OpenID Connect authenticate API

New API reference

For the most up-to-date API details, refer to Security APIs.

Submits the response to an OAuth 2.0 authentication request to Elasticsearch for consumption. Upon successful validation, Elasticsearch responds with an Elasticsearch internal access token and refresh token that can subsequently be used for authentication.

Request

POST /_security/oidc/authenticate

Description

This API endpoint exchanges a successful OpenID Connect authentication response for an Elasticsearch access token and refresh token, which are then used for authentication.

Elasticsearch exposes all the necessary OpenID Connect-related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. See also OpenID Connect prepare authentication API and OpenID Connect logout API.

Request body

redirect_uri

(Required, string) The URL to which the OpenID Connect Provider redirected the User Agent in response to an authentication request, after a successful authentication. This URL is expected to be provided as-is (URL encoded), taken from the body of the response or as the value of a Location header in the response from the OpenID Connect Provider.

state

(Required, string) Used to maintain state between the authentication request and the response. This value needs to be the same as the one that was provided to the call to /_security/oidc/prepare earlier, or the one that was generated by Elasticsearch and included in the response to that call.

nonce

(Required, string) Used to associate a Client session with an ID Token and to mitigate replay attacks. This value needs to be the same as the one that was provided to the call to /_security/oidc/prepare earlier, or the one that was generated by Elasticsearch and included in the response to that call.

realm

(Optional, string) The name of the OpenID Connect realm that should be used to authenticate this response. Useful when multiple OpenID Connect realms have been defined.

Examples

The following example request exchanges the response that was returned from the OpenID Connect Provider after a successful authentication, for an Elasticsearch access token and refresh token to be used in subsequent requests. This example is from an authentication that uses the authorization code grant flow.

Python:

  resp = client.perform_request(
      "POST",
      "/_security/oidc/authenticate",
      headers={"Content-Type": "application/json"},
      body={
          "redirect_uri": "https://oidc-kibana.elastic.co:5603/api/security/oidc/callback?code=jtI3Ntt8v3_XvcLzCFGq&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
          "state": "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
          "nonce": "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
          "realm": "oidc1",
      },
  )
  print(resp)

JavaScript:

  const response = await client.transport.request({
    method: "POST",
    path: "/_security/oidc/authenticate",
    body: {
      redirect_uri:
        "https://oidc-kibana.elastic.co:5603/api/security/oidc/callback?code=jtI3Ntt8v3_XvcLzCFGq&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
      state: "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
      nonce: "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
      realm: "oidc1",
    },
  });
  console.log(response);

Console:

  POST /_security/oidc/authenticate
  {
    "redirect_uri" : "https://oidc-kibana.elastic.co:5603/api/security/oidc/callback?code=jtI3Ntt8v3_XvcLzCFGq&state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
    "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
    "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM",
    "realm" : "oidc1"
  }

The following example output contains the access token that was generated in response, the number of seconds until the token expires, the token type, and the refresh token:

  {
    "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
    "type" : "Bearer",
    "expires_in" : 1200,
    "refresh_token": "vLBPvmAB6KvwvJZr27cS"
  }