From 8d77cd49996281e746a0a7138c7624867c047053 Mon Sep 17 00:00:00 2001
From: Jeramy Soucy <jeramy.soucy@elastic.co>
Date: Wed, 16 Oct 2024 15:11:25 +0200
Subject: [PATCH] Sets explicit access for public platform security endpoints
 (#195099)

Related issue: #189833

## Summary

This PR explicitly sets the access level for platform security HTTP API
endpoints. This is to address restriction of internal endpoints in v9.
For details, see https://github.com/elastic/kibana/issues/189833.

Additionally, this PR sets the `excludeFromOAS` option where applicable,
in order to refrain from generating documentation for endpoints which
are public but should either remain undocumented, or should be
documented as part of a specific topic (e.g. external authentication
flow).

Note: the invalidate sessions API has been changed to internal in
serverless

Endpoints excluded from OAS:
- GET /api/security/logout
- GET /api/security/v1/logout
- /api/security/oidc/implicit
- /api/security/v1/oidc/implicit
- /internal/security/oidc/implicit.js
- GET /api/security/oidc/callback
- GET /api/security/v1/oidc
- POST /api/security/oidc/initiate_login
- POST /api/security/v1/oidc
- GET /api/security/oidc/initiate_login
- POST /api/security/saml/callback
- /internal/security/reset_session_page.js
- /security/access_agreement
- /security/account
- /internal/security/capture-url
- /security/logged_out
- /login
- /logout
- /security/overwritten_session
- /spaces/space_selector
---
 .../server/routes/index.mock.ts               |  4 +-
 .../server/routes/key_rotation.test.ts        | 20 ++++++++
 .../server/routes/key_rotation.ts             |  2 +-
 .../routes/authentication/common.test.ts      |  3 +-
 .../server/routes/authentication/common.ts    |  6 ++-
 .../server/routes/authentication/oidc.ts      | 15 ++++--
 .../server/routes/authentication/saml.test.ts |  1 +
 .../server/routes/authentication/saml.ts      |  1 +
 .../routes/authorization/privileges/get.ts    |  1 +
 .../authorization/reset_session_page.ts       |  2 +-
 .../server/routes/session_management/index.ts |  9 +---
 .../routes/session_management/invalidate.ts   | 13 ++++-
 .../routes/views/access_agreement.test.ts     |  2 +-
 .../server/routes/views/access_agreement.ts   |  2 +-
 .../server/routes/views/account_management.ts |  5 +-
 .../server/routes/views/capture_url.test.ts   |  2 +-
 .../server/routes/views/capture_url.ts        |  2 +-
 .../server/routes/views/logged_out.test.ts    |  2 +-
 .../server/routes/views/logged_out.ts         |  2 +-
 .../server/routes/views/login.test.ts         |  2 +-
 .../security/server/routes/views/login.ts     |  2 +-
 .../security/server/routes/views/logout.ts    |  2 +-
 .../routes/views/overwritten_session.ts       |  2 +-
 .../spaces/server/routes/views/index.test.ts  |  2 +-
 .../spaces/server/routes/views/index.ts       |  3 +-
 .../common/platform_security/sessions.ts      | 50 +++++++++++++++----
 26 files changed, 112 insertions(+), 45 deletions(-)

diff --git a/x-pack/plugins/encrypted_saved_objects/server/routes/index.mock.ts b/x-pack/plugins/encrypted_saved_objects/server/routes/index.mock.ts
index 4d453f64b6954..4f486d3337632 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/routes/index.mock.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/routes/index.mock.ts
@@ -13,11 +13,11 @@ import { ConfigSchema } from '../config';
 import { encryptionKeyRotationServiceMock } from '../crypto/index.mock';
 
