I hoped that it would be possible to use a standard OAuth token, but from reading the documentation Elasticsearch only supports the Relying Party role (with the addition of a facilitator service account) and not a Resource Server role. This causes a number of issues with a typical SPA architecture, which would normally itself be the Relying Party/Client.
I was thinking that there are two options:
- Create a back-end API that queries Elasticsearch and returns the results to the browser. This feels like a waste of effort, but would work and be more secure.
- Allow anonymous read access to specific indices. This is suboptimal, as it's not always the case that anonymous access is acceptable.
Is there a better solution?
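As an added example that is not part of the original post, here is what the first option (a back-end API in front of Elasticsearch) looks like in its minimal form: the back end verifies the SPA's bearer token itself, decides which index the caller may read, and only then builds the Elasticsearch search request using credentials that never reach the browser. Everything below is assumed for illustration: the token is an HS256 JWT with a shared secret (a real deployment would verify the IdP's RS256 signature against its JWKS), the allowed indices are carried in an `idx` claim, the audience is `search-proxy`, and `ES_USER`/`ES_PASSWORD` are the back end's own Elasticsearch account. The endpoint `POST /<index>/_search` is the standard Elasticsearch search API.

```python
"""
Minimal token-checking back-end proxy in front of Elasticsearch (added example,
not code from the original post).

Assumptions (not from the original post):
  * The SPA sends the IdP-issued access token as `Authorization: Bearer ...`.
  * The token is an HS256 JWT signed with SHARED_SECRET; this keeps the example
    runnable with only the standard library. Production code would verify RS256
    against the IdP's JWKS instead.
  * The token carries an `idx` claim: the list of indices the subject may read.
  * The back end holds its own Elasticsearch credentials (ES_USER / ES_PASSWORD).
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

SHARED_SECRET = b"example-shared-secret"          # assumption: HS256 key shared with the IdP
EXPECTED_AUD = "search-proxy"                      # assumption: audience the IdP puts in tokens
ES_USER, ES_PASSWORD = "search-proxy", "proxy-password"  # assumption: back end's own ES account
ALLOWED_QUERY_TYPES = {"match", "match_all", "term", "multi_match"}  # assumption: query allowlist


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT. Only used here to construct sample tokens for the example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


class AuthError(Exception):
    pass


def verify_token(token: str, now: float = None, secret: bytes = SHARED_SECRET) -> dict:
    """Check algorithm, signature, expiry and audience; return the claims on success."""
    try:
        h, b, s = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":            # refuse alg=none and algorithm confusion
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(b))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise AuthError("wrong audience")
    return claims


def build_search_request(token: str, index: str, query: dict, now: float = None):
    """Authorize the caller for `index`, then build the request the back end sends to
    Elasticsearch. Returns (path, headers, body); the ES credentials stay server-side."""
    claims = verify_token(token, now=now)
    allowed = claims.get("idx", [])
    if index not in allowed:                    # exact match: no "*", "_all" or "a,b" from the client
        raise AuthError(f"subject {claims.get('sub')} may not read {index}")
    if len(query) != 1 or next(iter(query)) not in ALLOWED_QUERY_TYPES:
        raise AuthError("query type not allowed")
    path = f"/{urllib.parse.quote(index, safe='')}/_search"
    basic = base64.b64encode(f"{ES_USER}:{ES_PASSWORD}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/json"}
    body = json.dumps({"query": query, "size": 50})  # cap the page size server-side
    return path, headers, body


if __name__ == "__main__":
    # Constructed sample: alice may read "products" only.
    now = 1_700_000_000
    tok = issue_token({"sub": "alice", "aud": EXPECTED_AUD, "exp": now + 300, "idx": ["products"]})
    print(build_search_request(tok, "products", {"match_all": {}}, now=now))
    try:
        build_search_request(tok, "orders", {"match_all": {}}, now=now)
    except AuthError as e:
        print("denied:", e)
```

The point of the design is that the browser only ever holds the IdP token; the index restriction, the query-shape allowlist and the page-size cap are all enforced in the back end, so anonymous access to the indices is never needed and the Elasticsearch service credentials are never exposed to the client.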