JWT with Kibana

Hi Simone

We would like to use ROR PRO in our use case but need to confirm that we can pass a JWT token when using ROR together with Kibana. I have read both the ES and Kibana docs, and only see reference to JWT being used with ES directly.

I also have the same question regarding using the External Basic Auth module of ROR too.

Are you able to advise?

Thanks - and keep up the great work.

Hello Paul,

In the current version of ROR Enterprise and PRO for Kibana:

  • There is no issue in using External Basic Auth. That’s because Kibana won’t know anything about ES will validate the HTTP Basic Auth credentials internally or externally.

  • Regarding the JWT: the credentials are now extracted and hashed in a specific endpoint used by our login form:

POST /login 
 "username": "..." ,
 "password": "..."

But it’s quite easy to add this feature (pretty nice feature to have BTW), we can make it work during your trial period, which we can extend if necessary.

Hi, that is great. Lets get started with the trial.

We are currently passing https://kibana_server:5601/?jwtparam=, will we be able to specify the parameter name?

1 Like

Yeah that should probably be better like:


Which will check the signature in the JWT using a shared secret (configured in kibana.yml) and set the encrypted cookie associated to the session.

From this moment the user name found in the JWT claims might simply travel in the X-Forwarded-User header all the way to Elasticsearch which will be configured with
proxy_auth rule as described in the docs.

And yes we can make the parameter name configurable.

Yeah let’s get this trial started :slight_smile:

Bit late to the party but what’s the correct approach for logging a user out programmatically?

https://kibana_server:5601/logout?jwtparam=XXX ???


Hi @ann0nc0d3r, welcome to the forum :slight_smile:

If the browser hits /logout (no query params needed) the Kibana server will delete all the session cookies.

In addition to this, there is a custom logout link feature that could be used to navigate the browser to the logout page of whatever external authentication system.

Thanks :slight_smile:
I’ll take a look now… do I need to supply the rorCookie in the request header for this to work?

I am using ROR to authenticate via JWT and then embedding Kibana dashboards. This works great, however, the cookie is associated with the subdomain that the Kibana instance is behind. So when I issue a /logout, from the parent (main application), the cookie is not present in the request header :-/

when I say /logout I mean:

Which has to be the same URL that set the cookie in the first place. How can there be a difference?


Sure, I can make a GET request to http(s)://<your_kibana_url>:5601/logout, but I have to make the request from the application that embeds the Kibana dashboard.

When a user clicks ‘logout’ in our applications menu (not Kibana), I am issuing a GET request to…


However, that request doesn’t have the the rorCookie available to it to send in the request headers. Are you saying the rorCookie doesn’t need to be sent along with the request? If so, how does ROR know which session to end?

the rorCookie needs to be deleted somehow. If you find a way to do it from client side, ok. Otherwise an AJAX call to the ROR endpoint /logout should correctly instruct the browser to delete it.

Thanks @sscarduzio

I think I need to be clearer…

I have an Express application that displays Kibana Dashboards inside an iFrame. Access to the dashboards is controlled by using the ROR plugin.

We log the user in on their behalf which sets a cookie on our-elk-stack.domain.com. The application is on a different subdomain: expressapp.domain.com.

When a users clicks ‘logout’ in our Express app’s menu, I need to send an AJAX request to our-elk-stack.domain.com:5601/logout in order to properly end the session. For this to work, the request must contain the rorCookie as a request header, otherwise ROR won’t know what session to end.

The cookie that ROR sets on the browser, sets the domain to our-elk-stack.domain.com, which means it is inaccessible from expressapp.domain.com. As such, I am unable to obtain and pass the rorCookie into the request headers when calling the logout endpoint.

How would you suggest this is handled? Can we change the domain when setting the rorCookie?

Create an 1px iframe with src=our-elk-stack.domain.com/logout

Interesting… I’ll give it a go. Thanks again.

1 Like

You absolute diamond! Thanks @sscarduzio, that worked like a charm :slight_smile:

1 Like