mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 07:37:19 -04:00
2351bb399c
* Adding authentication information to access token create APIs
Adding authentication object to following APIs:
/_security/oauth2/token
/_security/delegate_pki
/_security/saml/authenticate
/_security/oidc/authenticate
Resolves: #59685
(cherry picked from commit 51dbd9e584)
* Addressing PR commends, fixing tests
* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)
Addressing PR comments
* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)
Update version check
* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)
Update version check
* Addressing more PR comments
* Adding more to integration tests + some small fixes
88 lines
3.8 KiB
Text
88 lines
3.8 KiB
Text
[role="xpack"]
|
|
[[java-rest-high-security-create-token]]
|
|
=== Create Token API
|
|
|
|
[[java-rest-high-security-create-token-request]]
|
|
==== Request
|
|
The `CreateTokenRequest` supports three different OAuth2 _grant types_:
|
|
|
|
===== Password Grants
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-password-request]
|
|
--------------------------------------------------
|
|
|
|
===== Refresh Token Grants
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-refresh-request]
|
|
--------------------------------------------------
|
|
|
|
===== Client Credential Grants
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-client-credentials-request]
|
|
--------------------------------------------------
|
|
|
|
[[java-rest-high-security-create-token-execution]]
|
|
==== Execution
|
|
|
|
Creating a OAuth2 security token can be performed by passing the appropriate request to the
|
|
`security().createToken()` method:
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-execute]
|
|
--------------------------------------------------
|
|
|
|
[[java-rest-high-security-create-token-response]]
|
|
==== Response
|
|
|
|
The returned `CreateTokenResponse` contains the following properties:
|
|
|
|
`accessToken`:: This is the newly created access token.
|
|
It can be used to authenticate to the Elasticsearch cluster.
|
|
`type`:: The type of the token, this is always `"Bearer"`.
|
|
`expiresIn`:: The length of time until the token will expire.
|
|
The token will be considered invalid after that time.
|
|
`scope`:: The scope of the token. May be `null`.
|
|
`refreshToken`:: A secondary "refresh" token that may be used to extend
|
|
the life of an access token. May be `null`.
|
|
`authentication`:: This is the authentication object for the newly created token. See also
|
|
<<{upid}-authenticate-response, authenticate response>> for details.
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-response]
|
|
--------------------------------------------------
|
|
<1> The `accessToken` can be used to authentication to Elasticsearch.
|
|
<2> The `refreshToken` can be used in to create a new `CreateTokenRequest` with a `refresh_token` grant.
|
|
|
|
[[java-rest-high-security-create-token-async]]
|
|
==== Asynchronous Execution
|
|
|
|
This request can be executed asynchronously using the `security().createTokenAsync()`
|
|
method:
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-execute-async]
|
|
--------------------------------------------------
|
|
<1> The `CreateTokenRequest` to execute and the `ActionListener` to use when
|
|
the execution completes
|
|
|
|
The asynchronous method does not block and returns immediately. Once the request
|
|
has completed the `ActionListener` is called back using the `onResponse` method
|
|
if the execution successfully completed or using the `onFailure` method if
|
|
it failed.
|
|
|
|
A typical listener for a `CreateTokenResponse` looks like:
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-execute-listener]
|
|
--------------------------------------------------
|
|
<1> Called when the execution is successfully completed. The response is
|
|
provided as an argument
|
|
<2> Called in case of failure. The raised exception is provided as an argument
|