I'm trying to figure out if my understanding of the implementation of OAuth2 in Kibana is correct. I've got an ES domain deployed on AWS with Cognito authentication via "Authorization code grant" flow.
My understanding of the flow is this:
- Browser requests https://kibana.url/_plugin/kibana
- Gets redirected to https://cognito.url/login?type=code&state=XXX&redirect_uri=https://kibana.url/_plugin/kibana
- User logs in to Cognito and gets redirected to https://kibana.url/_plugin/kibana/app/kibana/code=YYY&state=XXX
- Behind the scenes Kibana makes a POST request to https://cognito.url/oauth2/token sending the code and getting back an access token (+refresh token), which is then used to access ES?
The last step is totally unclear to me. Not sure if this request is done by JS code running in the client browser (which gets downloaded following the redirect in step 3) OR whether this request is done by the Kibana server on a separate channel.
Is there someplace where I can read more about this? I've looked in the OAuth 2.0 RFC but I don't know how Kibana decided to implement this RFC.
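To make the flow in the question concrete, here is an added in-memory model of the RFC 6749 section 4.1 authorization code grant. It is illustration code written for this page, not Kibana's, Cognito's or the AWS proxy's implementation, so it does not answer which component performs the last step in that deployment; the `AuthServer` and `Client` classes, the `demo()` helper and the `authserver.example` / `app.example` host names are all constructed placeholders. What it does show is the shape of the two channels: the front channel carries only `code` and `state` through the browser, while the token request carries the client secret, which is why in the RFC model that POST belongs to the confidential client (the server side of the application), and it shows the checks a defender expects on each side: `state` bound to the browser session and consumed once, the code single use, short lived and bound to the `redirect_uri` it was issued for.

```python
"""In-memory model of the OAuth 2.0 authorization code grant (RFC 6749, section 4.1).

Constructed example for illustration only: not Kibana, Cognito or AWS code.
Endpoint and parameter names follow RFC 6749; host names are placeholders.
"""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://authserver.example/oauth2/authorize"  # placeholder host
TOKEN_ENDPOINT = "https://authserver.example/oauth2/token"      # placeholder host
REDIRECT_URI = "https://app.example/callback"                    # placeholder host
CODE_TTL_SECONDS = 60  # authorization codes should be short lived


class AuthServer:
    """Constructed stand-in for the authorization server's two endpoints."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self._codes = {}  # code -> (user, redirect_uri, issued_at)

    def authorize(self, authz_url, user):
        """Front channel: user authenticates; server redirects back with code + state."""
        params = parse_qs(urlparse(authz_url).query)
        assert params["response_type"] == ["code"]
        assert params["client_id"] == [self.client_id]
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user, params["redirect_uri"][0], time.time())
        # The browser only ever sees the code and the client's own state value.
        return params["redirect_uri"][0] + "?" + urlencode(
            {"code": code, "state": params["state"][0]})

    def token(self, form):
        """Back channel: POST from the client server, authenticated with the client secret."""
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self._codes.pop(form.get("code"), None)  # single use: gone after first redemption
        if entry is None:
            return {"error": "invalid_grant"}
        user, redirect_uri, issued_at = entry
        if redirect_uri != form.get("redirect_uri") or time.time() - issued_at > CODE_TTL_SECONDS:
            return {"error": "invalid_grant"}  # redirect_uri mismatch or expired code
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600, "sub": user}


class Client:
    """Constructed confidential client (server-side application); the browser never sees the secret."""

    def __init__(self, server, client_id, client_secret):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.sessions = {}  # browser session id -> per-session data

    def start_login(self, session_id):
        """Step 1/2 of the question: build the redirect to the authorization endpoint."""
        state = secrets.token_urlsafe(16)  # unguessable, bound to this browser session
        self.sessions[session_id] = {"state": state}
        return AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                 "redirect_uri": REDIRECT_URI, "state": state})

    def callback(self, session_id, redirect_url):
        """Step 3/4: verify state, then redeem the code over the back channel."""
        params = parse_qs(urlparse(redirect_url).query)
        session = self.sessions.get(session_id)
        if session is None or params.get("state", [None])[0] != session.get("state"):
            return {"error": "state_mismatch"}  # CSRF / login-injection defence
        session.pop("state")  # state is single use as well
        tokens = self.server.token({"grant_type": "authorization_code", "code": params["code"][0],
                                    "redirect_uri": REDIRECT_URI, "client_id": self.client_id,
                                    "client_secret": self.client_secret})
        if "error" in tokens:
            return tokens
        session["access_token"] = tokens["access_token"]  # kept server side, never sent to the browser
        return {"user": tokens["sub"]}


def demo():
    """One login, then show that both the state and the code are single use."""
    server = AuthServer("demo-client", "demo-secret")  # constructed credentials
    client = Client(server, "demo-client", "demo-secret")
    authz_url = client.start_login("browser-A")
    redirect_back = server.authorize(authz_url, "alice")
    code = parse_qs(urlparse(redirect_back).query)["code"][0]
    first = client.callback("browser-A", redirect_back)
    state_replay = client.callback("browser-A", redirect_back)
    code_replay = server.token({"grant_type": "authorization_code", "code": code,
                                "redirect_uri": REDIRECT_URI, "client_id": "demo-client",
                                "client_secret": "demo-secret"})
    return {"first": first, "state_replay": state_replay, "code_replay": code_replay}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` completes one login for `alice`, then shows the second use of the same callback URL rejected at the client (`state_mismatch`) and the second redemption of the same code rejected at the token endpoint (`invalid_grant`). The wrong-secret path returns `invalid_client`, which is the property the question is circling: whichever component holds the client secret is the one that can make the token request.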