 export const routeDefinitionParamsMock = {
-  create: (config: Record<string, unknown> = {}) => ({
+  create: (config: Record<string, unknown> = {}, buildFlavor: BuildFlavor = 'traditional') => ({
     router: httpServiceMock.createRouter(),
     logger: loggingSystemMock.create().get(),
     config: ConfigSchema.validate(config) as ConfigType,
     encryptionKeyRotationService: encryptionKeyRotationServiceMock.create(),
-    buildFlavor: 'traditional' as BuildFlavor,
+    buildFlavor,
   }),
 };
diff --git a/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.test.ts b/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.test.ts
index 9b9dba6108ff3..f387e94e80990 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.test.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.test.ts
@@ -44,6 +44,7 @@ describe('Key rotation routes', () => {
 
     it('correctly defines route.', () => {
       expect(routeConfig.options).toEqual({
+        access: 'public',
         tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
         summary: `Rotate a key for encrypted saved objects`,
         description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
@@ -83,6 +84,25 @@ describe('Key rotation routes', () => {
       );
     });
 
+    it('defines route as internal when build flavor is serverless', () => {
+      const routeParamsMock = routeDefinitionParamsMock.create(
+        { keyRotation: { decryptionOnlyKeys: ['b'.repeat(32)] } },
+        'serverless'
+      );
+      defineKeyRotationRoutes(routeParamsMock);
+      const [config] = routeParamsMock.router.post.mock.calls.find(
+        ([{ path }]) => path === '/api/encrypted_saved_objects/_rotate_key'
+      )!;
+
+      expect(config.options).toEqual({
+        access: 'internal',
+        tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
+        summary: `Rotate a key for encrypted saved objects`,
+        description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
+        NOTE: Bulk key rotation can consume a considerable amount of resources and hence only user with a superuser role can trigger it.`,
+      });
+    });
+
     it('returns 400 if decryption only keys are not specified.', async () => {
       const routeParamsMock = routeDefinitionParamsMock.create();
       defineKeyRotationRoutes(routeParamsMock);
diff --git a/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.ts b/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.ts
index 80907497010da..272e74c3a69cb 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.ts
@@ -41,7 +41,7 @@ export function defineKeyRotationRoutes({
       },
       options: {
         tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
-        access: buildFlavor === 'serverless' ? 'internal' : undefined,
+        access: buildFlavor === 'serverless' ? 'internal' : 'public',
         summary: `Rotate a key for encrypted saved objects`,
         description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
         NOTE: Bulk key rotation can consume a considerable amount of resources and hence only user with a superuser role can trigger it.`,
diff --git a/x-pack/plugins/security/server/routes/authentication/common.test.ts b/x-pack/plugins/security/server/routes/authentication/common.test.ts
index c494389eb7c13..0fd2c54a1e6ca 100644
--- a/x-pack/plugins/security/server/routes/authentication/common.test.ts
+++ b/x-pack/plugins/security/server/routes/authentication/common.test.ts
@@ -69,6 +69,7 @@ describe('Common authentication routes', () => {
         access: 'public',
         authRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
+        excludeFromOAS: true,
       });
       expect(routeConfig.validate).toEqual({
         body: undefined,
@@ -170,7 +171,7 @@ describe('Common authentication routes', () => {
     });
 
     it('correctly defines route.', async () => {
-      expect(routeConfig.options).toBeUndefined();
+      expect(routeConfig.options).toEqual({ access: 'internal' });
       expect(routeConfig.validate).toBe(false);
     });
 
diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts
index e54d6e35f1669..b519171fd4fe6 100644
--- a/x-pack/plugins/security/server/routes/authentication/common.ts
+++ b/x-pack/plugins/security/server/routes/authentication/common.ts
@@ -48,6 +48,7 @@ export function defineCommonRoutes({
         validate: { query: schema.object({}, { unknowns: 'allow' }) },
         options: {
           access: 'public',
+          excludeFromOAS: true,
           authRequired: false,
           tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
         },
@@ -89,10 +90,11 @@ export function defineCommonRoutes({
     '/internal/security/me',
     ...(buildFlavor !== 'serverless' ? ['/api/security/v1/me'] : []),
   ]) {
+    const deprecated = path === '/api/security/v1/me';
     router.get(
-      { path, validate: false },
+      { path, validate: false, options: { access: deprecated ? 'public' : 'internal' } },
       createLicensedRouteHandler(async (context, request, response) => {
-        if (path === '/api/security/v1/me') {
+        if (deprecated) {
           logger.warn(
             `The "${basePath.serverBasePath}${path}" endpoint is deprecated and will be removed in the next major version.`,
             { tags: ['deprecation'] }
diff --git a/x-pack/plugins/security/server/routes/authentication/oidc.ts b/x-pack/plugins/security/server/routes/authentication/oidc.ts
index 2c4ab9de1491b..69c3ce1700671 100644
--- a/x-pack/plugins/security/server/routes/authentication/oidc.ts
+++ b/x-pack/plugins/security/server/routes/authentication/oidc.ts
@@ -37,7 +37,7 @@ export function defineOIDCRoutes({
       {
         path,
         validate: false,
-        options: { authRequired: false },
+        options: { authRequired: false, excludeFromOAS: true },
       },
       (context, request, response) => {
         const serverBasePath = basePath.serverBasePath;
@@ -68,7 +68,7 @@ export function defineOIDCRoutes({
     {
       path: '/internal/security/oidc/implicit.js',
       validate: false,
-      options: { authRequired: false },
+      options: { authRequired: false, excludeFromOAS: true },
     },
     (context, request, response) => {
       const serverBasePath = basePath.serverBasePath;
@@ -106,7 +106,12 @@ export function defineOIDCRoutes({
             { unknowns: 'allow' }
           ),
         },
-        options: { authRequired: false, tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW] },
+        options: {
+          access: 'public',
+          excludeFromOAS: true,
+          authRequired: false,
+          tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
+        },
       },
       createLicensedRouteHandler(async (context, request, response) => {
         const serverBasePath = basePath.serverBasePath;
@@ -184,6 +189,8 @@ export function defineOIDCRoutes({
           ),
         },
         options: {
+          access: 'public',
+          excludeFromOAS: true,
           authRequired: false,
           xsrfRequired: false,
           tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
@@ -227,6 +234,8 @@ export function defineOIDCRoutes({
         ),
       },
       options: {
+        access: 'public',
+        excludeFromOAS: true,
         authRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
       },
diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts
index e952d98a38649..f693d20354e89 100644
--- a/x-pack/plugins/security/server/routes/authentication/saml.test.ts
+++ b/x-pack/plugins/security/server/routes/authentication/saml.test.ts
@@ -56,6 +56,7 @@ describe('SAML authentication routes', () => {
       expect(routeConfig.options).toEqual({
         access: 'public',
         authRequired: false,
+        excludeFromOAS: true,
         xsrfRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
       });
diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts
index ddc31fbc88b89..3c72fd908e6c4 100644
--- a/x-pack/plugins/security/server/routes/authentication/saml.ts
+++ b/x-pack/plugins/security/server/routes/authentication/saml.ts
@@ -38,6 +38,7 @@ export function defineSAMLRoutes({
         },
         options: {
           access: 'public',
+          excludeFromOAS: true,
           authRequired: false,
           xsrfRequired: false,
           tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
