I think authentication is applicable both to GUI-based usage & API-based usage.
- For the Kibana GUI, the canonical way would be to trigger the authorization code flow to authenticate the user, and pass the acquired access token to the Elasticsearch API as a bearer token. Token refresh for longer sessions would need to be managed as well.
- For the Elasticsearch API, the access token should be verified. Usually this is passed as a bearer token. The token could come from Kibana, or from an API user who acquired it using one of the standard flows.
The standard defines the access token as opaque; in practice the token may be a JWT, in which case there’s no need to contact the IdP for introspection, as it can be verified cryptographically. If the token is not a JWT, it needs to be passed to the IdP introspection API. The token type depends on the issuing IdP.
In OIDC, the access token can be used to get a JWT known as the ID token, which then contains the actual user information, and quite often additional claims like groups.