elastic · epixa · Dec 6, 2018 · Dec 6, 2018
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
@@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
       expect(request.headers).to.not.have.property('authorization');
       expect(authenticationResult.failed()).to.be(true);
       expect(authenticationResult.error).to.be(failureReason);
-      sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
+      sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
     });
 
     it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
@@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {
 
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
         )
         .returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
@@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
       const refreshFailureReason = new Error('Something is wrong with refresh token.');
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
         )
         .returns(Promise.reject(refreshFailureReason));
@@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {
 
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
         )
         .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {
 
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
         )
         .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {
 
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
         )
         .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
@@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {
 
       callWithInternalUser
         .withArgs(
-          'shield.samlRefreshAccessToken',
+          'shield.getAccessToken',
           { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
         )
         .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
@@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
 }
 
 /**
- * Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
+ * Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
  * request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
  * otherwise returns `false`.
  * @param {Object} err Error returned from Elasticsearch.
@@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
         access_token: newAccessToken,
         refresh_token: newRefreshToken
       } = await this._options.client.callWithInternalUser(
-        'shield.samlRefreshAccessToken',
+        'shield.getAccessToken',
         { body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
       );
 

diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
@@ -360,21 +360,41 @@
     });
 
     /**
-     * Refreshes SAML access token.
+     * Refreshes an access token.
      *
      * @param {string} grant_type Currently only "refresh_token" grant type is supported.
      * @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
      *
      * @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
      */
-    shield.samlRefreshAccessToken = ca({
+    shield.getAccessToken = ca({
       method: 'POST',
       needBody: true,
       url: {
         fmt: '/_xpack/security/oauth2/token'
       }
     });
 
+    /**
+     * Invalidates an access token.
+     *
+     * @param {string} token The access token to invalidate
+     *
+     * @returns {{created: boolean}}
+     */
+    shield.deleteAccessToken = ca({
+      method: 'DELETE',
+      needBody: true,
+      params: {
+        token: {
+          type: 'string'
+        }
+      },
+      url: {
+        fmt: '/_xpack/security/oauth2/token'
+      }
+    });
+
     shield.getPrivilege = ca({
       method: 'GET',
       urls: [{