diff --git a/x-pack/plugins/security/server/routes/authorization/privileges/get.ts b/x-pack/plugins/security/server/routes/authorization/privileges/get.ts
index 1d278aa676ac3..b7204faaa7ca4 100644
--- a/x-pack/plugins/security/server/routes/authorization/privileges/get.ts
+++ b/x-pack/plugins/security/server/routes/authorization/privileges/get.ts
@@ -26,6 +26,7 @@ export function defineGetPrivilegesRoutes({ router, authz }: RouteDefinitionPara
           ),
         }),
       },
+      options: { access: 'public' },
     },
     createLicensedRouteHandler((context, request, response) => {
       const respectLicenseLevel = request.query.respectLicenseLevel !== 'false'; // if undefined resolve to true by default
diff --git a/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts b/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts
index 67254735b9a16..0af24ad8d8397 100644
--- a/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts
+++ b/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts
@@ -12,7 +12,7 @@ export function resetSessionPageRoutes({ httpResources }: RouteDefinitionParams)
     {
       path: '/internal/security/reset_session_page.js',
       validate: false,
-      options: { authRequired: false },
+      options: { authRequired: false, excludeFromOAS: true },
     },
     (context, request, response) => {
       return response.renderJs({
diff --git a/x-pack/plugins/security/server/routes/session_management/index.ts b/x-pack/plugins/security/server/routes/session_management/index.ts
index c095a77409975..041feea8a62fd 100644
--- a/x-pack/plugins/security/server/routes/session_management/index.ts
+++ b/x-pack/plugins/security/server/routes/session_management/index.ts
@@ -13,12 +13,5 @@ import type { RouteDefinitionParams } from '..';
 export function defineSessionManagementRoutes(params: RouteDefinitionParams) {
   defineSessionInfoRoutes(params);
   defineSessionExtendRoutes(params);
-
-  // The invalidate session API was introduced to address situations where the session index
-  // could grow rapidly - when session timeouts are disabled, or with anonymous access.
-  // In the serverless environment, sessions timeouts are always be enabled, and there is no
-  // anonymous access. This eliminates the need for an invalidate session HTTP API.
-  if (params.buildFlavor !== 'serverless') {
-    defineInvalidateSessionsRoutes(params);
-  }
+  defineInvalidateSessionsRoutes(params);
 }
diff --git a/x-pack/plugins/security/server/routes/session_management/invalidate.ts b/x-pack/plugins/security/server/routes/session_management/invalidate.ts
index c7d27b835edf2..a45d8f00c1ca4 100644
--- a/x-pack/plugins/security/server/routes/session_management/invalidate.ts
+++ b/x-pack/plugins/security/server/routes/session_management/invalidate.ts
@@ -12,7 +12,11 @@ import type { RouteDefinitionParams } from '..';
 /**
  * Defines routes required for session invalidation.
  */
-export function defineInvalidateSessionsRoutes({ router, getSession }: RouteDefinitionParams) {
+export function defineInvalidateSessionsRoutes({
+  router,
+  getSession,
+  buildFlavor,
+}: RouteDefinitionParams) {
   router.post(
     {
       path: '/api/security/session/_invalidate',
@@ -34,7 +38,12 @@ export function defineInvalidateSessionsRoutes({ router, getSession }: RouteDefi
         }),
       },
       options: {
-        access: 'public',
+        // The invalidate session API was introduced to address situations where the session index
+        // could grow rapidly - when session timeouts are disabled, or with anonymous access.
+        // In the serverless environment, sessions timeouts are always be enabled, and there is no
+        // anonymous access. However, keeping this endpoint available internally in serverless would
+        // be useful in situations where we need to batch-invalidate user sessions.
+        access: buildFlavor === 'serverless' ? 'internal' : 'public',
         tags: ['access:sessionManagement'],
         summary: `Invalidate user sessions`,
       },
diff --git a/x-pack/plugins/security/server/routes/views/access_agreement.test.ts b/x-pack/plugins/security/server/routes/views/access_agreement.test.ts
index ef588ae1cfcfc..74eee1e129e2c 100644
--- a/x-pack/plugins/security/server/routes/views/access_agreement.test.ts
+++ b/x-pack/plugins/security/server/routes/views/access_agreement.test.ts
@@ -71,7 +71,7 @@ describe('Access agreement view routes', () => {
     });
 
