Authenticate on Kibana 6.0.0 with a POST

I would like to add an iframe targeting Kibana with authentication.

With the help of this thread (Authenticating to iframe-embedded Kibana dashboard), I added a POST to handle authentication before loading the iframe.

But the POST fails on the preflight OPTIONS call when the header 'kbn-version' is present.
And if I remove 'kbn-version', the OPTIONS call succeeds but the subsequent POST fails because the 'kbn-version' header is not present.

How can I make this scenario work?

Your help is greatly appreciated.

Hi @JulienC,

I was unable to reproduce the problem. Could you please provide a detailed description of the request with all headers?

Hi @weltenwort,

To test the scenario above, I have added one line to kibana.yml:

    server.cors: true

My website, which hosts the iframe, makes a POST to the login API (/api/security/v1/login) with the headers:

    'kbn-version': '6.0.0',
    'Content-Type': 'application/json'

Because the request is cross-domain, the browser makes an OPTIONS call on the same API with the following headers:

    'Access-Control-Request-Headers': 'content-type,kbn-version',
    'Access-Control-Request-Method': 'POST'

This OPTIONS call fails when 'Access-Control-Request-Headers' contains 'kbn-version'.

I did a search on the web server used by Kibana (hapi.js) and the cors option used when the server is set up.
We can use a full JSON object for better customization instead of true or false.

And with a complete configuration I was able to log my user automatically.

    cors: {
        origin: ['*'],
        headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-version', 'Access-Control-Allow-Credentials'],
        credentials: true
    }

Is it possible to specify this configuration inside kibana.yml (server.cors allows only a boolean)?
It would be very useful to configure a specific origin domain and more.

Thank you,

You're hitting a slightly embarrassing point here. The server.cors setting accepts different values depending on whether Kibana runs in development or production mode. In dev mode it accepts a full hapi cors config object like the one you showed, but in production mode it only accepts a boolean.

Since I cannot in good conscience recommend running Kibana in production, one solution I can think of (until this inconsistency is changed) would be to use a reverse proxy in front of Kibana to strip out the kbn-version entry from the Access-Control-Request-Headers list (assuming it still works fine on the POST). Another option would be to avoid the cors problem altogether by reverse-proxying Kibana on the same domain as the embedding website.
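Not part of the thread: the added JavaScript below models the preflight decision described above, showing why a default allow list (what `server.cors: true` gives you) rejects the `kbn-version` header and how an allow list that includes it but pins the origin to the embedding site, instead of `origin: ['*']` together with `credentials: true`, accepts the same OPTIONS call. The function names, the origin `https://portal.example` and hapi's default header list are assumptions.

```javascript
// Added example, not Kibana's or hapi's code: a minimal model of the CORS preflight
// check triggered by the /api/security/v1/login POST described in the thread.
// Evaluate an OPTIONS request against a hapi-style { origin, headers, credentials }
// object; returns { status, headers } or { status, reason } on rejection.
function preflight(cors, req) {
  const anyOrigin = cors.origin.includes('*');
  if (!anyOrigin && !cors.origin.includes(req.origin)) {
    return { status: 403, reason: 'origin not allowed' };
  }
  // The browser lists every non-simple request header (lower-cased) in
  // Access-Control-Request-Headers; each one must be on the allow list.
  const requested = (req['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = cors.headers.map((h) => h.toLowerCase());
  const missing = requested.filter((h) => !allowed.includes(h));
  if (missing.length > 0) {
    return { status: 403, reason: `header(s) not allowed: ${missing.join(',')}` };
  }
  return {
    status: 200,
    headers: {
      // Browsers reject '*' combined with credentials, so echo the request
      // origin whenever credentials are enabled.
      'Access-Control-Allow-Origin': anyOrigin && !cors.credentials ? '*' : req.origin,
      'Access-Control-Allow-Headers': allowed.join(','),
      'Access-Control-Allow-Credentials': cors.credentials ? 'true' : 'false',
    },
  };
}

// Constructed preflight matching the one described in the thread.
const loginPreflight = {
  origin: 'https://portal.example', // constructed embedding site
  'access-control-request-headers': 'content-type,kbn-version',
  'access-control-request-method': 'POST',
};
// What `server.cors: true` gives (assumed: hapi's default allow list, no kbn-version).
const defaultCors = {
  origin: ['*'],
  headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'],
  credentials: false,
};
// Hardened variant of the thread's config: kbn-version is allowed, but the origin
// is pinned to the embedding site rather than '*' because the login call carries credentials.
const hardenedCors = {
  origin: ['https://portal.example'],
  headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-version'],
  credentials: true,
};
console.log(preflight(defaultCors, loginPreflight), preflight(hardenedCors, loginPreflight));
```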

Hi @weltenwort,

You say:

(until this inconsistency is changed)

Is it planned to let us configure the CORS of hapi with a full object in production mode?
If yes, have you planned a specific version or date?

Where can I find documentation about the server.cors configuration for Kibana 6.0?

Thanks for your answers.

Sorry, I can't give you any specific roadmap dates. The server.cors setting is not documented at the moment since we don't want to expose internals. Running Kibana behind your own reverse proxy and managing headers there would be our recommended approach for now.

Thanks for your advice.
