Bypass kibana iframe authentication


I have a multitenant web application in which each user will have its own Kibana dashboard embeded in an iframe. I have set up users and roles in elasticsearch with the required priviledges for each user to only access its own dashboard. However the iframe prompt the kibana login page before loading, forcing the client to authenticate. I want to get rid of this.
I'm aware of the number of posts in this forum about it, but so far there is no satisfactory solution.

I have tried the following:

POST /api/security/v1/login HTTP/1.1
Host: <kibana_cloud_url>:9243
kbn-version: 7.7.0
Content-Type: application/json

When invoked from postman I get back an authentication cookie but when invoking it from my code in javascript I get the following error.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <kibana_cloud_url>:9243/internal/security/login. (Reason: CORS header 'Access-Control-Allow-Origin' missing)

According to this post Unable to perform login on kibana throught browser javascript api call
this is due to CORS not being enabled in Kibana.

Is there any update on that answer?

The other option I have come across is the reverse proxy, however I don't see how can I make that work with Kibana on the cloud and with the dynamic nature of my use case (I dynamically acquire the user credentials to authenticate the dashboard)

Help will be appreciated.


I think the common way to solve this right now is to use proxy in front of Kibana, see Auto-authenticating to iframe-embedded Kibana dashboard . Does that work for you?

Also copying @azasypkin for more inputs.


Hi @rashmi thanks for your reply.
I'm afraid the reverse proxy approach does not solve my problem. There are two main issues with that approach.
1- I'm using kibana in elastic cloud, how can I create a reverse proxy for it ?
2- My credentials are dynamically generated, I don't know them in advance so I can't put them in a static config.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.