Is there a way to get Kibana session cookie with custom realm?
Right now I'm using a Bearer token generated by ES for API calls in Kibana, but ultimately I want the users to be able to automatically log in to their own Kibana spaces. This wouldn't be practical if I cannot generate a session cookie for the browser.
I have tried curl "localhost:5601/api/security/v1/login" -H 'Authorization: Bearer 86auAxZ6bV9SdktRdVNOR3ZzSjBRcWFPazln' -H 'kbn-xsrf: kibana' -X POST
And obviously it did not work because this API requires a username and password.
{"statusCode":400,"error":"Bad Request","message":""value" must be an object","validation":{"source":"payload","keys":["value"]}}
If there is a way to get cookies for a custom realm, please advise. If not, then is there another way to automatically log users in to Kibana?
I did get the token from the API you mentioned. That's exactly the one I used in the Authorization header. However, the current issue is that I want the cookies to be set in the browser so that each request sent by the users would not still require the same token in the header.
The session cookies that are issued by the token authentication provider are stateful, and logging out of Kibana invalidates the session cookies for reuse.
But how can I get the cookies? That's my question.
For the benefit of others: It's not doable. What the documentation says (in a somewhat misleading way) is that the Token authentication provider will save the access/refresh token in the session cookie - and signing out will also invalidate the tokens (meaning, if you signed in on the web & then signed out, the access token won't work anymore for API calls either).
BUT: the Token authentication provider still uses the user/pass credentials for sign in. The only difference between it & Basic is that Basic provider will save the user/pass in session cookie, so logging out will not invalidate bearer tokens (if Kibana was configured to log in with basic authentication).
Also, the list of providers in x-pack security plugin is constant as of the time of this response (7.5.3) - which means that one can't write a new provider. One can though write a full plugin & store the access/refresh tokens in the session cookie for the Token provider to perform the authentication for user session (or at least, that's the theory I'm working on right now).