Get Kibana Cookie with Custom Realm

Elastic Stack Kibana
1

Is there a way to get Kibana session cookie with custom realm?

Right now I'm using Bearer token generated by ES for API calls in Kibana, but ultimately I want the users to be able to automatically login to their own kibana spaces. This wouldn't be practical if I cannot generate session cookie for the browser.

I have tried curl "localhost:5601/api/security/v1/login" -H 'Authorization: Bearer 86auAxZ6bV9SdktRdVNOR3ZzSjBRcWFPazln' -H 'kbn-xsrf: kibana' -X POST

And obviously it did not work because this api requires username and password
{"statusCode":400,"error":"Bad Request","message":""value" must be an object","validation":{"source":"payload","keys":["value"]}}

If there is a way to get cookies for custom realm please advice. If not then is there another way to automatically log users in Kibana?

2

My best suggestion would be to use the token API in ES to get the tokens. Most of Kibana's auth is based on ES. https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html

3

I did get the token from the API you mentioned. That's exactly the one I used in the Authorization header. However, the current issue is that I want the cookies to be set in the browser so that each request sent by the users would not still require the same token in the header.

4

In the documentation it says:

The session cookies that are issued by the token authentication provider are stateful, and logging out of Kibana invalidates the session cookies for reuse.

But how can I get the cookies? That's my question.

5

Bump. I need an answer for this. At least I need to know if it is doable. Thanks.

6

For the benefit of others: It's not doable. What the documentation says (in a somewhat misleading way) is that the Token authentication provider will save the access/refresh token in the session cookie - and signing out will also invalidate the tokens(meaning, if you signed in on the web & then signed out, the access token won't work anymore for API calls either).

BUT: the Token authentication provider still uses the user/pass credentials for sign in. The only difference between it & Basic is that Basic provider will save the user/pass in session cookie, so logging out will not invalidate bearer tokens (if Kibana was configured to log in with basic authentication).

Also, the list of providers in x-pack security plugin is constant as of the time of this response (7.5.3) - which means that one can't write a new provider. One can though write a full plugin & store the access/refresh tokens in the session cookie for the Token provider to perform the authentication for user session (or at least, that's the theory I'm working on right now).

1 Like
7

Thank you!

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.