Environment:
- Elastic Cloud (Hosted)
- Kibana version: 8.x (Cloud managed)
- Browser: Chrome / Safari
- Frontend: Next.js app running on https://localhost:3000 (HTTPS with mkcert)
Problem:
I'm trying to embed a Kibana dashboard in an iframe using anonymous authentication.
Direct browser access works - Dashboard loads without login
iframe embedding fails - Continuous 401 Unauthorized loop
Error in browser console:
GET /internal/security/user_profile?dataPath=avatar,userSettings 401 (Unauthorized)
My Kibana Configuration:
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "my-frontend-user"
      password: "my-password"
xpack.security.sameSiteCookies: "None"
iframe Code:
<iframe
  src="https://deployment-id.asia-northeast123.gcp.cloud.es.io/app/dashboards?auth_provider_hint=anonymous1#/view/21718d8c-112b-4836-1233-a6d4612312303?embed=true&_g=(refreshInterval%3A(pause%3A!t%2Cvalue%3A60000)%2Ctime%3A(from%3Anow-15m%2Cto%3Anow))"
  height="600"
  width="800"
></iframe>
What I've Tried:
- Confirmed the anonymous1 provider appears in /internal/security/login_state
- Direct browser access works (anonymous auth is functional)
- Using HTTPS on localhost (mkcert certificates)
- Set xpack.security.sameSiteCookies: "None"
Questions:
- Is the 401 error caused by cookies not being sent in the cross-origin iframe context, even with SameSite=None? If so, is a reverse proxy the only secure solution?
- Are there any Elastic Cloud-specific configurations or features for securely embedding dashboards?