Using authentication api of kibana /api/security/v1/login returns 404 not found

I am running Kibana 7.7.1 on windows. I am trying to share kibana dashboard to external web app by embedding the iframe into my angular code. This approach has an issue of Kibana login prompt appearing everytime I visit the dashboard from my web app.

I found that appart from Kibana authentication api we can also use nginx for reverse proxy but I don't want to use it.

Also, I am not able to find /api/security/v1/login rest api in Kibana docs. Is this api removed or changed? Or there are some headers I need to attach?

I am making POST request to the above api with username and password in the request body and I am getting {"statusCode": 404, "error": "Not Found", "message":"Not Found"}

Hi @Ananya_Chaurasia,

The Login API is part of X-Pack and is not publicly supported, which is why it's not documented. It was renamed to /internal/security/login starting in Kibana 7.6.0 to better describe that it's unsupported and is only intended for internal usage. This can break with any release, so I wouldn't recommend depending on it.

Your best bet to embed Kibana this way right now is to use the proxy approach.

We also have an open enhancement issue to enable anonymous access in Kibana, which you may want to keep an eye on: https://github.com/elastic/kibana/issues/18331

Hope that helps!
-Joe

1 Like

Hi @jportner

This was helpful, thank you.
I was wondering if there is a way we can send api key instead of username and password. Is there any other endpoint supporting this?

Also, if I choose to use reverse proxy approach, will I be providing credentials or api key?

I hope I'm understanding your question correctly: You can't log in with an API key, but you can authenticate to Kibana by sending it in the header in each HTTP request if using a reverse proxy, for example.

See Kibana API keys documentation; note that if you don't specify role descriptors, the API key will have a point in time snapshot of permissions of the authenticated user. You will probably want to make sure such an API key has the minimal privileges to interact with that dashboard, nothing else.

If using a reverse proxy, you can either use Token-based authentication (HTTP Basic Authentication, which is encoded username/password) or API Key-based authentication. See the Kibana docs on API authentication for more information.

Best,
-Joe

1 Like

Okay I get that but I meant to ask is there any other rest api like the internal x-pack login api (which takes username and password in request body) that takes api key and returns cookie or anything that is required for dashboard to be displayed?

No. All I can recommend at this time is to keep an eye on the enhancement request linked above.

Best,
-Joe