / stateful - Stream data processing - data sources management - should allow adding a new kql data source

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [d5913de]

History

## Summary Closes elastic#252277 This PR will be merged into a feature branch

## Description Currently, all Kibana connectors use a shared service account for authentication. This approach lacks per user level access support, as it does not distinguish between individual users and service account user levels of permission. To support more secure, flexible, and user-aware integrations, we need to introduce per-user authentication for connectors in Kibana, alongside the existing service account method. ## 2-step release As there are changes that require a 2-step release, this PR won't add `oauth_authorization_code` auth type to any connector type. Therefore, it won't be usable for now. The changes that require a 2-step release are: - we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO - we are adding `refreshToken` as an encrypted attribute for `connector_token` SO ## Config to run this locally ``` uiSettings: overrides: 'workflows:ui:enabled': true server.publicBaseUrl: 'http://localhost:5601' ``` Also, the auth type needs to be used in a connector. Reach out privately to get the necessary info. ## Involved PRs: - #246655 - #251873 - #251717 - #252566 - #252104 - #252307 - #252262 - #252501 - #253606 - #254589 - #254916 - Rename rate limit kbn setting 15d2c19 - Fix refresh token 34708e5 --------- Co-authored-by: Sean Story <sean.story@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Lorena Bălan <lorena.balan@elastic.co> Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com> Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>

## Description Currently, all Kibana connectors use a shared service account for authentication. This approach lacks per user level access support, as it does not distinguish between individual users and service account user levels of permission. To support more secure, flexible, and user-aware integrations, we need to introduce per-user authentication for connectors in Kibana, alongside the existing service account method. ## 2-step release As there are changes that require a 2-step release, this PR won't add `oauth_authorization_code` auth type to any connector type. Therefore, it won't be usable for now. The changes that require a 2-step release are: - we are adding `refreshTokenExpiresAt` to AAD for `connector_token` SO - we are adding `refreshToken` as an encrypted attribute for `connector_token` SO ## Config to run this locally ``` uiSettings: overrides: 'workflows:ui:enabled': true server.publicBaseUrl: 'http://localhost:5601' ``` Also, the auth type needs to be used in a connector. Reach out privately to get the necessary info. ## Involved PRs: - elastic#246655 - elastic#251873 - elastic#251717 - elastic#252566 - elastic#252104 - elastic#252307 - elastic#252262 - elastic#252501 - elastic#253606 - elastic#254589 - elastic#254916 - Rename rate limit kbn setting 15d2c19 - Fix refresh token 34708e5 --------- Co-authored-by: Sean Story <sean.story@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Lorena Bălan <lorena.balan@elastic.co> Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com> Co-authored-by: Dennis Tismenko <dennis.tismenko@elastic.co>

first commit

1762eb7

jcger requested a review from a team as a code owner February 9, 2026 12:55

js-jankisalvi approved these changes Feb 9, 2026

View reviewed changes

jcger mentioned this pull request Feb 9, 2026

[Connectors v2] OAuth 2.0 Authorization Code Grant #252369

Merged

jcger merged commit 01cf3be into elastic:connectors-auth-code-grant Feb 9, 2026
14 of 15 checks passed

dennis-tismenko pushed a commit to dennis-tismenko/kibana that referenced this pull request Feb 18, 2026

[ResponseOps][Connectors] Add auth mode to auth types (elastic#252307)

b6807a1

## Summary Closes elastic#252277 This PR will be merged into a feature branch

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ResponseOps][Connectors] Add auth mode to auth types#252307

[ResponseOps][Connectors] Add auth mode to auth types#252307
jcger merged 1 commit intoelastic:connectors-auth-code-grantfrom
jcger:issue-252277-add-auth-mode-to-auth-types

jcger commented Feb 9, 2026 •

edited

Loading

Uh oh!

js-jankisalvi left a comment

Uh oh!

elasticmachine commented Feb 9, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jcger commented Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Uh oh!

js-jankisalvi left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

💔 Build Failed

Failed CI Steps

Test Failures

Metrics [docs]

History

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jcger commented Feb 9, 2026 •

edited

Loading

elasticmachine commented Feb 9, 2026 •

edited

Loading