I am using access tokens for an application, and am having trouble invalidating them for a logout action. I am using an API key to authorize the token requests themselves, with the password grant type to create tokens for each user. I can successfully get, refresh, and invalidate tokens individually using the token and refresh_token parameters in the invalidate token request.
However, I want to use the username parameter to invalidate any and all tokens for the user. When I attempt to do so, I receive a security_exception error:
action [indices:data/read/search] is unauthorized for user [API TOKEN CREATOR]
I am assigning the manage_token cluster privilege for the API key, and that is all that is required for everything other than using the username parameter. I've tried adding various index privileges including all privileges on all indices:
Create an API key with manage_token cluster privilege.
Use the API key to generate tokens using API POST _security/oauth2/token and grant_type as password
Use the same API key to invalidate the tokens for a user using DELETE _security/oauth2/token with the username parameter.
For now, the workaround would be to give access to .security* index names and set allow_restricted_indices to true. I will be cautious with this workaround as it allows the user to access other details from .security indices which contain confidential information.
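An added example (not code from the thread or from Elastic) that lays out the three requests from the steps above as plain request specs, puts the minimal manage_token role descriptor beside the reply's .security* workaround, and adds a small audit check that flags any API key role descriptor opening a restricted index. The key id/secret values are constructed, and the "read" index privilege is an assumption chosen to match the indices:data/read/search action in the error.

```python
import base64

# Constructed sample create-API-key response (not values from the thread).
SAMPLE_KEY_RESPONSE = {"id": "abc", "api_key": "xyz"}


def api_key_header(created: dict) -> str:
    """Authorization header for an Elasticsearch API key: 'ApiKey base64(id:api_key)'."""
    raw = f"{created['id']}:{created['api_key']}".encode()
    return "ApiKey " + base64.b64encode(raw).decode()


def token_role(with_security_index_workaround: bool = False) -> dict:
    """Role descriptor for the token-creating API key.
    manage_token alone covers get/refresh/invalidate by token value; invalidating
    by username also searches the .security index, which is what the workaround
    grants (the 'read' privilege here is an assumption, not from the thread)."""
    role = {"cluster": ["manage_token"]}
    if with_security_index_workaround:
        role["indices"] = [{
            "names": [".security*"],
            "privileges": ["read"],
            "allow_restricted_indices": True,
        }]
    return role


def create_api_key_request(name: str, role: dict) -> dict:
    return {"method": "POST", "path": "/_security/api_key",
            "body": {"name": name, "role_descriptors": {"token_role": role}}}


def password_grant_request(auth: str, username: str, password: str) -> dict:
    # Step 2 of the thread: token request authenticated with the API key.
    return {"method": "POST", "path": "/_security/oauth2/token",
            "headers": {"Authorization": auth},
            "body": {"grant_type": "password", "username": username, "password": password}}


def invalidate_user_tokens_request(auth: str, username: str) -> dict:
    # Step 3 of the thread: invalidate every token of one user by username.
    return {"method": "DELETE", "path": "/_security/oauth2/token",
            "headers": {"Authorization": auth},
            "body": {"username": username}}


def grants_restricted_indices(role: dict) -> bool:
    """Audit check: does this role descriptor open any restricted (system) index?"""
    return any(p.get("allow_restricted_indices") for p in role.get("indices", []))
```

Flagging API keys whose role descriptors return True from grants_restricted_indices is a cheap way to keep track of where the workaround has been applied until it can be removed.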
One quick follow up. I was trying an entirely different approach, and it seems like the run_as functionality also doesn't work when authenticating with an API key. Can you confirm that is the case?