[8.x] Deprecated authRequired in favor of security.authc.enabled (#202414) (#203531)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Deprecated authRequired in favor of security.authc.enabled
(#202414)](https://github.com/elastic/kibana/pull/202414)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Elena
Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-10T10:24:41Z","message":"Deprecated
authRequired in favor of security.authc.enabled (#202414)\n\n##
Summary\r\n\r\nDeprecated `authRequired` in favor of
`security.authc.enabled`.\r\n\r\n\r\n### Checklist\r\n\r\n-
[x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/191711__\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"4feed672e3c890214213c95033729334310fedf6","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","Feature:Security/Authentication","release_note:skip","v9.0.0","backport:prev-minor"],"title":"Deprecated
authRequired in favor of
security.authc.enabled","number":202414,"url":"https://github.com/elastic/kibana/pull/202414","mergeCommit":{"message":"Deprecated
authRequired in favor of security.authc.enabled (#202414)\n\n##
Summary\r\n\r\nDeprecated `authRequired` in favor of
`security.authc.enabled`.\r\n\r\n\r\n### Checklist\r\n\r\n-
[x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/191711__\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"4feed672e3c890214213c95033729334310fedf6"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202414","number":202414,"mergeCommit":{"message":"Deprecated
authRequired in favor of security.authc.enabled (#202414)\n\n##
Summary\r\n\r\nDeprecated `authRequired` in favor of
`security.authc.enabled`.\r\n\r\n\r\n### Checklist\r\n\r\n-
[x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/191711__\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"4feed672e3c890214213c95033729334310fedf6"}}]}]
BACKPORT-->

Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>

dev_docs/tutorials/endpoints.mdx

@@ -368,7 +368,7 @@ export class MyPlugin implements Plugin {
 By default, when security is enabled, endpoints require the user to be authenticated to be accessed,
 and will return a `401 - Unauthorized` otherwise.
 
-It is possible to disable this requirement using the `authRequired` option of the route.
+It is possible to disable this requirement using the `security.authc.enabled` option of the route.
 
 ```ts
 import type { CoreSetup, Plugin } from '@kbn/core/server';
@@ -380,8 +380,11 @@ export class MyPlugin implements Plugin {
       {
         path: '/api/my_plugin/get_object',
         validate: false,
-        options: {
-          authRequired: false,
+        security: {
+          authc: {
+            enabled: false,
+            reason: 'This endpoint does not require authentication',
+          },
         },
       },
       async (context, request, response) => {
@@ -394,7 +397,7 @@ export class MyPlugin implements Plugin {
 }
 ```
 
-Note that in addition to `true` and `false`, `authRequired` accepts a third value, `'optional'`. When used,
+Note that in addition to `true` and `false`, `security.authc.enabled` accepts a third value, `'optional'`. When used,
 Kibana will try to authenticate the user but will allow access to the endpoint regardless of the result. In that
 case, the developer needs to manually checks if the user is authenticated via `request.auth.isAuthenticated`.
 
@@ -416,8 +419,11 @@ export class MyPlugin implements Plugin {
       {
         path: '/api/my_plugin/get_object',
         validate: false,
-        options: {
-          authRequired: false,
+        security: {
+          authc: {
+            enabled: false,
+            reason: 'This endpoint does not require authentication',
+          },
         },
       },
       async (context, request, response) => {

legacy_rfcs/text/0005_route_handler.md

@@ -45,7 +45,6 @@ interface KibanaRequest {
     path: string;
     method: 'get' | 'post' | ...
     options: {
-      authRequired: boolean;
       tags: string [];
     }
   }

packages/core/http/core-http-server/src/router/route.ts

@@ -291,6 +291,8 @@ export interface RouteConfigOptions<Method extends RouteMethod> {
    *               Can be useful when we grant access to a resource but want to identify a user if possible.
    *
    * Defaults to `true` if an auth mechanism is registered.
+   *
+   * @deprecated Use `security.authc.enabled` instead
    */
   authRequired?: boolean | 'optional';