AWS Cognito integration with Kibana

Hi,

I'm using AWS Cognito as SSO authentication service for Kibana and my other web application. Everything seems to be working fine but there is one issue. After log in through Cognito, Kibana remains logged in as long as browser is open. But if user closes the browser and then comes back to access kibana, they can do so only till 1 hour after first login. After 1 hour, Kibana redirects the user to Cognito login page. However user is able to access my other web application even after 1 hour of first login. I'm not sure what exactly is happening here. In Kibana docs, it says that access token is valid for 20 minutes and refresh token for 24 hours and Kibana will only try to redirect to auth page after both tokens have expired. But here just after 1 hour user is being redirected.

Elasticsearch and Kibana Version: 7.10.2

Configuration in elasticsearch.yml:

    xpack.security.enabled : true
    xpack.security.authc.token.enabled: true

    oidc.cognito-oidc:
        order: 2
        rp.client_id: "<COGNITO_APP_CLIENT_ID>"
        rp.response_type: code
        rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
        op.issuer: "https://cognito-idp.us-east-1.amazonaws.com/<COGNITO_USER_POOL_ID>"
        op.authorization_endpoint: "<AUTH_DOMAIN>/oauth2/authorize"
        op.token_endpoint: "<AUTH_DOMAIN>/oauth2/token"
        op.jwkset_path: "https://cognito-idp.us-east-1.amazonaws.com/<COGNITO_USER_POOL_ID>/.well-known/jwks.json"
        op.endsession_endpoint: "<AUTH_DOMAIN>/logout?client_id=<COGNITO_APP_CLIENT_ID>&logout_uri=http://localhost:5601/security/logged_out"
        rp.requested_scopes: [profile, email, openid]
        claims.principal: email
        claims.groups: cognito:groups

Configuration in kibana.yml:

    xpack.security.authc.providers:
        oidc.oidc1:
            order: 0
            realm: cognito-oidc
            description: "Log in with Cognito"
        basic.basic1:
            order: 1
    xpack.security.authc.selector.enabled: false
    server.xsrf.whitelist: [/api/security/oidc/callback]

In Cognito user pool, access token validity is set to 1 day.

Any help would be really appreciated.

Thank you!

Hey @diwakar_singh ,

Unfortunately, the fact that sessions stay active until the browser is closed is a known limitation. Please upvote the following issue if it's something you'd like us to improve in the future:

Best,
Oleg

Alright, thanks for the reply @azasypkin . Hope this is implemented soon.