[EARS] Fix OAuth "Cancel authorization" to delete pending server-side state (#270224)

## Summary

When a user clicked "Cancel authorization" during an OAuth connector
flow, the UI reset correctly but the server-side `oauth_state` saved
object was left behind. If the OAuth provider tab was still open and the
user completed authorization there, the callback would succeed and the
connector would silently become connected — even though the user had
already cancelled. The orphan state would otherwise be reaped by the
10-minute TTL and the periodic cleanup task, but the window was real.

This PR makes cancel actually cancel by deleting the pending state
server-side:

- Adds `POST /internal/actions/connector/{connectorId}/_oauth_cancel` —
looks up the `oauth_state` saved object by the `state` value, verifies
ownership via `profile_uid`, and deletes it. Returns 204 (idempotent:
deleted and not-found both succeed), 403 if the state was created by a
different user.
- Adds `OAuthStateClient.deleteByState(stateParam, profileUid)` with
explicit ownership handling, including the case where `createdBy` is
absent (treated as forbidden).
- Wires `cancelConnect()` in `useConnectorOAuthConnect` to call the new
endpoint as a fire-and-forget: UI state resets synchronously;
server-side cancel is best-effort cleanup.
- Adds `state` to `StartOAuthFlowResponse` so the hook can pass the
exact state string to the cancel endpoint.

Closes elastic/search-team#14488


### Proof


https://github.com/user-attachments/assets/2dad9f8d-0911-4e6e-b4d8-9c811f0474ff


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

### Identify risks

- **Race condition (low):** A user could complete the OAuth flow in the
provider tab between clicking Cancel and the server processing the
cancel request. This is acceptable — cancel is best-effort and the
existing 10-minute TTL provides a backstop. The UI already shows
"disconnected" by the time any race could matter.
- **Ownership check on legacy states:** `oauth_state` objects without a
`createdBy` field (e.g. created before this change) cannot be cancelled
and return 403. This is intentional — without ownership data we cannot
verify the requester's right to cancel.
- **No breaking changes:** The new endpoint uses `access: 'internal'`.
The `state` field added to `StartOAuthFlowResponse` is additive and
backward compatible.

### Release note
Fixes a bug where cancelling an in-progress OAuth connector
authorization flow left the pending server-side state intact, allowing
the authorization to complete silently if the provider tab remained
open.

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: tara-elastic

x-pack/platform/packages/shared/response-ops/oauth-hooks/hooks/use_connector_oauth_connect.test.ts

@@ -182,17 +182,189 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
 
       act(() => {
-        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' });
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'abc-state' });
       });
 
       expect(window.open).toHaveBeenCalledWith('https://oauth.provider/auth', '_blank', 'noopener');
       expect(result.current.isAwaitingCallback).toBe(true);
     });
   });
 
