Skip Login page for kibana

Hi, @sscarduzio @ld57
How to skip the login screen for kibana , and pass the credentials through Basic Authentication during POST request?
Like I want to share an Iframe link of Dashboard and want the user to call it through his application…
So I dont want the login page to appear again and want to pass the credentials from previous app…
I am using LDAP.

This is interesting to me as well. At present I’ve disabled the Kibana plugin to avoid the login page when doing passthrough auth, but that doesn’t seem like the best solution.

You need the Kibana plugin, you should make an HTTP call to the Kibana POST /login endpoint (with username and password), obtain the cookie in the response header, and then inject the iframe code in the page.

The alternative is modifying the Kibana plugin for reading credentials from the query parameters in the iframe embed code, which a) is not handy because you should edit manually each Kibana embed code. And b) you’d be copy-pasting around credentials.

Another option would be to implement an ACL in the Kibana plugin too, which is something that me and @ld57 have been talking about recently. This would unlock: user-specific url redirects and public url passthrough (like this).

Hi simone, @sscarduzio
I am following this
"You need the Kibana plugin, you should make an HTTP call to the Kibana POST /login endpoint (with username and password), obtain the cookie in the response header, and then inject the iframe code in the page."

I’m trying to get the cookie in the response header but I got the error “Request must contain kbn-xsrf header”.
I’m doing a web service who calls a kibana iframe.
What can I do?

The required value for that header is the kibana version i.e. “6.1.1”

Simone I got this, but I have Internal server error.
What can I do with this?

OK that’s progress, do you see errors in the Kibana logs?

cannot read property ‘username’ @sscarduzio

TypeError: Uncaught error Cannot read property ‘username’ of null at login (/usr/share/kibana/plugins/readonlyrest_kbn/server/routes/lib/auth.js:6:956)

yeah it’s because you are not passing the credentials to the API. Pass “username” and “password” fields via HTTP POST.

Simone, I think this is my last question :see_no_evil:

We got the cookies (rorCookie and username), and now we’re trying to request the URL Iframe
but if we use GET it only appears “Loading Kibana” and If we use POST we come back to the login session.
If we send with the Url Iframe the cookies, headers and credentials, we got "status code: 404, error: ‘Not Found’.
What can we do now ?
And thanks for all, @sscarduzio .

can you do this test:

  1. get the embeddable graph URL
  2. Run your ajax that logs in and gets the cookie
  3. paste the embeddable graph url in the browser address bar and verify it works (without iframes)

Do this with the chrome dev tools open on the network tab, and see if some request ends up in error.
Also check the JS console tab for JS errors.

Hello. How can I " Run your ajax that logs in and gets the cookie"? I am trying but something is missing. Can you help me?
Thank you.

What i meant is you could write some client side javascript to send a POST request to http://kibana_url:5601/login passing username and password as multipart/form-data.
The response to this call will have a header that will set the necessary rorCookie in the browser. After the login AJAX request is successful, you could append the <iframe src="..kibana graph embed.."> where required in the DOM.
For example using jQuery:

$.post( "/login", { username: "John", password: "xyz123" })
  .done(function( data ) {
     $( "#graphEmbedWrapper" ).append( '<iframe src="kibana_embed_graph" />' );

Something like that (I didn’t try the code myself).

I am trying to do a simple curl, but never skips the login of kibana, I never got the cookie in response.

curl -X POST
-H ‘Authorization: Basic dXNlcjE6dXNlcjE=’
-H ‘Content-Type: application/x-www-form-urlencoded’
-H ‘kbn-xsrf: reporting’

I am using the basic authentication. Is it correct?

Thank you,

No no, that’s the thing: the login page does not use basic auth, but a form submission!
In cURL terms, it would be -X POST --data 'username=francisca&password=xyz123'

Sorry, but it is still not working. Like this?

curl -X POST -H ‘kbn-xsrf: 6.5.4’ -H ‘kbn-version: 6.5.4’ --data ‘username=user1&password=user1’

Nothing more? This is always answering the login form of ReadOnlyRest.

This is my cURL that works:

12:20:35 [email protected]:~ $ cat  /tmp/x
curl -vvv  'http://localhost:5601/mzp/login'  \
-H 'kbn-xsrf: 6.5.4' \
-H 'kbn-version: 6.5.4' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'  \
-H 'Accept: application/json, text/javascript, */*; q=0.01'  \
-H 'Connection: keep-alive' \
--data 'username=rw&password=dev'

Testing it. See the cookie in the response headers!

