Kibana 7.10 login issues

Since upgrading to Elastic Stack 7.10, I am now receiving the below error when attempting to POST to /internal/security/login:

[root@dev-node-01 ~]# curl -k  'https://127.0.0.1:5601/internal/security/login'  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'  -H 'Accept: application/json, text/javascript, */*; q=0.01'  -H 'Connection: keep-alive' --data 'username=***&password=***'
{
  "statusCode":400,
  "error":"Bad Request",
  "message":"[request body.providerType]: expected value of type [string] but got [undefined]"
}

I had a look at the changelog but couldn't see anything that could explain this.

Any ideas if this change is expected in the new version?

Running this command on previous versions produces an HTTP/1.1 204 No Content, which works.

Cheers,
Kev

Hey, as this is an internal API, changes in accepted payload are not considered breaking changes. Because of this it's possible they won't show up in the release notes.

I reached out to our security team to look into the issue.

Hey @KevSex,

Yeah, as @flash1293 already noted, it's an internal API and we reserve the right to make any breaking changes to it even though we try hard to not do that without a strong need.

Back to your original question, here is the definition of the request body schema:

schema.object({
  providerType: schema.string(),
  providerName: schema.string(),
  currentURL: schema.string(),
  params: schema.conditional(
    schema.siblingRef('providerType'),
    schema.oneOf([
      schema.literal(BasicAuthenticationProvider.type),
      schema.literal(TokenAuthenticationProvider.type),
    ]),
    basicParamsSchema,
    schema.never()
  ),
}),

So assuming you're using the default xpack.security.authc.providers config, your request should look like this:

POST https://localhost:5601/internal/security/login
Accept: application/json
Content-Type: application/json
kbn-xsrf: true

{
  "providerType": "basic",
  "providerName": "basic",
  "currentURL": "/",
  "params": { "username": "***", "password": "***" }
}

providerName is an arbitrary string and depends on how you configure Kibana; you can read more about this here.

We changed the API signature so that it can work with all authentication mechanisms Kibana supports now or will in the future.

Let me know if you have any other questions.

Best,
Oleg

Hi @azasypkin,

Thanks for the response.

Yes, I'm using the default authentication provider. I've updated the POST to include these; however, it now complains that body.params.username is undefined, yet they are clearly defined. See below:

Request

curl -k --request POST 'https://127.0.0.1:5601/internal/security/login?username=***&password=***' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--form 'providerType=basic' \
--form 'providerName=basic' \
--form 'currentURL=/'

Response

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "[request body.params.username]: expected value of type [string] but got [undefined]"
}

Cheers,
Kev

Well, username is a part of params and the body itself should be a JSON object, so --form and application/x-www-form-urlencoded won't work here. What you want is this:

curl 'https://localhost:5601/internal/security/login' \
  -H 'Accept: */*'  \
  -H 'Content-Type: application/json' \
  -H 'kbn-version: 8.0.0' \
  --data-raw '{"providerType":"basic","providerName":"basic","currentURL":"","params":{"username":"***","password":"***"}}'

By the way, the easiest way to get the right request is to just use browser dev tools:

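Added example (not part of the thread and not Kibana's code): a plain-JavaScript restatement of the request-body schema quoted above, run against constructed bodies shaped like the three requests in this thread, to show which field each one trips on. The function names, the 'basic'/'token' type literals, the wording of the `params` rejection message, and the assumption that basicParamsSchema requires string `username` and `password` are illustrative.

```javascript
// Assumption: 'basic' and 'token' stand in for BasicAuthenticationProvider.type
// and TokenAuthenticationProvider.type from the quoted schema.
const CREDENTIAL_PROVIDER_TYPES = ['basic', 'token'];

function typeName(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'Array' : typeof value;
}

// Error text follows the format of the 400 responses shown in the thread.
function requireString(obj, key, path) {
  if (typeof obj[key] === 'string') return null;
  return `[request body.${path}]: expected value of type [string] but got [${typeName(obj[key])}]`;
}

// Hypothetical helper: returns the first validation error, or null if accepted.
function validateLoginBody(body) {
  if (typeName(body) !== 'object') {
    return `[request body]: expected a JSON object but got [${typeName(body)}]`;
  }
  for (const key of ['providerType', 'providerName', 'currentURL']) {
    const err = requireString(body, key, key);
    if (err) return err;
  }
  if (CREDENTIAL_PROVIDER_TYPES.includes(body.providerType)) {
    // basicParamsSchema branch (assumed): params carries username and password.
    const params = typeName(body.params) === 'object' ? body.params : {};
    return requireString(params, 'username', 'params.username') ||
           requireString(params, 'password', 'params.password');
  }
  // schema.never() branch: other provider types must not send params.
  return body.params === undefined
    ? null
    : '[request body.params]: not allowed for this provider type';
}

// Constructed sample bodies, as decoded key/value fields, for the three requests.
const formEncodedAttempt = { username: '***', password: '***' };
const formFieldsAttempt = { providerType: 'basic', providerName: 'basic', currentURL: '/' };
const jsonRequest = {
  providerType: 'basic', providerName: 'basic', currentURL: '/',
  params: { username: '***', password: '***' },
};

const samples = { formEncodedAttempt, formFieldsAttempt, jsonRequest };
for (const [label, body] of Object.entries(samples)) {
  console.log(label, '->', validateLoginBody(body) ?? 'accepted');
}
```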