Kibana behind GCP Identity Aware Proxy


(Alessandro De Maria) #1

Hi Simone,

do you have a complete example of how to integrate Kibana behind Google Identity Aware Proxy?

I tried to configure the JWT section to fit IAP Docs but:

  1. Their ES256 algorithm seems unsupported ([ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] ES256 KeyFactory not available)
  2. They seem to provide multiple signatures, not one.
  3. They don’t seem to document where their scopes would come from.

Is anybody else using it? Or is anybody else using any other approach?

Using the latest plugin with 5.6.9.

A working example would be great.

Regards
Alessandro


(Simone Scarduzio) #2

Hello Alessandro,

I reproduced this bug and am working with people from the jjwt library to find the best solution. Will update.


(Alessandro De Maria) #3

As an update, when testing it appears as if IAP is using different settings than what is in the documentation.

The actual header seems to be: GCP_IAAP_AUTH_TOKEN
The actual alg seems to be RS256

I wonder if the documentation is incorrect or I am doing something else wrong.


(Simone Scarduzio) #4

That’s interesting. Maybe Google Cloud folks can comment on this?


(Alessandro De Maria) #5

Sure, I will let you know.


(Alessandro De Maria) #6

I think my comment on GCP_IAAP_AUTH_TOKEN was a red herring.

Did you hear back re: ES256?


(Alessandro De Maria) #7

This issue suggests the signature itself is supported?


(Simone Scarduzio) #8

No, but I’m trying to make this work. Do you have an example ES256 private key in the format given out by Google Cloud?


(Alessandro De Maria) #9

Wouldn’t you need the public key, like in the list provided by the link on point 2 above? If not, I’ll try later from my laptop.


(Simone Scarduzio) #10

Ideally a private and public, to create and validate the token in the unit tests. But also a token and its public key will do.
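
Added example (not part of the thread, and not ReadonlyREST or jjwt code): a self-contained Node.js fixture for the unit-test case discussed in #10 and the multi-key list from point 2 of #1. It generates ES256 test key pairs, signs a token, and validates it against a key map selected by the header's `kid`. The key ids, audience and claims are constructed, and keying the list by `kid` is an assumption.

```javascript
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed test keys: one P-256 pair per made-up key id.
function makeKeySet(kids) {
  const priv = {}, pub = {};
  for (const kid of kids) {
    const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    priv[kid] = privateKey;
    pub[kid] = publicKey.export({ type: 'spki', format: 'pem' });
  }
  return { priv, pub };
}

// Sign a JWT with ES256. JWS uses the raw r||s signature (IEEE P1363), not DER.
function signEs256(claims, kid, privateKey) {
  const input = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT', kid })) + '.' + b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + sig.toString('base64url');
}

// Verify: pin the algorithm, pick the key by kid, check the signature,
// and only then trust the claims (exp and aud).
function verifyEs256(token, publicKeys, expectedAud, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  if (header.alg !== 'ES256') throw new Error('unexpected alg: ' + header.alg);
  const known = Object.prototype.hasOwnProperty.call(publicKeys, header.kid);
  if (!known) throw new Error('unknown kid');
  const sig = Buffer.from(parts[2], 'base64url');
  const ok = sig.length === 64 && crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: publicKeys[header.kid], dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  return claims;
}
```

Rejecting any `alg` other than the expected one before key lookup keeps a token's own header from choosing how it is verified.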