Get Kibana Cookie with Custom Realm

Is there a way to get Kibana session cookie with custom realm?

Right now I'm using Bearer token generated by ES for API calls in Kibana, but ultimately I want the users to be able to automatically login to their own kibana spaces. This wouldn't be practical if I cannot generate session cookie for the browser.

I have tried curl "localhost:5601/api/security/v1/login" -H 'Authorization: Bearer 86auAxZ6bV9SdktRdVNOR3ZzSjBRcWFPazln' -H 'kbn-xsrf: kibana' -X POST

And obviously it did not work because this API requires username and password:
{"statusCode":400,"error":"Bad Request","message":""value" must be an object","validation":{"source":"payload","keys":["value"]}}

If there is a way to get cookies for a custom realm, please advise. If not, then is there another way to automatically log users into Kibana?

My best suggestion would be to use the token API in ES to get the tokens. Most of Kibana's auth is based on ES. https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html

I did get the token from the API you mentioned. That's exactly the one I used in the Authorization header. However, the current issue is that I want the cookies to be set in the browser so that each request sent by the users would not still require the same token in the header.

In the documentation it says:

The session cookies that are issued by the token authentication provider are stateful, and logging out of Kibana invalidates the session cookies for reuse.

But how can I get the cookies? That's my question.

Bump. I need an answer for this. At least I need to know if it is doable. Thanks.

For the benefit of others: it's not doable. What the documentation says (in a somewhat misleading way) is that the Token authentication provider will save the access/refresh token in the session cookie, and signing out will also invalidate the tokens (meaning, if you signed in on the web and then signed out, the access token won't work anymore for API calls either).

BUT: the Token authentication provider still uses the user/pass credentials for sign in. The only difference between it & Basic is that Basic provider will save the user/pass in session cookie, so logging out will not invalidate bearer tokens (if Kibana was configured to log in with basic authentication).

Also, the list of providers in x-pack security plugin is constant as of the time of this response (7.5.3) - which means that one can't write a new provider. One can though write a full plugin & store the access/refresh tokens in the session cookie for the Token provider to perform the authentication for user session (or at least, that's the theory I'm working on right now).
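The behaviour described in this thread (a bearer-only POST to the login endpoint being rejected with a payload validation error, while a username/password login yields a stateful session cookie that later requests carry automatically) can be reproduced offline with a small mock. The following is an added example, not code from the thread, Kibana or Elastic; the mock server, the `/api/whoami` endpoint, the `sid` cookie name and the sample credentials are all constructed for illustration and do not reproduce Kibana's real request or cookie format.

```python
"""Mock of the login behaviour discussed in the thread (constructed, NOT Kibana).
The server rejects a bearer-only POST with the same 400 validation error the
thread quotes, and issues a server-side (stateful) session cookie only when a
JSON body with username and password is supplied."""
import json
import secrets
import threading
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

SESSIONS = {}  # session id -> username; server-side state, hence "stateful"


class MockKibanaHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, status, body, extra_headers=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/api/security/v1/login":
            return self._send(404, {"statusCode": 404, "error": "Not Found"})
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            payload = json.loads(raw) if raw else None
        except ValueError:
            payload = None
        if not isinstance(payload, dict) or not {"username", "password"} <= payload.keys():
            # Same shape as the validation error quoted in the thread
            return self._send(400, {"statusCode": 400, "error": "Bad Request",
                                    "message": '"value" must be an object',
                                    "validation": {"source": "payload", "keys": ["value"]}})
        sid = secrets.token_urlsafe(24)          # unguessable session id
        SESSIONS[sid] = payload["username"]      # no credential stored client-side
        return self._send(200, {"ok": True},
                          [("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")])

    def do_GET(self):
        if self.path != "/api/whoami":
            return self._send(404, {"statusCode": 404, "error": "Not Found"})
        sid = None
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                sid = value
        user = SESSIONS.get(sid)
        if user is None:
            return self._send(401, {"statusCode": 401, "error": "Unauthorized"})
        return self._send(200, {"username": user})


def start_server():
    """Run the mock on an ephemeral port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockKibanaHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def post_json(opener, url, body, headers):
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(url, data=data, method="POST", headers=headers)
    try:
        with opener.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def bearer_only_login(base):
    """The curl from the thread: bearer token, no body -> 400 on 'value'."""
    opener = urllib.request.build_opener()
    status, body = post_json(opener, base + "/api/security/v1/login", None,
                             {"Authorization": "Bearer <es-token-placeholder>",
                              "kbn-xsrf": "kibana"})
    return status, body["validation"]["keys"]


def password_login_then_reuse(base, username, password):
    """Log in with a JSON body, then reuse the cookie with no Authorization header."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    status, _ = post_json(opener, base + "/api/security/v1/login",
                          {"username": username, "password": password},
                          {"Content-Type": "application/json", "kbn-xsrf": "kibana"})
    with opener.open(base + "/api/whoami") as resp:  # cookie sent automatically
        who = json.loads(resp.read())
    return status, [c.name for c in jar], who["username"]


def whoami_without_cookie(base):
    """A request with neither cookie nor token is rejected."""
    try:
        with urllib.request.urlopen(base + "/api/whoami") as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    server, base_url = start_server()
    print(bearer_only_login(base_url))                        # (400, ['value'])
    print(password_login_then_reuse(base_url, "alice", "pw"))  # (200, ['sid'], 'alice')
    print(whoami_without_cookie(base_url))                     # 401
    server.shutdown()
```

The point the mock makes is the one in the answer above: a session cookie is minted by a password login and looked up in server-side state, so the bearer token alone never produces one, and any scheme that wants browser sessions without passing users a token on every request has to go through whatever login the provider actually accepts.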


Thank you!