     it('correctly defines route.', () => {
-      expect(routeConfig.options).toBeUndefined();
+      expect(routeConfig.options).toEqual({ excludeFromOAS: true });
       expect(routeConfig.validate).toBe(false);
     });
 
diff --git a/x-pack/plugins/security/server/routes/views/access_agreement.ts b/x-pack/plugins/security/server/routes/views/access_agreement.ts
index 3724892edd6df..823fbb0286f33 100644
--- a/x-pack/plugins/security/server/routes/views/access_agreement.ts
+++ b/x-pack/plugins/security/server/routes/views/access_agreement.ts
@@ -24,7 +24,7 @@ export function defineAccessAgreementRoutes({
   const canHandleRequest = () => license.getFeatures().allowAccessAgreement;
 
   httpResources.register(
-    { path: '/security/access_agreement', validate: false },
+    { path: '/security/access_agreement', validate: false, options: { excludeFromOAS: true } },
     createLicensedRouteHandler(async (context, request, response) =>
       canHandleRequest()
         ? response.renderCoreApp()
diff --git a/x-pack/plugins/security/server/routes/views/account_management.ts b/x-pack/plugins/security/server/routes/views/account_management.ts
index af49f325a25d2..4b3fbb78fed90 100644
--- a/x-pack/plugins/security/server/routes/views/account_management.ts
+++ b/x-pack/plugins/security/server/routes/views/account_management.ts
@@ -11,7 +11,8 @@ import type { RouteDefinitionParams } from '..';
  * Defines routes required for the Account Management view.
  */
 export function defineAccountManagementRoutes({ httpResources }: RouteDefinitionParams) {
-  httpResources.register({ path: '/security/account', validate: false }, (context, req, res) =>
-    res.renderCoreApp()
+  httpResources.register(
+    { path: '/security/account', validate: false, options: { excludeFromOAS: true } },
+    (context, req, res) => res.renderCoreApp()
   );
 }
diff --git a/x-pack/plugins/security/server/routes/views/capture_url.test.ts b/x-pack/plugins/security/server/routes/views/capture_url.test.ts
index 1893ad6c9cb5f..4496ab341b085 100644
--- a/x-pack/plugins/security/server/routes/views/capture_url.test.ts
+++ b/x-pack/plugins/security/server/routes/views/capture_url.test.ts
@@ -34,7 +34,7 @@ describe('Capture URL view routes', () => {
   });
 
   it('correctly defines route.', () => {
-    expect(routeConfig.options).toEqual({ authRequired: false });
+    expect(routeConfig.options).toEqual({ authRequired: false, excludeFromOAS: true });
 
     expect(routeConfig.validate).toEqual({
       body: undefined,
diff --git a/x-pack/plugins/security/server/routes/views/capture_url.ts b/x-pack/plugins/security/server/routes/views/capture_url.ts
index 8eff92d78999d..394b799ca1f9d 100644
--- a/x-pack/plugins/security/server/routes/views/capture_url.ts
+++ b/x-pack/plugins/security/server/routes/views/capture_url.ts
@@ -19,7 +19,7 @@ export function defineCaptureURLRoutes({ httpResources }: RouteDefinitionParams)
       validate: {
         query: schema.object({ next: schema.maybe(schema.string()) }, { unknowns: 'ignore' }),
       },
-      options: { authRequired: false },
+      options: { authRequired: false, excludeFromOAS: true },
     },
     (context, request, response) => response.renderAnonymousCoreApp()
   );
diff --git a/x-pack/plugins/security/server/routes/views/logged_out.test.ts b/x-pack/plugins/security/server/routes/views/logged_out.test.ts
index 850a533e3d93a..9aecb39750b1b 100644
--- a/x-pack/plugins/security/server/routes/views/logged_out.test.ts
+++ b/x-pack/plugins/security/server/routes/views/logged_out.test.ts
@@ -35,7 +35,7 @@ describe('LoggedOut view routes', () => {
   });
 
   it('correctly defines route.', () => {
-    expect(routeConfig.options).toEqual({ authRequired: false });
+    expect(routeConfig.options).toEqual({ authRequired: false, excludeFromOAS: true });
     expect(routeConfig.validate).toBe(false);
   });
 
