Class TransportDelegatePkiAuthenticationAction


public final class TransportDelegatePkiAuthenticationAction extends HandledTransportAction<DelegatePkiAuthenticationRequest,DelegatePkiAuthenticationResponse>
Implements the exchange of an X509Certificate chain into an access token. The certificate chain is represented as an array where the first element is the target certificate containing the subject distinguished name that is requesting access. This may be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one.

The certificate chain is validated according to RFC 5280, by sequentially considering the trust configuration of every installed PkiRealm that has PkiRealmSettings#DELEGATION_ENABLED_SETTING set to true (default is false). A successfully trusted target certificate is also subject to the validation of the subject distinguished name according to that respective realm's PkiRealmSettings#USERNAME_PATTERN_SETTING.

IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated. This is part of the TLS authentication process and it is delegated to the proxy calling this API. The proxy is trusted to have performed the TLS authentication, and this API translates that authentication into an Elasticsearch access token.
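The chain ordering and RFC 5280 validation described above can be reproduced with the JDK's own PKIX validator, for example to check a chain on the proxy side before it is submitted. This is an added example, not Elasticsearch code: the class name, the PEM file arguments and the username pattern are assumptions. Like the API, it does not prove possession of the target certificate's private key.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;

public class DelegatedChainCheck {
    // Assumed username pattern, for illustration; the realm's configured pattern decides in practice.
    static final Pattern USERNAME = Pattern.compile("CN=(.*?)(?:,|$)", Pattern.CASE_INSENSITIVE);

    /** Target certificate first; every following element must have issued and signed the one before it. */
    static void checkOrder(List<X509Certificate> chain) throws Exception {
        if (chain.isEmpty()) throw new CertificateException("empty certificate chain");
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i), issuer = chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                throw new CertificateException("element " + (i + 1) + " did not issue element " + i);
            cert.verify(issuer.getPublicKey()); // throws when the signature does not verify
        }
    }

    /** PKIX (RFC 5280) path validation against the trust anchors, then username extraction. */
    static String validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        checkOrder(chain);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // revocation checking is left out of this example
        CertPathValidator.getInstance("PKIX").validate(path, params);
        Matcher m = USERNAME.matcher(chain.get(0).getSubjectX500Principal().getName());
        if (!m.find()) throw new CertificateException("subject DN does not match the username pattern");
        return m.group(1);
    }

    /** Reads every certificate from a PEM file, in file order. */
    static List<X509Certificate> readPem(Path file) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                certs.add((X509Certificate) c);
        }
        return certs;
    }

    // Usage: java DelegatedChainCheck.java chain.pem trusted-cas.pem (hypothetical file names)
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : readPem(Path.of(args[1]))) anchors.add(new TrustAnchor(ca, null));
        System.out.println("principal: " + validate(readPem(Path.of(args[0])), anchors));
    }
}
```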