Get Kibana Cookie with Custom Realm

YanbangLiuUiPath · January 28, 2020, 3:31am

Is there a way to get Kibana session cookie with custom realm?

Right now I'm using Bearer token generated by ES for API calls in Kibana, but ultimately I want the users to be able to automatically login to their own kibana spaces. This wouldn't be practical if I cannot generate session cookie for the browser.

I have tried curl "localhost:5601/api/security/v1/login" -H 'Authorization: Bearer 86auAxZ6bV9SdktRdVNOR3ZzSjBRcWFPazln' -H 'kbn-xsrf: kibana' -X POST

And obviously it did not work because this api requires username and password
{"statusCode":400,"error":"Bad Request","message":""value" must be an object","validation":{"source":"payload","keys":["value"]}}

If there is a way to get cookies for custom realm please advice. If not then is there another way to automatically log users in Kibana?

Marius_Dragomir · January 29, 2020, 10:14am

My best suggestion would be to use the token API in ES to get the tokens. Most of Kibana's auth is based on ES. https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html

YanbangLiuUiPath · January 29, 2020, 5:36pm

I did get the token from the API you mentioned. That's exactly the one I used in the Authorization header. However, the current issue is that I want the cookies to be set in the browser so that each request sent by the users would not still require the same token in the header.

YanbangLiuUiPath · January 29, 2020, 11:16pm

In the documentation it says:

The session cookies that are issued by the token authentication provider are stateful, and logging out of Kibana invalidates the session cookies for reuse.

But how can I get the cookies? That's my question.

YanbangLiuUiPath · February 3, 2020, 5:41pm

Bump. I need an answer for this. At least I need to know if it is doable. Thanks.

virgilp · February 7, 2020, 11:59am

For the benefit of others: It's not doable. What the documentation says (in a somewhat misleading way) is that the Token authentication provider will save the access/refresh token in the session cookie - and signing out will also invalidate the tokens(meaning, if you signed in on the web & then signed out, the access token won't work anymore for API calls either).

BUT: the Token authentication provider still uses the user/pass credentials for sign in. The only difference between it & Basic is that Basic provider will save the user/pass in session cookie, so logging out will not invalidate bearer tokens (if Kibana was configured to log in with basic authentication).

Also, the list of providers in x-pack security plugin is constant as of the time of this response (7.5.3) - which means that one can't write a new provider. One can though write a full plugin & store the access/refresh tokens in the session cookie for the Token provider to perform the authentication for user session (or at least, that's the theory I'm working on right now).

YanbangLiuUiPath · February 10, 2020, 7:59pm

Thank you!

system · March 9, 2020, 8:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.