diff --git a/x-pack/plugins/security/server/routes/views/logged_out.ts b/x-pack/plugins/security/server/routes/views/logged_out.ts
index 360c0fb2c9b7c..66581f574def8 100644
--- a/x-pack/plugins/security/server/routes/views/logged_out.ts
+++ b/x-pack/plugins/security/server/routes/views/logged_out.ts
@@ -20,7 +20,7 @@ export function defineLoggedOutRoutes({
     {
       path: '/security/logged_out',
       validate: false,
-      options: { authRequired: false },
+      options: { authRequired: false, excludeFromOAS: true },
     },
     async (context, request, response) => {
       // Authentication flow isn't triggered automatically for this route, so we should explicitly
diff --git a/x-pack/plugins/security/server/routes/views/login.test.ts b/x-pack/plugins/security/server/routes/views/login.test.ts
index b19ef41ca9098..11797e20523e9 100644
--- a/x-pack/plugins/security/server/routes/views/login.test.ts
+++ b/x-pack/plugins/security/server/routes/views/login.test.ts
@@ -52,7 +52,7 @@ describe('Login view routes', () => {
     });
 
     it('correctly defines route.', () => {
-      expect(routeConfig.options).toEqual({ authRequired: 'optional' });
+      expect(routeConfig.options).toEqual({ authRequired: 'optional', excludeFromOAS: true });
 
       expect(routeConfig.validate).toEqual({
         body: undefined,
diff --git a/x-pack/plugins/security/server/routes/views/login.ts b/x-pack/plugins/security/server/routes/views/login.ts
index 5d4468fcbba57..8cf8459d523b8 100644
--- a/x-pack/plugins/security/server/routes/views/login.ts
+++ b/x-pack/plugins/security/server/routes/views/login.ts
@@ -39,7 +39,7 @@ export function defineLoginRoutes({
           { unknowns: 'allow' }
         ),
       },
-      options: { authRequired: 'optional' },
+      options: { authRequired: 'optional', excludeFromOAS: true },
     },
     async (context, request, response) => {
       // Default to true if license isn't available or it can't be resolved for some reason.
diff --git a/x-pack/plugins/security/server/routes/views/logout.ts b/x-pack/plugins/security/server/routes/views/logout.ts
index 3fb905ee10d37..d61f4e83083d2 100644
--- a/x-pack/plugins/security/server/routes/views/logout.ts
+++ b/x-pack/plugins/security/server/routes/views/logout.ts
@@ -12,7 +12,7 @@ import type { RouteDefinitionParams } from '..';
  */
 export function defineLogoutRoutes({ httpResources }: RouteDefinitionParams) {
   httpResources.register(
-    { path: '/logout', validate: false, options: { authRequired: false } },
+    { path: '/logout', validate: false, options: { authRequired: false, excludeFromOAS: true } },
     (context, request, response) => response.renderAnonymousCoreApp()
   );
 }
diff --git a/x-pack/plugins/security/server/routes/views/overwritten_session.ts b/x-pack/plugins/security/server/routes/views/overwritten_session.ts
index 115f7ea0a093f..4ab57f2cc9e72 100644
--- a/x-pack/plugins/security/server/routes/views/overwritten_session.ts
+++ b/x-pack/plugins/security/server/routes/views/overwritten_session.ts
@@ -12,7 +12,7 @@ import type { RouteDefinitionParams } from '..';
  */
 export function defineOverwrittenSessionRoutes({ httpResources }: RouteDefinitionParams) {
   httpResources.register(
-    { path: '/security/overwritten_session', validate: false },
+    { path: '/security/overwritten_session', validate: false, options: { excludeFromOAS: true } },
     (context, req, res) => res.renderCoreApp()
   );
 }
diff --git a/x-pack/plugins/spaces/server/routes/views/index.test.ts b/x-pack/plugins/spaces/server/routes/views/index.test.ts
index b87bfe86c022a..e42f2dcf42eaf 100644
--- a/x-pack/plugins/spaces/server/routes/views/index.test.ts
+++ b/x-pack/plugins/spaces/server/routes/views/index.test.ts
@@ -59,7 +59,7 @@ describe('Space Selector view routes', () => {
   });
 
