diff --git a/x-pack/docs/build.gradle b/x-pack/docs/build.gradle index f64f70459a1..5e56414afed 100644 --- a/x-pack/docs/build.gradle +++ b/x-pack/docs/build.gradle @@ -92,6 +92,7 @@ buildRestTests.docs = fileTree(projectDir) { exclude 'build' // These file simply doesn't pass yet. We should figure out how to fix them. exclude 'en/watcher/reference/actions.asciidoc' + exclude 'en/rest-api/security/ssl.asciidoc' } Map setups = buildRestTests.setups diff --git a/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc b/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc index 4056bb81bed..13465dce6e8 100644 --- a/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc +++ b/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc @@ -22,7 +22,8 @@ can no longer be used. That time period is defined by the The refresh tokens returned by the <> are only valid for 24 hours. They can also be used exactly once. -If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API. +If you want to invalidate one or more access or refresh tokens immediately, use +this invalidate token API. ==== Request Body 
@@ -31,26 +32,56 @@ The following parameters can be specified in the body of a DELETE request and pertain to invalidating tokens: `token` (optional):: -(string) An access token. This parameter cannot be used any of `refresh_token`, `realm_name` or - `username` are used. +(string) An access token. This parameter cannot be used any of `refresh_token`, +`realm_name` or `username` are used. `refresh_token` (optional):: -(string) A refresh token. This parameter cannot be used any of `refresh_token`, `realm_name` or - `username` are used. +(string) A refresh token. This parameter cannot be used any of `refresh_token`, +`realm_name` or `username` are used. `realm_name` (optional):: -(string) The name of an authentication realm. This parameter cannot be used with either `refresh_token` or `token`. +(string) The name of an authentication realm. This parameter cannot be used with +either `refresh_token` or `token`. `username` (optional):: -(string) The username of a user. This parameter cannot be used with either `refresh_token` or `token` +(string) The username of a user. This parameter cannot be used with either +`refresh_token` or `token` -NOTE: While all parameters are optional, at least one of them is required. More specifically, either one of `token` -or `refresh_token` parameters is required. If none of these two are specified, then `realm_name` and/or `username` -need to be specified. +NOTE: While all parameters are optional, at least one of them is required. More +specifically, either one of `token` or `refresh_token` parameters is required. +If none of these two are specified, then `realm_name` and/or `username` need to +be specified. 
==== Examples -The following example invalidates the specified token immediately: +For example, if you create a token using the `client_credentials` grant type as +follows: + +[source,js] +-------------------------------------------------- +POST /_security/oauth2/token +{ + "grant_type" : "client_credentials" +} +-------------------------------------------------- +// CONSOLE +// TEST + +The get token API returns the following information about the access token: + +[source,js] +-------------------------------------------------- +{ + "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==", + "type" : "Bearer", + "expires_in" : 1200 +} +-------------------------------------------------- +// CONSOLE +// TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/] + +This access token can now be immediately invalidated, as shown in the following +example: [source,js] -------------------------------------------------- 
@@ -59,57 +90,97 @@ DELETE /_security/oauth2/token "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==" } -------------------------------------------------- -// NOTCONSOLE +// CONSOLE +// TEST[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/] +// TEST[continued] -whereas the following example invalidates the specified refresh token immediately: +If you used the `password` grant type to obtain a token for a user, the response +might also contain a refresh token. For example: + +[source,js] +-------------------------------------------------- +POST /_security/oauth2/token +{ + "grant_type" : "password", + "username" : "test_admin", + "password" : "x-pack-test-password" +} +-------------------------------------------------- +// CONSOLE +// TEST + +The get token API returns the following information: + +[source,js] +-------------------------------------------------- +{ + "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==", + "type" : "Bearer", + "expires_in" : 1200, + "refresh_token": "vLBPvmAB6KvwvJZr27cS" +} +-------------------------------------------------- +// CONSOLE +// TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/] +// TESTRESPONSE[s/vLBPvmAB6KvwvJZr27cS/$body.refresh_token/] + +The refresh token can now also be immediately invalidated as shown +in the following example: [source,js] -------------------------------------------------- DELETE /_security/oauth2/token { - "refresh_token" : "movUJjPGRRC0PQ7+NW0eag" + "refresh_token" : "vLBPvmAB6KvwvJZr27cS" } -------------------------------------------------- -// NOTCONSOLE +// CONSOLE +// TEST[s/vLBPvmAB6KvwvJZr27cS/$body.refresh_token/] +// TEST[continued] -The following example invalidates all access tokens and 
refresh tokens for the `saml1` realm immediately: +The following example invalidates all access tokens and refresh tokens for the +`saml1` realm immediately: [source,js] -------------------------------------------------- -DELETE /_xpack/security/oauth2/token +DELETE /_security/oauth2/token { "realm_name" : "saml1" } -------------------------------------------------- -// NOTCONSOLE +// CONSOLE +// TEST -The following example invalidates all access tokens and refresh tokens for the user `myuser` in all realms immediately: +The following example invalidates all access tokens and refresh tokens for the +user `myuser` in all realms immediately: [source,js] -------------------------------------------------- -DELETE /_xpack/security/oauth2/token +DELETE /_security/oauth2/token { "username" : "myuser" } -------------------------------------------------- -// NOTCONSOLE +// CONSOLE +// TEST -Finally, the following example invalidates all access tokens and refresh tokens for the user `myuser` in - the `saml1` realm immediately: +Finally, the following example invalidates all access tokens and refresh tokens +for the user `myuser` in the `saml1` realm immediately: [source,js] -------------------------------------------------- -DELETE /_xpack/security/oauth2/token +DELETE /_security/oauth2/token { "username" : "myuser", "realm_name" : "saml1" } -------------------------------------------------- -// NOTCONSOLE +// CONSOLE +// TEST -A successful call returns a JSON structure that contains the number of tokens that were invalidated, the number -of tokens that had already been invalidated, and potentially a list of errors encountered while invalidating -specific tokens. +A successful call returns a JSON structure that contains the number of tokens +that were invalidated, the number of tokens that had already been invalidated, +and potentially a list of errors encountered while invalidating specific tokens. [source,js] -------------------------------------------------- 
diff --git a/x-pack/docs/en/rest-api/security/ssl.asciidoc b/x-pack/docs/en/rest-api/security/ssl.asciidoc index d3480ac8bc0..932bbe6014d 100644 --- a/x-pack/docs/en/rest-api/security/ssl.asciidoc +++ b/x-pack/docs/en/rest-api/security/ssl.asciidoc @@ -78,12 +78,13 @@ node of {es}: [source,js] -------------------------------------------------- -GET /_xpack/certificates +GET /_ssl/certificates -------------------------------------------------- // CONSOLE -// TEST[skip:todo] +// TEST The API returns the following results: + [source,js] ---- [ @@ -116,4 +117,4 @@ The API returns the following results: } ] ---- -// NOTCONSOLE \ No newline at end of file +// NOTCONSOLE
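
Review bot: in x-pack/docs/build.gradle, the new `exclude 'en/rest-api/security/ssl.asciidoc'` is added under the shared comment "These file simply doesn't pass yet" without saying why this particular file fails or where that is tracked. Suggest a per-file comment giving the reason (or an issue reference) so the exclusion can be removed later, and fix the grammar of the shared comment now that it covers two files ("These files simply don't pass yet").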
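
Review bot: in invalidate-tokens.asciidoc, hunk @@ -31,26 +32,56 @@, the rewrapped `token` and `refresh_token` descriptions keep the broken sentence "This parameter cannot be used any of `refresh_token`, `realm_name` or `username` are used": the word "if" is missing, and the `refresh_token` entry lists itself where `token` seems intended (the `realm_name` and `username` entries both say "either `refresh_token` or `token`"). Since these lines are being touched anyway, suggest "cannot be used if any of ... are used", `token` in the second entry, and the missing full stop at the end of the `username` description. For an API that revokes credentials, the mutual-exclusion rules are the part readers most need stated correctly.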
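
Review bot: in invalidate-tokens.asciidoc, hunk @@ -59,57 +90,97 @@, the response body for the `password` grant is marked `// CONSOLE` as well as `// TESTRESPONSE`, although it is a JSON body with no request line; the `client_credentials` response added in the previous hunk has the same pair of markers. Suggest dropping `// CONSOLE` from both response blocks and keeping only the `// TESTRESPONSE[...]` lines, so the rendered page does not offer a response as a runnable request. Separately, the `password` request shows `"username" : "test_admin"` and `"password" : "x-pack-test-password"` literally; consider a `// TEST[s/.../.../]` substitution, as is already done for the token values, so the published example shows placeholder credentials.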
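
Review bot: in ssl.asciidoc, hunk @@ -78,12 +78,13 @@, changing `// TEST[skip:todo]` to `// TEST` on the `GET /_ssl/certificates` snippet has no effect while this same patch excludes 'en/rest-api/security/ssl.asciidoc' in x-pack/docs/build.gradle, and the response block still ends in `// NOTCONSOLE`, so nothing is compared against the returned certificate list. Suggest either keeping the skip marker with a reason in place of "todo", or dropping the build.gradle exclusion and adding a `// TESTRESPONSE` with substitutions for the certificate fields, and stating in the commit message which of the two is intended.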