I am using access tokens for an application, and am having trouble invalidating them for a logout action. I am using an API key to authorize the token requests themselves, with the password grant type to create tokens for each user. I can successfully get, refresh, and invalidate tokens individually using the token and refresh_token parameters in the invalidate token request.
However, I want to use the username parameter to invalidate any and all tokens for the user. When I attempt to do so, I receive a security_exception error:
action [indices:data/read/search] is unauthorized for user [API TOKEN CREATOR]
I am assigning the manage_token cluster privilege for the API key, and that is all that is required for everything other than using the username parameter. I've tried adding various index privileges including all privileges on all indices:
but I continue to get the same error. This is with version 7.3.0.
Thanks in advance.
I think you might be hitting a bug here.
Assuming this is what you are trying to do:
- Create an API key with the manage_token cluster privilege.
- Use the API key to generate tokens using the API POST _security/oauth2/token, and
- Use the same API key to invalidate the tokens for a user using DELETE _security/oauth2/token with the username parameter.
For now, the workaround would be to give access to the .security* index names and set allow_restricted_indices to true.
I would be cautious with this workaround, as it allows the user to access other details from the .security indices, which contain confidential information.
Hope this helps.
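The flow described in the answer above (an API key carrying manage_token, a password-grant user token from POST _security/oauth2/token, then invalidation of all of that user's tokens with DELETE _security/oauth2/token and the username parameter), together with the workaround role that adds .security* with allow_restricted_indices, as an added Python example that is not code from the thread or from Elastic. The cluster URL, the key name api-token-creator, the user alice and every response body are constructed for illustration; scripted_transport replays those constructed responses so the script runs offline, while urllib_transport would send the identical requests to a real cluster.

```python
import base64
import json
import urllib.error
import urllib.request

ES_URL = "https://localhost:9200"  # hypothetical cluster address

# Role the asker used: only the manage_token cluster privilege.
TOKEN_CREATOR_ROLE = {"cluster": ["manage_token"]}

# Workaround from the answer: additionally grant the restricted .security*
# indices. Kept to "read" and given to a dedicated key, since it exposes the
# credential data stored there.
TOKEN_CREATOR_ROLE_WORKAROUND = {
    "cluster": ["manage_token"],
    "indices": [{"names": [".security*"], "privileges": ["read"],
                 "allow_restricted_indices": True}],
}


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def scripted_transport(responses, log):
    """Offline transport: replays constructed responses in order and logs each request."""
    queue = list(responses)

    def send(method, url, headers, body):
        log.append((method, url, headers["Authorization"].split(" ")[0], body))
        return queue.pop(0)
    return send


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def api_key_auth(key_id, api_key):
    # API key Authorization header: "ApiKey " + base64("id:api_key")
    return "ApiKey " + base64.b64encode(f"{key_id}:{api_key}".encode()).decode()


class EsSecurityClient:
    def __init__(self, base_url=ES_URL, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def _call(self, method, path, auth, body=None):
        headers = {"Content-Type": "application/json", "Authorization": auth}
        return self.transport(method, self.base_url + path, headers, body)

    def create_api_key(self, admin_auth, name, role_descriptor):
        """Create an API key whose role descriptor is exactly `role_descriptor`."""
        status, body = self._call("POST", "/_security/api_key", admin_auth,
                                  {"name": name, "role_descriptors": {name: role_descriptor}})
        if status != 200:
            raise RuntimeError(f"create_api_key failed: {status} {body}")
        return api_key_auth(body["id"], body["api_key"])

    def create_user_token(self, key_auth, username, password):
        """Password grant, authenticated with the API key rather than the admin user."""
        status, body = self._call("POST", "/_security/oauth2/token", key_auth,
                                  {"grant_type": "password", "username": username,
                                   "password": password})
        if status != 200:
            raise RuntimeError(f"create_user_token failed: {status} {body}")
        return body["access_token"], body["refresh_token"]

    def invalidate_user_tokens(self, key_auth, username):
        """Logout: revoke every token issued to `username`."""
        status, body = self._call("DELETE", "/_security/oauth2/token", key_auth,
                                  {"username": username})
        if status == 403:
            # The thread's symptom: a security_exception, because the username
            # path searches .security, which manage_token alone does not cover.
            raise PermissionError(body.get("error", {}).get("reason", "forbidden"))
        return body["invalidated_tokens"]


def run_logout_flow(client, admin_auth, role):
    """Create the key, mint a token for alice, then revoke all of alice's tokens."""
    key_auth = client.create_api_key(admin_auth, "api-token-creator", role)
    access, _refresh = client.create_user_token(key_auth, "alice", "alice-password")
    invalidated = client.invalidate_user_tokens(key_auth, "alice")
    return {"access_token": access, "invalidated": invalidated}


# Constructed responses (not real cluster output): the happy path, and the
# 7.3.0 failure quoted in the question when the key lacks .security* access.
OK_RESPONSES = [
    (200, {"id": "constructed-key-id", "api_key": "constructed-key-secret"}),
    (200, {"access_token": "constructed-access-token", "type": "Bearer",
           "expires_in": 1200, "refresh_token": "constructed-refresh-token"}),
    (200, {"invalidated_tokens": 2, "previously_invalidated_tokens": 0, "error_count": 0}),
]
BUG_RESPONSES = OK_RESPONSES[:2] + [
    (403, {"error": {"type": "security_exception",
                     "reason": "action [indices:data/read/search] is unauthorized "
                               "for user [api-token-creator]"}}),
]

if __name__ == "__main__":
    log = []
    client = EsSecurityClient(transport=scripted_transport(OK_RESPONSES, log))
    print(run_logout_flow(client, basic_auth("elastic", "changeme"), TOKEN_CREATOR_ROLE_WORKAROUND))
    for entry in log:
        print(entry)
```

The request log shows the two things that matter for the thread: the token and invalidate calls carry an ApiKey header rather than the admin's Basic credentials, and the role descriptor sent when the key is created is where allow_restricted_indices has to appear. To run against a real cluster, construct the client with the default urllib_transport and pass basic_auth for a user allowed to create API keys.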
One quick follow up. I was trying an entirely different approach, and it seems like the run_as functionality also doesn't work when authenticating with an API key. Can you confirm that is the case?
That is expected behaviour: we do not support run_as when authenticated using a token or an API key.