   it('correctly defines route.', () => {
-    expect(routeConfig.options).toBeUndefined();
+    expect(routeConfig.options).toEqual({ excludeFromOAS: true });
     expect(routeConfig.validate).toBe(false);
   });
 
diff --git a/x-pack/plugins/spaces/server/routes/views/index.ts b/x-pack/plugins/spaces/server/routes/views/index.ts
index ab06b17374f13..f21a665e35525 100644
--- a/x-pack/plugins/spaces/server/routes/views/index.ts
+++ b/x-pack/plugins/spaces/server/routes/views/index.ts
@@ -20,7 +20,7 @@ export interface ViewRouteDeps {
 
 export function initSpacesViewsRoutes(deps: ViewRouteDeps) {
   deps.httpResources.register(
-    { path: '/spaces/space_selector', validate: false },
+    { path: '/spaces/space_selector', validate: false, options: { excludeFromOAS: true } },
     (context, request, response) => response.renderCoreApp()
   );
 
@@ -32,6 +32,7 @@ export function initSpacesViewsRoutes(deps: ViewRouteDeps) {
           schema.object({ next: schema.maybe(schema.string()) }, { unknowns: 'ignore' })
         ),
       },
+      options: { excludeFromOAS: true },
     },
     async (context, request, response) => {
       try {
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/sessions.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/sessions.ts
index c76ccb81f8ce2..c102f502f9489 100644
--- a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/sessions.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/sessions.ts
@@ -10,7 +10,6 @@ import { SupertestWithRoleScopeType } from '@kbn/test-suites-xpack/api_integrati
 import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
   const samlAuth = getService('samlAuth');
   const roleScopedSupertest = getService('roleScopedSupertest');
   let supertestViewerWithCookieCredentials: SupertestWithRoleScopeType;
@@ -26,16 +25,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     describe('route access', () => {
-      describe('disabled', () => {
-        it('invalidate', async () => {
-          const { body, status } = await supertestViewerWithCookieCredentials
-            .post('/api/security/session/_invalidate')
-            .set(samlAuth.getInternalRequestHeader())
-            .send({ match: 'all' });
-          svlCommonApi.assertApiNotFound(body, status);
-        });
-      });
-
       describe('internal', () => {
         it('get session info', async () => {
           let body: any;
@@ -84,6 +73,45 @@ export default function ({ getService }: FtrProviderContext) {
           // expect redirect
           expect(status).toBe(302);
         });
+
+        it('invalidate', async () => {
+          const supertestAdmin = await roleScopedSupertest.getSupertestWithRoleScope('admin', {
+            useCookieHeader: true,
+          });
+
+          let body: any;
+          let status: number;
+
+          ({ body, status } = await supertestViewerWithCookieCredentials
+            .post('/api/security/session/_invalidate')
+            .set(samlAuth.getCommonRequestHeader()));
+          // expect a rejection because we're not using the internal header
+          expect(body).toEqual({
+            statusCode: 400,
+            error: 'Bad Request',
+            message: expect.stringContaining(
+              'method [post] exists but is not available with the current configuration'
+            ),
+          });
+          expect(status).toBe(400);
+
+          ({ body, status } = await supertestViewerWithCookieCredentials
+            .post('/api/security/session/_invalidate')
+            .set(samlAuth.getInternalRequestHeader()));
+          // expect forbidden because the viewer does not have privilege to invalidate a session
+          expect(status).toBe(403);
+
+          ({ body, status } = await supertestAdmin
+            .post('/api/security/session/_invalidate')
+            .set(samlAuth.getInternalRequestHeader()));
+          // expect 400 due to no body, admin has privilege, but the request body is missing
+          expect(status).toBe(400);
+          expect(body).toEqual({
+            error: 'Bad Request',
+            message: '[request body]: expected a plain object value, but found [null] instead.',
+            statusCode: 400,
+          });
+        });
       });
     });
   });