JWT with Kibana


(Paul) #1

Hi Simone

We would like to use ROR PRO in our use case but need to confirm that we can pass a JWT token when using ROR together with Kibana. I have read both the ES and Kibana docs, and only see reference to JWT being used with ES directly.

I also have the same question regarding using the External Basic Auth module of ROR too.

Are you able to advise?

Thanks - and keep up the great work.


(Simone Scarduzio) #2

Hello Paul,

In the current version of ROR Enterprise and PRO for Kibana:

  • There is no issue in using External Basic Auth. That’s because Kibana won’t know anything about whether ES will validate the HTTP Basic Auth credentials internally or externally.

  • Regarding the JWT: the credentials are now extracted and hashed in a specific endpoint used by our login form:

POST /login
{
  "username": "...",
  "password": "..."
}

But it’s quite easy to add this feature (pretty nice feature to have BTW), we can make it work during your trial period, which we can extend if necessary.


(Paul) #3

Hi, that is great. Let's get started with the trial.

We are currently passing https://kibana_server:5601/?jwtparam=. Will we be able to specify the parameter name?


(Simone Scarduzio) #4

Yeah that should probably be better like:

https://kibana_server:5601/login?jwtparam=XXX

Which will check the signature in the JWT using a shared secret (configured in kibana.yml) and set the encrypted cookie associated with the session.

From this moment the user name found in the JWT claims might simply travel in the X-Forwarded-User header all the way to Elasticsearch, which will be configured with the proxy_auth rule as described in the docs.

And yes we can make the parameter name configurable.

Yeah let’s get this trial started :)
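
The check described in #4 (verify the JWT signature against a shared secret, then take the user name from the claims), as an added example that is not from the thread or from ReadonlyREST's code. The `user` claim name, the required `exp` claim, and the function names are assumptions; the sample tokens are constructed.

```javascript
// Added example: HS256 verification of a JWT taken from a login URL parameter.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Helper for sample data only: mint a token as the upstream issuer would.
function signJwt(claims, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.createHmac('sha256', secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Returns the user name to forward, or null if the token must be rejected.
// paramName is configurable, as agreed in the thread; userClaim is an assumption.
function userFromLoginUrl(url, secret, paramName = 'jwtparam',
                          userClaim = 'user', now = Date.now()) {
  const token = new URL(url).searchParams.get(paramName);
  if (!token) return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm: the token never chooses it (rejects "none" and others).
  if (!header || header.alg !== 'HS256') return null;
  if (!claims || typeof claims !== 'object') return null;
  // Recompute the HMAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', secret)
    .update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // Assumption: tokens must carry an expiry (seconds since epoch).
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
  const user = claims[userClaim];
  return typeof user === 'string' && user.length > 0 ? user : null;
}
```

The returned name is the value that would travel in X-Forwarded-User. Elasticsearch should accept that header only from the Kibana host, because the proxy_auth rule trusts whatever name it carries.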