12:20:33 [email protected]:~ $ bash /tmp/x
*   Trying ::1...
* Connection failed
* connect to ::1 port 5601 failed: Connection refused
*   Trying
* Connected to localhost ( port 5601 (#0)
> POST /mzp/login HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.54.0
> kbn-xsrf: 6.5.4
> kbn-version: 6.5.4
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Accept: application/json, text/javascript, */*; q=0.01
> Connection: keep-alive
> Content-Length: 24
* upload completely sent off: 24 out of 24 bytes
< HTTP/1.1 200 OK
< kbn-name: kibana
< kbn-xpack-sig: 5d98357d7f01b8b492b6abfe53bde54b
< vary: origin
< content-type: text/html; charset=utf-8
< set-cookie: rorCookie=Fe26.2**2184876ca568aef3d8530f2716ac499983530be5d8023a1b79f4634187ce0649*Lcs8vEGfnccEngO-PmPvnQ*3kfI9sqoWH-qR5NKBhMQrPi9gq-hQQ7TQHCC1Bjdm9iuS4iI-9vr9G9WxM6eL2Y5Ni_l8mBUZiPj4T2EJ4frMY039T4ls14DC9GiYey9GmUM5MfPf1t65W9VjN710VRKP32qHFeSpIkRzHJ2-BUZYbpSGo55MbV5ps72XXhxZ9Y1ZQ9HSqVP9H8X45BDYWK0vnvi7eCt1AiomDzLqagG663Hpc6dDDknDNpjX3t0OtieCPsbldqnc4xA81eGzm4kE4BAUHE1IsgniMaXTsH_2HvkPdI9revGv73atC1kYBQldbaN-WUO1xzAE3m7aTpAYZkIyhYMmcjle2gF5BCc8x1ktmHfZ0yUQTY9gIn1Dg4A_0Vg21fKM9_BJzr3Bl6wQInEQtb-hj8p0fNZ_VFVambz1yBBLVwKJja460CDNThBFWofuDfgUqzet-CzCA1vpwXKR1Zd0C6X9A2Xh8kG-nnYEY9Pxf12SGmXykon3YRr6QIzi9HoRU9fF3MUWSfxPCk9fh9OK08DudFPqIlGKoAlFcqK6gYgH4DJBfgkFadZaUTULPY3GfxVfv1gVFcS_pHik7uTFQz8nVAmTuLckdtysW42Ezuip3uXOQRneNustidFlevW4KIGtu6Gum6yJLkheeLyeiI2p9C_zfP_cA**e3da98b0068a09e212fb334212a8d89f712647d6051e894817a8a2f449bca0fe*3iIOOTnMzQNxYhJRWZ6SmTpbtZduZWvd9KzmMoVLDOY; Max-Age=259210; Expires=Sun, 10 Feb 2019 12:20:45 GMT; HttpOnly; Path=/
< cache-control: no-cache
< content-length: 44
< date: Thu, 07 Feb 2019 12:20:35 GMT
< Connection: keep-alive
* Connection #0 to host localhost left intact
<script> window.location = '/mzp/' </script>

Thank you!
Do you have any example of the GET request using the POST cookie? I am trying but no success yet, probably I am missing something.
Post request:

var data = “username=kibana&password=kibana”;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
});“POST”, “”);
xhr.setRequestHeader(“kbn-xsrf”, “6.5.4”);
xhr.setRequestHeader(“kbn-version”, “6.5.4”);
xhr.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded; charset=UTF-8”);
xhr.setRequestHeader(“Accept”, “application/json, text/javascript, /; q=0.01”);
xhr.setRequestHeader(“Connection”, “keep-alive”);


And GET request:

var data2 = null;

var xhr2 = new XMLHttpRequest();
xhr2.withCredentials = true;

xhr2.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
});“GET”, “!f%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cmode%3Aquick%2Cto%3Anow))”);
xhr2.setRequestHeader(“set-cookie”, xhr.getResponseHeader(‘set-cookie’));
xhr2.setRequestHeader(“kbn-xsrf”, “6.5.4”);
xhr2.setRequestHeader(“kbn-version”, “6.5.4”);
xhr2.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded; charset=UTF-8”);
xhr2.setRequestHeader(“Accept”, “application/json, text/javascript, /; q=0.01”);
xhr2.setRequestHeader(“Connection”, “keep-alive”);


Could you help me?
Thank you once again!

AFAIK when a server responds with a set cookie header, it will be saved by the browser and used in the subsequent requests towards the same server. So no need to explicitly set it in your requests.

Once the cookie is set after you do the AJAX post, you should be able to embed the iframe like you would normally do without authentication.

Careful though, first you do the AJAX post with the credentials. After the cookie is set, you modify the DOM by adding the kibana graph iframe DOM element via javascript.

Thank you so much for the help and I am sorry for insisting…

My code is:

<div id="graphEmbedWrapper"></div>
<iframe name="middle"  id="middle" noresize frameborder="0" marginwidth="0" marginheight="0" width="100%" height="238" scrolling="auto"></iframe>
<script src=""></script>
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "",
  "method": "POST",
  "headers": {
    "kbn-xsrf": "6.5.4",
    "kbn-version": "6.5.4",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Connection": "keep-alive",
    "cache-control": "no-cache",
    "Postman-Token": "f20d6d57-8db3-4c5d-98d0-58dd9692484f"
  "data": "username=kibana&password=kibana"
$.ajax(settings).done(function (data) {
 $( "#graphEmbedWrapper" ).append('<iframe height="600" width="800" src="!t%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cmode%3Aquick%2Cto%3Anow))"></iframe>');

The weird thing is: when I run this, the iframe appears trying to load the kibana, however, a few seconds after, a new tab opens with and then closes the previous windows (where was the iframe). Is this some property that I should define?

Thank you once again!