How do I insert a token into Kibana client HTTP request header

I want to set a custom HTTP header with a token that will be sent to the Kibana server.

I've been reading the code the past couple days and I see that there is a file in ui/public/chrome/api/xsrf.js that sets a XHR request header like
jqXHR.setRequestHeader('kbn-version', internals.version);

So - I pulled the code, built with Grunt, added a line to setRequestHeader my token and it doesn't seem to be working

Grepping thru the source tree - I'm not seeing other places where a setRequestHeader method is called and I'm wondering what I'm missing.

The idea is to implement the encrypted token pattern (used in xsrf) in session-less situations and use the token to authorise Kibana users who have logged into an auth server first. So conceptually this might be a nice light-weight way of authenticating users using a Kibana plugin.

But first I have to figure out how to put the token into a request header - which seemed simple enough...

Hm. If you want a lightweight authentication solution, I think you can't really get any more lightweight than using a proxy like nginx paired with basic authentication via htpasswd. If you need more than that, such as user roles and permissions to certain indices, there is the Shield plugin already.

Heah Thanks Tim!

I'm currently using nginx with basic authentication with htpasswd.
OK for small number of users but -

The problem is that users login to a portal and get authenticated - and in order to access Kibana they have to enter a Basic authentication (or other flow) which force the user to login twice which is a pain.

Since we have other applications that use OTT for "session-less" access,
my thinking was to leverage nginx like this:

user logs in to the auth server and gets an encrypted token
kibana client includes the token in the Ajax requests which go to nginx
nginx http_auth_request sends a sub request back to the auth server with the toekn
auth verifies the token and returns 201 to nginx and kibana gets the request

We don't need more granular role-based access at this stage and we cant afford Shield-level pricing...

So - the question is fairly specific - where do I tweak the Kibana client JS code to send a token in the XHR request.