Is it possible to use jwt for single sign on in kibana?


(Peter Skarmyr) #1

In my setup, when users access kibana the request goes through a reverse proxy which authenticates the user and adds a jwt header to the request. This jwt contains the username and the kibana roles of the user.
The jwt looks like this when decrypted:

{
  "sub": "user123",
  "iss": "https://www.example.com",
  "aud": "urn:liberty",
  "iat": 1549282285,
  "exp": 1549285885,
  "sess": "faf6d1e0-2875-11e9-a92b-005056826ed8",
  "groups": [
    "kibana_admin"
  ]
}

I have managed to get this working by putting the jwt in the url on the login page:

http://mydomain:5601/login?jwt=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

where xxxxxxxxxxxxxxxxxxxxxxx represents the jwt.

Is it possible to skip the login-form in ROR and grant access to kibana based on the jwt which is in the header instead of putting the jwt in the url?
So kind of like readonlyrest_kbn.proxy_auth_passthrough: true, but instead of using the username from X-Forwarded-For, ROR will use the roles in the jwt to decide what the user should have access to in kibana.

If not, what is the usecase for putting the jwt in the url? How will the user typically be logged into kibana in this scenario?

Thanks.


(Simone Scarduzio) #2

Yeah we recently added this feature, will hand you out a test build.


(Peter Skarmyr) #3

That would be great!

Thank you :smiley: