Generate a security token using a admin token?

(Bo Gao) #1

I am trying to generate a security token when a user is logging in. It has been mentioned in the following documentation that "to generate a token" using a query, we need to include a valid "admin" token in the header.

However, any security token will expire after 24 hours, including the "admin" token. So the question is that how can we generate an admin token in the server side which will not expire? Probably I am using the wrong strategy to quest a user token using the admin token, but what will be the appropriate way to do this?


(Tim Vernum) #2

I didn't really follow your post.
Why exactly are you trying to generate a security token?

(Bo Gao) #3

Hi Tim,
Thanks for the reply. I should simplify my question more here. So I have tried the method on this page for requesting a security token,

However, this method does not work since it require an existing token to perform the request. Which means "we need a token to request a token". My question is that how can we remove this restriction, so we can directly request a token with user name and password only.


(Tim Vernum) #4

I'm genuinely curious about the reason you're trying to use the token API. A lot of the time when I get questions about how to use it, it turns out that it's not the right fit for the problem that the person wants to use it for.
If you do have a particular reason for wanting to use this API, then I'd love to understand what it is.

Reading between the lines, I think you are being thrown off course by the error message that Elasticsearch returns if you fail to provide authentication credentials for your request ("missing authentication token for REST request"). That error does not specifically refer to tokens from the token management API, it refers to any credentials. You could provide an oauth token, but you can also provide a username+password for native Elasticsearch or LDAP users, or a SSL PKI certificate.

(Pham Le Huy) #5

Hi Tim,
I'm currently stuck with the same problem as BO_GAO when I try to use the User Management APIs to create a new user. From my POV, in order to use those APIs, i have to somehow generate a token but I don't know exactly how. Could you give me any tips?
Thanks in advance

(Yogesh Gaikwad) #6

Try this with a user and it's password, you can generate a token for username password given in the request body.
This is one way to generate token:

For eg. I am using elastic user and it's password and I am generating token for user user1 and password pass1

curl -k -u elastic:password -H "Content-Type: application/json" -XPOST https://:9200/_xpack/security/oauth2/token -d '{"grant_type" : "password", "username" : "user1", "password": "pass1"}'

Instead of username password, you can even use token generated earlier if it is valid.

(Tim Vernum) #7

90% of the time when people think that they want to use the token management APIs, they are mistaken. Those APIs serve a very specific purpose, and are rarely the solution to the problem you have.

Please take a step back and describe what you are trying to do, and why you think the token management APIs will help with that.

(Pham Le Huy) #8

I'm trying to protect my Elastic clusters by using User Authentication feature in xpack. I choose native realm to handle my authentication process. So far I've follow this instruction:
Setting up native realm is fine for me, but when i try to use User Management APIs to manage my Native users (create, alter, delete), I ran into this error message

when trying to execute this:
curl -X POST "localhost:9200/_xpack/security/user/jacknich" -H 'Content-Type: application/json' -d'
"password" : "j@rV1s",
"roles" : [ "admin", "other_role1" ],
"full_name" : "Jack Nicholson",
"email" : "",
"metadata" : {
"intelligence" : 7
So i thought somehow i need to generate a token, correct me if i'm wrong since i'm very new to Elasticsearch let alone xpack, kibana and logstash

(Yogesh Gaikwad) #9

Hi @Le_Huy,

Looks like you are trying to create user 'jacknich' but you are not providing credentials(username and password) in curl request to describe who is creating user 'jacknich'.
The request is missing Authorization header.

Ex. curl invocation with credentials [-u elastic:password]:

curl -k -u elastic:password -H "Content-Type: application/json" -XPOST -d'
"password" : "j@rV1s",
"roles" : [ "admin", "other_role1" ],
"full_name" : "Jack Nicholson",
"email" : "",
"metadata" : {
"intelligence" : 7

Hope this helps.
Thanks, @TimV

Yogesh Gaikwad

(Pham Le Huy) #10

Hi @Yogesh_Gaikwad,
Thanks for the advice, I have successfully created a new user, much appreciated.

(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.