+  describe('cancelConnect', () => {
+    const triggerMutationSuccess = (state = 'pending-state') => {
+      const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
+        authorizationUrl: string;
+        state: string;
+      }) => void;
+      act(() => {
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state });
+      });
+    };
+
+    it('resets isAwaitingCallback synchronously', () => {
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      triggerMutationSuccess();
+      expect(result.current.isAwaitingCallback).toBe(true);
+
+      act(() => result.current.cancelConnect());
+
+      expect(result.current.isAwaitingCallback).toBe(false);
+    });
+
+    it('posts to the cancel endpoint when a pending state exists', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      triggerMutationSuccess('my-oauth-state');
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).toHaveBeenCalledWith(
+        '/internal/actions/connector/conn-1/_oauth_cancel',
+        { body: JSON.stringify({ state: 'my-oauth-state' }) }
+      );
+    });
+
+    it('does not post to the cancel endpoint when no state has been captured', () => {
+      mockHttpPost.mockClear();
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      // Cancel before any flow has started
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).not.toHaveBeenCalled();
+    });
+
+    it('encodes connectorId in the cancel URL', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'id/with special&chars',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      triggerMutationSuccess('some-state');
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).toHaveBeenCalledWith(
+        expect.stringContaining(encodeURIComponent('id/with special&chars')),
+        expect.anything()
+      );
+    });
+
+    it('clears the pending state so a second cancel does not re-post', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      triggerMutationSuccess('my-oauth-state');
+      act(() => result.current.cancelConnect());
+      mockHttpPost.mockClear();
+
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).not.toHaveBeenCalled();
+    });
+
+    it('clears the pending state after a successful broadcast', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+          onSuccess: jest.fn(),
+        })
+      );
+
+      triggerMutationSuccess('my-state');
+
+      const channel = MockBroadcastChannel.instances.find(
+        (c) => c.name === OAUTH_BROADCAST_CHANNEL_NAME
+      )!;
+      act(() => {
+        channel.onmessage!({
+          data: { connectorId: 'conn-1', status: OAuthAuthorizationStatus.Success },
+        } as MessageEvent);
+      });
+
+      mockHttpPost.mockClear();
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).not.toHaveBeenCalled();
+    });
+
+    it('clears the pending state after the timeout fires', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+          timeout: 5000,
+          onError: jest.fn(),
+        })
+      );
+
+      triggerMutationSuccess('my-state');
+      act(() => jest.advanceTimersByTime(5000));
+      mockHttpPost.mockClear();
+
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).not.toHaveBeenCalled();
+    });
+
+    it('clears the pending state when connect is called for a new flow', () => {
+      mockHttpPost.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() =>
+        useConnectorOAuthConnect({
+          connectorId: 'conn-1',
+          redirectMode: OAuthRedirectMode.NewTab,
+        })
+      );
+
+      triggerMutationSuccess('old-state');
+
+      // Start a new flow
+      act(() => result.current.connect());
+      mockHttpPost.mockClear();
+
+      act(() => result.current.cancelConnect());
+
+      expect(mockHttpPost).not.toHaveBeenCalled();
+    });
+  });
+
   describe('NewTab mode - BroadcastChannel', () => {
     it('invokes onSuccess when receiving a success message for the matching connectorId', () => {
       const onSuccess = jest.fn();
@@ -206,8 +378,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
-      act(() => onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' }));
+      act(() =>
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' })
+      );
 
       const channel = MockBroadcastChannel.instances.find(
         (c) => c.name === OAUTH_BROADCAST_CHANNEL_NAME
@@ -236,8 +411,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
-      act(() => onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' }));
+      act(() =>
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' })
+      );
 
       const channel = MockBroadcastChannel.instances.find(
         (c) => c.name === OAUTH_BROADCAST_CHANNEL_NAME
@@ -265,8 +443,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
-      act(() => onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' }));
+      act(() =>
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' })
+      );
 
       const channel = MockBroadcastChannel.instances.find(
         (c) => c.name === OAUTH_BROADCAST_CHANNEL_NAME
@@ -300,8 +481,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
-      act(() => onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' }));
+      act(() =>
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' })
+      );
 
       act(() => jest.advanceTimersByTime(5000));
 
@@ -325,8 +509,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
-      act(() => onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' }));
+      act(() =>
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' })
+      );
 
       const channel = MockBroadcastChannel.instances.find(
         (c) => c.name === OAUTH_BROADCAST_CHANNEL_NAME
@@ -356,10 +543,11 @@ describe('useConnectorOAuthConnect', () => {
 
       const onMutationSuccess = capturedMutationOptions.onSuccess as (data: {
         authorizationUrl: string;
+        state: string;
       }) => void;
 
       act(() => {
-        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth' });
+        onMutationSuccess({ authorizationUrl: 'https://oauth.provider/auth', state: 'test-state' });
       });
 
       expect(window.location.assign).toHaveBeenCalledWith('https://oauth.provider/auth');

x-pack/platform/packages/shared/response-ops/oauth-hooks/hooks/use_connector_oauth_connect.ts

