Hi,
I'm using AWS Cognito as the SSO authentication service for Kibana and my other web application. Everything seems to be working fine, but there is one issue. After logging in through Cognito, Kibana remains logged in as long as the browser is open. But if the user closes the browser and then comes back to access Kibana, they can do so only until 1 hour after the first login. After 1 hour, Kibana redirects the user to the Cognito login page. However, the user is able to access my other web application even 1 hour after the first login. I'm not sure what exactly is happening here. The Kibana docs say that the access token is valid for 20 minutes and the refresh token for 24 hours, and that Kibana will only redirect to the auth page after both tokens have expired. But here the user is being redirected after just 1 hour.
Elasticsearch and Kibana Version: 7.10.2
Configuration in elasticsearch.yml:
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
# OIDC realm settings live under xpack.security.authc.realms in elasticsearch.yml
xpack.security.authc.realms:
  oidc.cognito-oidc:
    order: 2
    rp.client_id: "<COGNITO_APP_CLIENT_ID>"
    rp.response_type: code
    rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
    op.issuer: "https://cognito-idp.us-east-1.amazonaws.com/<COGNITO_USER_POOL_ID>"
    op.authorization_endpoint: "<AUTH_DOMAIN>/oauth2/authorize"
    op.token_endpoint: "<AUTH_DOMAIN>/oauth2/token"
    op.jwkset_path: "https://cognito-idp.us-east-1.amazonaws.com/<COGNITO_USER_POOL_ID>/.well-known/jwks.json"
    op.endsession_endpoint: "<AUTH_DOMAIN>/logout?client_id=<COGNITO_APP_CLIENT_ID>&logout_uri=http://localhost:5601/security/logged_out"
    rp.requested_scopes: [profile, email, openid]
    claims.principal: email
    claims.groups: cognito:groups
Configuration in kibana.yml:
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: cognito-oidc
    description: "Log in with Cognito"
  basic.basic1:
    order: 1
xpack.security.authc.selector.enabled: false
server.xsrf.whitelist: [/api/security/oidc/callback]
In the Cognito user pool, the access token validity is set to 1 day.
Any help would be really appreciated.
Thank you!
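To see which token actually runs out at the one-hour mark, a first troubleshooting step is to decode the id and access tokens Cognito returns and compare their iat/exp claims, issuer and audience with the realm settings above. The following is an added example, not code from the post, Elastic or AWS: the sample token is constructed, the expected issuer and client id are the placeholders from the elasticsearch.yml in the post, and signature verification is intentionally skipped because this only inspects lifetimes.

```python
import base64
import json

# Placeholders taken from the realm configuration in the post above.
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/<COGNITO_USER_POOL_ID>"
EXPECTED_CLIENT_ID = "<COGNITO_APP_CLIENT_ID>"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this is for reading token lifetimes while
    troubleshooting, never for deciding whether a token is trustworthy.
    """
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def lifetime_report(token: str, now: int) -> dict:
    """Summarise how long a token lives and whether iss/aud match the realm."""
    claims = decode_jwt(token)
    # Cognito access tokens carry client_id; id tokens carry aud.
    audience = claims.get("aud") or claims.get("client_id")
    return {
        "token_use": claims.get("token_use"),
        "lifetime_s": claims["exp"] - claims["iat"],
        "remaining_s": claims["exp"] - now,
        "expired": now >= claims["exp"],
        "issuer_ok": claims.get("iss") == EXPECTED_ISSUER,
        "audience_ok": audience == EXPECTED_CLIENT_ID,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT (fake signature) for offline testing."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


# Constructed sample: an id token issued at t=1_700_000_000 with a 1-hour validity.
SAMPLE_ID_TOKEN = make_sample_token({
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_CLIENT_ID, "token_use": "id",
    "iat": 1_700_000_000, "exp": 1_700_003_600, "email": "user@example.com",
})

if __name__ == "__main__":
    print(lifetime_report(SAMPLE_ID_TOKEN, now=1_700_001_800))
```

Run it against the real id_token and access_token captured from the /oauth2/token response; a lifetime_s of 3600 on either one points at the token whose validity still needs changing in the user pool.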