Kibana generate access_token without user credentials

I am looking for a way to use token-based authentication for Kibana to give end users the ability to use Kibana in an embedded iframe. Here is the flow that has worked for me:

1- use a system-level user with sufficient privileges to create a role for an end user with sufficient document-level access

2- use a system-level user with sufficient privileges to create a corresponding user in Elasticsearch and assign it to the role created in the previous step

3- use the credentials of the user created in step 2 to create an access_token and refresh_token

4- use the access_token to log in to Kibana

5- use the refresh_token to refresh the access_token whenever it expires.

My issue is with managing step 3: I need to maintain user credentials in the corresponding service. I was wondering if there is a way I can create an access_token and refresh_token without knowing the credentials for that user, just by using super_user credentials instead. I am open to any other suggestions if there is a better way of handling this problem.

You can try and set the validity of an access token to max (not sure exactly what it is now) and wait until we implement a method to do this. Right now you can't use a token to give permissions to another token unless you give them basically none.
I would look into using some kind of SAML/OpenID that does the token management itself. Or even better, PKI.

You can do something similar using the client_credentials grant, but it requires a few changes to your process, and it has a couple of flaws.

  1. As per your step 1, but the role you create will need manage_token cluster access.
  2. As per your step 2.
  3. Use run-as and the client_credentials grant to create a token as if you were the user from step 2, e.g.

     ```
     > curl -k -u elastic -H "es-security-runas-user: test" -X POST 'https://localhost:9200/_security/oauth2/token' -d '{ "grant_type": "client_credentials" }' -H "Content-Type: application/json"
     Enter host password for user 'elastic':
     {"access_token":"l+CwAxY0V1EtVHRlS1M5Q1gxR3FKUENmQnRB","type":"Bearer","expires_in":1200}
     ```

     However, the client_credentials grant doesn't give you a refresh token (see below).
  4. Use that access token to access Kibana.
  5. Since you don't have a refresh token, you need to repeat step 3 when the access token expires.

The issue is in step 1. You're giving this role access to create tokens, which ideally you wouldn't want. You can modify the role to remove that access after step 3, but then you'd have to add it back again in order to generate a new token in step 5.
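As an added example (not code from this thread or from Elastic), here is a small Python token manager that implements both flows discussed above: the original password-grant flow, which stores the refresh_token and uses it when the access token expires, and the run-as client_credentials flow from this reply, where no refresh token comes back so the whole token request is repeated on expiry (step 5 above). The host `https://localhost:9200`, the users `elastic` and `test`, and the names `ManagedToken`, `urllib_fetch` and `basic_auth_header` are assumptions; the transport and clock are injectable so the logic can be exercised without a cluster.

```python
"""Keep a Kibana-ready Elasticsearch access token alive for one end user.

Two ways of obtaining the token, matching the two flows in the thread:
  grant="password"            the end user's own credentials; the reply carries a
                              refresh_token, which is used when the token expires.
  grant="client_credentials"  a system user plus the es-security-runas-user header;
                              no refresh_token comes back, so the token request is
                              simply repeated when the token expires.
Assumed (hypothetical) values: Elasticsearch on https://localhost:9200, a system
user "elastic", an end user "test" whose role carries manage_token.
"""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

TOKEN_URL = "https://localhost:9200/_security/oauth2/token"  # assumed host

# Pluggable transport: (url, headers, json_body) -> parsed JSON reply.
Fetcher = Callable[[str, Dict[str, str], dict], dict]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic Authorization value, the same thing curl -u sends."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def urllib_fetch(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Real transport: POST a JSON document to Elasticsearch, return the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ManagedToken:
    def __init__(self, grant: str, *, auth_user: str, auth_password: str,
                 runas_user: Optional[str] = None, fetch: Fetcher = urllib_fetch,
                 clock: Callable[[], float] = time.monotonic,
                 url: str = TOKEN_URL, skew: float = 30.0):
        if grant not in ("password", "client_credentials"):
            raise ValueError(f"unsupported grant: {grant}")
        if grant == "client_credentials" and not runas_user:
            raise ValueError("client_credentials flow needs a runas_user")
        self.grant, self.runas_user = grant, runas_user
        self._auth = {"Authorization": basic_auth_header(auth_user, auth_password)}
        self._username, self._password = auth_user, auth_password
        self._fetch, self._clock, self._url, self._skew = fetch, clock, url, skew
        self._token: Optional[str] = None
        self._refresh: Optional[str] = None
        self._expires_at = 0.0
        self.requests_made = 0  # how many times the token API was called

    def _post(self, headers: Dict[str, str], body: dict) -> str:
        """Call the token API, validate the reply and remember token + expiry."""
        reply = self._fetch(self._url, {"Content-Type": "application/json", **headers}, body)
        if reply.get("type") != "Bearer" or "access_token" not in reply:
            raise RuntimeError(f"unexpected token response: {reply!r}")
        self.requests_made += 1
        self._token = reply["access_token"]
        self._refresh = reply.get("refresh_token")  # absent for client_credentials
        # Treat the token as expired `skew` seconds early to avoid racing the server.
        self._expires_at = self._clock() + float(reply["expires_in"]) - self._skew
        return self._token

    def _issue(self) -> str:
        """Step 3 of either flow: obtain a brand-new access token."""
        if self.grant == "password":
            body = {"grant_type": "password", "username": self._username,
                    "password": self._password}
            return self._post(self._auth, body)
        # Run-as: the system user asks for a token that belongs to the end user.
        headers = {**self._auth, "es-security-runas-user": self.runas_user}
        return self._post(headers, {"grant_type": "client_credentials"})

    def access_token(self) -> str:
        """Return a token that is still valid, renewing it if necessary."""
        if self._token is not None and self._clock() < self._expires_at:
            return self._token
        if self._refresh:
            # Original step 5: trade the refresh token for a new pair.
            body = {"grant_type": "refresh_token", "refresh_token": self._refresh}
            return self._post(self._auth, body)
        # No refresh token (client_credentials): repeat step 3 instead.
        return self._issue()

    def bearer_header(self) -> Dict[str, str]:
        """Header to put on requests that authenticate with the token."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

The `requests_made` counter makes the trade-off in this reply visible: with client_credentials the system user's credentials are exercised on every expiry, and the end user's role has to keep manage_token for that to keep working, whereas the password flow only needs the end user's credentials at the first call and renews through the refresh token afterwards.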

Thank you for your response. Does it mean that with the manage_token permission a user can create an unlimited number of tokens? For any other user or just for himself?

Yes

For any user for which he/she has credentials