In this post, Kibana 7.10 login issues, there is an example of using basic authentication to log in through the /internal/security/login API endpoint by using:
I tried setting "providersType" and "providersName" to "token" and using the keyword "token" instead of "username" and "password", but it returns 400 bad request in the Chrome web console. What are the keywords?
@azasypkin,
I'm using version 7.10.1 of the stack, Kibana is connected to cloud Elasticsearch hosted by https://elastic.co.
I'm loading dashboards in iFrames. The verification works, but the username and password are available in the HTML code. Using tokens, if possible, will improve security.
I'm using the index.html code from here, but the data object in the big brackets is replaced with the one in the link in the opening post of this topic:
According to the schema here, it should be possible to use tokens:
The fact is that it won't improve security, since you'll still have the token in this HTML and it's pretty much the same. Not to mention that the token is valid for max 1 hour. But why aren't you using the usual proxy setup that just stores credentials on the reverse proxy side, so that credentials are never exposed to the end user?
Also since 7.11 you'll be able to use anonymous access instead of Kibana + reverse proxy.
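A sketch of the reverse proxy setup suggested above, added here as an example and not posted by anyone in the thread. The hostname, certificate paths, upstream address and credential are placeholders, and it assumes Kibana accepts HTTP Basic credentials in the Authorization header.

```nginx
# Added example: the credential is stored on the proxy and never sent to the browser.
# Every name, path and address below is a placeholder.
server {
    listen 443 ssl;
    server_name dashboards.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    location / {
        # Assumed address of the Kibana instance behind the proxy.
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;

        # base64("user:password") of a dedicated Kibana user. Setting the
        # header here also replaces any Authorization header the client sends.
        proxy_set_header Authorization "Basic <BASE64_OF_USER_COLON_PASSWORD>";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Anyone who can reach this proxy acts as that Kibana user, so give the account a read-only role limited to the embedded dashboards and keep the file readable only by the nginx service account.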
I looked at the schema here: https://github.com/elastic/kibana/blob/v7.10.0/x-pack/plugins/security/server/routes/authentication/common.ts#L122-L135. I tried using the value token for providerType and it worked with the username and password. It seems that the keyword token can be used as a value for the type, but actual tokens can't be sent as parameters to the endpoint /internal/security/login. The code below works, but further changes to the parameter names or structure return Bad Request or Unauthorized.