Add OIDC logout specification

Author: lcawl

specification/security/oidc_authenticate/Request.ts

@@ -23,7 +23,7 @@ import { RequestBase } from '@_types/Base'
  * Authenticate OpenID Connect.
  * Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication.
  *
- * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs.
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
  * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
  * @rest_spec_name security.oidc_authenticate
  * @availability stack stability=stable visibility=public

specification/security/oidc_authenticate/Response.ts

@@ -21,9 +21,21 @@ import { integer } from '@_types/Numeric'
 
 export class Response {
   body: {
+    /**
+     * The Elasticsearch access token.
+     */
     access_token: string
+    /**
+     * The duration (in seconds) of the tokens.
+     */
     expires_in: integer
+    /**
+     * The Elasticsearch refresh token.
+     */
     refresh_token: string
+    /**
+     * The type of token.
+     */
     type: string
   }
 }

specification/security/oidc_logout/Request.ts

@@ -0,0 +1,44 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RequestBase } from '@_types/Base'
+
+/**
+ * Logout of OpenID Connect.
+ * Invalidate an access token and a refresh token that were generated as a response to the `/_security/oidc/authenticate` API.
+ *
+ * If the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.
+ *
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * @rest_spec_name security.oidc_logout
+ * @availability stack stability=stable visibility=public
+ */
+export interface Request extends RequestBase {
+  body: {
+    /**
+     * The access token to be invalidated.
+     */
+    access_token: string
+    /**
+     * The refresh token to be invalidated.
+     */
+    refresh_token?: string
+  }
+}

specification/security/oidc_logout/Response.ts

@@ -0,0 +1,27 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+  body: {
+    /**
+     * A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.
+     */
+    redirect: string
+  }
+}

specification/security/oidc_prepare_authentication/Request.ts

@@ -25,7 +25,8 @@ import { RequestBase } from '@_types/Base'
  *
  * The response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process.
  *
- * Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
+ * Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs.
+ * These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.
  * @rest_spec_name security.oidc_prepare_authentication
  * @availability stack stability=stable visibility=public
  */

specification/security/oidc_prepare_authentication/Response.ts

@@ -21,6 +21,9 @@ export class Response {
   body: {
     nonce: string
     realm: string
+    /**
+     * A URI that points to the authorization endpoint of the OpenID Connect Provider with all the parameters of the authentication request as HTTP GET parameters.
+     */
     redirect: string
     state: string
   }