@@ -89,6 +89,7 @@ export const useConnectorOAuthConnect = ({
   onErrorRef.current = onError;
 
   const [isAwaitingCallback, setIsAwaitingCallback] = useState(false);
+  const pendingStateRef = useRef<string | undefined>();
 
   const handleAuthRedirect = useCallback(
     (authorizationUrl: string) => {
@@ -110,13 +111,14 @@ export const useConnectorOAuthConnect = ({
     StartOAuthFlowRequestBody
   >({
     mutationFn: (request) =>
-      http.post<{ authorizationUrl: string }>(
+      http.post<StartOAuthFlowResponse>(
         `${INTERNAL_BASE_ACTION_API_PATH}/connector/${encodeURIComponent(
           connectorId
         )}/_start_oauth_flow`,
         { body: JSON.stringify({ returnUrl: request.returnUrl }) }
       ),
-    onSuccess: ({ authorizationUrl }) => {
+    onSuccess: ({ authorizationUrl, state }) => {
+      pendingStateRef.current = state;
       setIsAwaitingCallback(true);
       handleAuthRedirect(authorizationUrl);
     },
@@ -126,6 +128,7 @@ export const useConnectorOAuthConnect = ({
   });
 
   const connect = useCallback(() => {
+    pendingStateRef.current = undefined;
     setIsAwaitingCallback(false);
     let resolvedReturnUrl: string | undefined;
     if (returnUrl) {
@@ -139,8 +142,21 @@ export const useConnectorOAuthConnect = ({
   }, [startOAuthFlow, redirectMode, returnUrl]);
 
   const cancelConnect = useCallback(() => {
+    const state = pendingStateRef.current;
+    pendingStateRef.current = undefined;
     setIsAwaitingCallback(false);
-  }, []);
+    if (state) {
+      // Fire-and-forget: best-effort server cancel; UI state is already reset above.
+      http
+        .post(
+          `${INTERNAL_BASE_ACTION_API_PATH}/connector/${encodeURIComponent(
+            connectorId
+          )}/_oauth_cancel`,
+          { body: JSON.stringify({ state }) }
+        )
+        .catch(() => {});
+    }
+  }, [http, connectorId]);
 
   // Handle OAuth callback timeout
   useEffect(() => {
@@ -149,6 +165,7 @@ export const useConnectorOAuthConnect = ({
     }
 
     const callbackTimeout = setTimeout(() => {
+      pendingStateRef.current = undefined;
       setIsAwaitingCallback(false);
       onErrorRef.current?.(
         new Error(
@@ -173,6 +190,7 @@ export const useConnectorOAuthConnect = ({
       if (event.data.connectorId !== connectorId) {
         return;
       }
+      pendingStateRef.current = undefined;
       if (event.data.status === OAuthAuthorizationStatus.Success) {
         onSuccessRef.current?.();
       } else {

x-pack/platform/plugins/shared/actions/common/index.ts

@@ -96,6 +96,8 @@ export type {
   StartOAuthFlowPathParams,
   StartOAuthFlowResponse,
   DisconnectOAuthPathParams,
+  CancelOAuthPathParams,
+  CancelOAuthBody,
 } from './routes/connector/apis/oauth';
 export {
   OAuthAuthorizationStatus,

x-pack/platform/plugins/shared/actions/common/routes/connector/apis/oauth/index.ts

@@ -9,11 +9,15 @@ export {
   startOAuthFlowRequestBodySchema,
   startOAuthFlowPathParamsSchema,
   disconnectOAuthPathParamsSchema,
+  cancelOAuthPathParamsSchema,
+  cancelOAuthBodySchema,
 } from './schemas/latest';
 
 export type {
   StartOAuthFlowRequestBody,
   StartOAuthFlowPathParams,
   StartOAuthFlowResponse,
   DisconnectOAuthPathParams,
+  CancelOAuthPathParams,
+  CancelOAuthBody,
 } from './types/latest';

x-pack/platform/plugins/shared/actions/common/routes/connector/apis/oauth/schemas/latest.ts

@@ -9,4 +9,6 @@ export {
   startOAuthFlowRequestBodySchema,
   startOAuthFlowPathParamsSchema,
   disconnectOAuthPathParamsSchema,
+  cancelOAuthPathParamsSchema,
+  cancelOAuthBodySchema,
 } from './v1';

x-pack/platform/plugins/shared/actions/common/routes/connector/apis/oauth/schemas/v1.ts

@@ -18,3 +18,11 @@ export const startOAuthFlowPathParamsSchema = schema.object({
 export const disconnectOAuthPathParamsSchema = schema.object({
   connectorId: schema.string(),
 });
+
+export const cancelOAuthPathParamsSchema = schema.object({
+  connectorId: schema.string(),
+});
+
+export const cancelOAuthBodySchema = schema.object({
+  state: schema.string(),
+});