We would like to use ROR PRO in our use case but need to confirm that we can pass a JWT token when using ROR together with Kibana. I have read both the ES and Kibana docs, and only see reference to JWT being used with ES directly.
I also have the same question regarding using the External Basic Auth module of ROR too.
In the current version of ROR Enterprise and PRO for Kibana:
There is no issue in using External Basic Auth. That’s because Kibana won’t know anything about whether ES validates the HTTP Basic Auth credentials internally or externally.
Regarding the JWT: the credentials are now extracted and hashed in a specific endpoint used by our login form:
POST /login
{
"username": "...",
"password": "..."
}
But it’s quite easy to add this feature (pretty nice feature to have, BTW); we can make it work during your trial period, which we can extend if necessary.
Which will check the signature in the JWT using a shared secret (configured in kibana.yml) and set the encrypted cookie associated to the session.
From this moment the user name found in the JWT claims might simply travel in the X-Forwarded-User header all the way to Elasticsearch which will be configured with proxy_auth rule as described in the docs.
And yes we can make the parameter name configurable.
If the browser hits /logout (no query params needed) the Kibana server will delete all the session cookies.
In addition to this, there is a custom logout link feature that could be used to navigate the browser to the logout page of whatever external authentication system.
Thanks
I’ll take a look now… do I need to supply the rorCookie in the request header for this to work?
I am using ROR to authenticate via JWT and then embedding Kibana dashboards. This works great; however, the cookie is associated with the subdomain that the Kibana instance is behind. So when I issue a /logout from the parent (main application), the cookie is not present in the request header :-/
Sure, I can make a GET request to http(s)://<your_kibana_url>:5601/logout, but I have to make the request from the application that embeds the Kibana dashboard.
When a user clicks ‘logout’ in our applications menu (not Kibana), I am issuing a GET request to…
http(s)://<your_kibana_url>:5601/logout
However, that request doesn’t have the rorCookie available to it to send in the request headers. Are you saying the rorCookie doesn’t need to be sent along with the request? If so, how does ROR know which session to end?
The rorCookie needs to be deleted somehow. If you find a way to do it from the client side, ok. Otherwise an AJAX call to the ROR endpoint /logout should correctly instruct the browser to delete it.
I have an Express application that displays Kibana Dashboards inside an iFrame. Access to the dashboards is controlled by using the ROR plugin.
We log the user in on their behalf which sets a cookie on our-elk-stack.domain.com. The application is on a different subdomain: expressapp.domain.com.
When a user clicks ‘logout’ in our Express app’s menu, I need to send an AJAX request to our-elk-stack.domain.com:5601/logout in order to properly end the session. For this to work, the request must contain the rorCookie as a request header, otherwise ROR won’t know what session to end.
The cookie that ROR sets on the browser, sets the domain to our-elk-stack.domain.com, which means it is inaccessible from expressapp.domain.com. As such, I am unable to obtain and pass the rorCookie into the request headers when calling the logout endpoint.
How would you suggest this is handled? Can we change the domain when setting the rorCookie?
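An added illustration of the cookie scoping at issue in the post above (this is not a reply from the thread and not ROR code). It implements the RFC 6265 domain-match rule: a cookie without a Domain attribute is host-only and is returned only to the exact host that set it, while a cookie with Domain=domain.com is returned to that host and every subdomain of it; the port is not part of the rule. The browser applies this rule to the host of each request it makes, so a request aimed at the Kibana host carries the Kibana host's cookie whichever origin's page triggers it (subject to the request being sent with credentials and to SameSite). The hostnames are the constructed ones from the post.

```javascript
// Added example of RFC 6265 cookie domain matching; not ROR code. Hostnames are constructed.

// Domain attribute match: the request host equals the cookie domain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// Would the browser attach this cookie to a request for requestHost?
// hostOnly cookies (no Domain attribute in Set-Cookie) go only to the exact host that set them.
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatches(requestHost, cookie.domain);
}

// Given a list of hosts, return the ones that would receive the cookie.
function hostsReceiving(cookie, hosts) {
  return hosts.filter((h) => cookieSentTo(cookie, h));
}

// The two scopings discussed in the post, constructed here:
// a host-only cookie set by the Kibana host, and one widened to the parent domain.
const narrowCookie = { name: "rorCookie", domain: "our-elk-stack.domain.com", hostOnly: true };
const wideCookie = { name: "rorCookie", domain: "domain.com", hostOnly: false };

const sampleHosts = [
  "our-elk-stack.domain.com", // the Kibana host; the port (5601) plays no part in cookie scoping
  "expressapp.domain.com",    // the embedding app's host
  "other-team.domain.com",    // any sibling subdomain
  "evil-domain.com",          // not a subdomain of domain.com despite the suffix
];
```

Reading the output: the host-only cookie reaches only our-elk-stack.domain.com, which is exactly the host a /logout request targets, so that request would carry it if the browser sends credentials. Widening Domain to domain.com makes the same session cookie available to every subdomain, other-team.domain.com included, which is the exposure to weigh before changing it.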