Authenticated Elastic API - Best Practice

What would be the best practice to implement role based security between a back end service and Elasticsearch?

Basic HTTP Authentication or token-based OAuth using bearer tokens.

I would lean towards the latter because it doesn't constantly transmit the user credentials for every call. Does the Python library make use of the token approach or basic auth?

That is true, but why is that important to you? It may not be the problem you think it is.

This will work, but requires that you keep track of a refresh token and perform frequent refreshes that generate a new bearer token. It's not hard but it's definitely more work than Basic Auth, so you'd want to be sure it's solving a real problem.

When I consider security settings I prefer to assume I am working in a hostile environment. Therefore I would choose the most secure option.

I recall reading that the access token can only be refreshed for up to 24 hours. Or is that the window in which the refresh token can be used to refresh the access token, "provided it wasn't revoked"?
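The bookkeeping described in the thread (cache the access token, refresh it shortly before it expires, and re-authenticate with the password grant once the refresh token is no longer accepted, for example after the refresh window has passed or the token was revoked), as an added example that is not from this thread or from Elastic's own code. It assumes elasticsearch-py 8.x's `security.get_token` keyword signature and that the caller attaches the returned header to its requests; the `get_token` callable and the clock are injected so the expiry logic runs without a cluster.

```python
import time
from typing import Any, Callable, Dict, Optional

class BearerTokenSession:
    """Keeps an Elasticsearch access/refresh token pair valid for a back-end service.

    `get_token` is assumed to match elasticsearch-py 8.x's
    Elasticsearch.security.get_token(grant_type=..., ...) and to return a dict
    with access_token, refresh_token and expires_in (seconds).
    """

    def __init__(self, get_token: Callable[..., Dict[str, Any]], username: str,
                 password: str, skew: int = 30,
                 clock: Callable[[], float] = time.time) -> None:
        self._get_token = get_token
        self._username = username
        self._password = password  # kept only to re-authenticate once refresh fails
        self._skew = skew          # renew this many seconds before server-side expiry
        self._clock = clock        # injectable so expiry logic can be tested offline
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None
        self._expires_at = 0.0

    def _store(self, resp: Dict[str, Any]) -> None:
        self._access = resp["access_token"]
        self._refresh = resp["refresh_token"]
        self._expires_at = self._clock() + float(resp["expires_in"])

    def _login(self) -> None:
        # Password grant: the only exchange in which the service credentials are sent.
        self._store(self._get_token(grant_type="password", username=self._username,
                                    password=self._password))

    def access_token(self) -> str:
        """Return a bearer token valid now, refreshing it when close to expiry."""
        if self._access is None:
            self._login()
        elif self._clock() >= self._expires_at - self._skew:
            try:
                self._store(self._get_token(grant_type="refresh_token",
                                            refresh_token=self._refresh))
            except Exception:
                # Refresh token rejected (expired, revoked, or past its refresh
                # window): fall back to a fresh password grant instead of failing.
                self._login()
        return self._access

    def headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token()}"}
```

With a live client, pass `es.security.get_token` as `get_token` and attach `session.headers()` to each request. The service password stays in memory only for the fallback path, and the bearer token is what every other call carries.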
