Using tokens with the endpoint /internal/security/login for logging instead of basic authentication

In this post, Kibana 7.10 login issues, there is an example of using basic authentication to log in through the /internal/security/login API endpoint by using:

--data-raw '{"providerType":"basic","providerName":"basic","currentURL":"","params":{"username":"***","password":"***"}}'

I can generate tokens with:

curl -u username:password -X POST "localhost:9200/_security/oauth2/token" -H 'Content-Type: application/json' -d'
{"grant_type" : "client_credentials"}
'

I tried setting "providersType" and "providersName" to "token" and using the keyword "token" instead of "username" and "password", but it returns 400 bad request in the Chrome web console. What are the keywords?

Hey @DMinovski,

Can you tell me more about your use case and what you want to achieve? And what version of the Stack are you using?

It sounds like you can just use the Token authentication provider or HTTP authentication, but maybe your requirements are slightly different.

Best,
Oleg

@azasypkin,
I'm using version 7.10.1 of the stack, Kibana is connected to cloud Elasticsearch hosted by https://elastic.co.
I'm loading dashboards in iFrames. The verification works, but the username and password are available in the HTML code. Using tokens, if possible, will improve security.
I'm using the index.html code from here, but the data object in the big brackets is replaced with the one in the link in the opening post of this topic:

According to the schema here, it should be possible to use tokens:

The fact is that it won't improve security, since you'll still have the token in this HTML and it's pretty much the same. Not to mention that the token is valid for at most 1 hour. But why aren't you using the usual proxy setup, which just stores the credentials on the reverse proxy side so they are never exposed to the end user?

Also since 7.11 you'll be able to use anonymous access instead of Kibana + reverse proxy.

Best,
Oleg
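The reverse proxy setup mentioned above, as an added example that is not part of this thread: nginx sits in front of Kibana, the embedding page points its iframe at the proxy, and the Authorization header is added on the proxy so no credential ever appears in the page HTML. Assumed: Kibana listens on localhost:5601, Kibana's HTTP authentication provider is enabled (its default), and the hostname, certificate paths and API key are placeholders.

```nginx
# Added example (not from the thread): nginx reverse proxy in front of Kibana.
# Assumptions: Kibana on 127.0.0.1:5601; hostname, TLS paths and the API key
# value are placeholders to be replaced for a real deployment.
server {
    listen 443 ssl;
    server_name dashboards.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/dashboards.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/dashboards.key;  # placeholder path

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Kibana's HTTP authentication provider accepts this header on every
        # request, so the browser never calls /internal/security/login and the
        # credential lives only in this file on the proxy host.
        # proxy_set_header overwrites any Authorization header the client sent,
        # so an embedding user cannot substitute their own.
        # A scoped, revocable API key is preferable to the elastic superuser
        # password; the value is base64(id:api_key) from the ES create-key API.
        proxy_set_header Authorization "ApiKey <base64-encoded-key-placeholder>";
    }
}
```

Restrict the file permissions on this configuration (and on the key material it references) to the proxy's service account, since the proxy host now holds the only copy of the credential.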

I looked at the schema here, https://github.com/elastic/kibana/blob/v7.10.0/x-pack/plugins/security/server/routes/authentication/common.ts#L122-L135, and tried using the value token for providerType; it worked with the username and password. It seems that the keyword token can be used as a value for the type, but actual tokens can't be sent as parameters to the endpoint /internal/security/login. The code below works, but further changes to the parameter names or structure return Bad Request or Unauthorized.

{"providerType":"token","providerName":"basic","currentURL":"","params":{"username":"elastic","password":"******"}}
