Map Tile Server and Authentication

Is it possible to utilise any sort of authentication with an external map tile server?

The end goal is simply:

  • Kibana, with a custom tile server
  • The tile server to be protected in some fashion

I have evaluated multiple auth methods. My current thoughts are:

  • Basic auth over HTTPS (presuming the browser will prompt once, and then either never prompt until failure or not prompt for remainder of session)
  • Using mTLS/client auth on tile server (combined with some sort of setting/policy to prevent browser prompt for client certificate selection)

As far as I can tell, Kibana's proxy-map-server feature only works with the Elastic Maps Service (and maybe self-hostable Elastic Maps Server).

Are the other options? Have I missed anything obvious?
I have found this post (#51344 Use external tile servers that require authentication) which is half of it, but suggests it can't be done with any actual Kibana-related features.

Note - the GitHub issue linked above is closed with the following, but I would disagree with it as it means your tile server serving your custom maps would need to be exposed!

For general purpose web-apps like Kibana, it's reasonable to expect that the tile-servers are not behind an authentication layer.

You are correct, there is no functionality for authentication with an external map server. Solution are there, like proxies or firewall configs and so on.
If you just want to test one without authentication, you can check the mundialis WMS.

1 Like

I don't have an instance to try this on currently, but do you know if it would work with Basic Authentication if the URL was entered as such?

To be clear, what if the map.tilemap.url setting was set with a value such as Would Kibana reject this URL, or would it feed this to the browser, and the browser would then create the connection?

My use case is that I do not care if my users are able to directly navigate to my tile server (as their browser would make the map connection) but I still want to protect it against random Internet users from discovering and (ab)using the service.

For the record, what I asked above is not possible - a TypeError occurs in the page script and the network request is never made.

Well - it's not wrong, it does indeed contain embedded credentials! I wonder if it'd just work if it didn't reject it (i.e. perhaps the browser would read it as intended).

Edit: Actually, I think the error message is from the browser (Firefox). I guess it just rejects it when it's from a different source?

Well, I guess that's the thread over then!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.