Skip Login page for kibana

(Simone Scarduzio) #5

The required value for that header is the kibana version i.e. “6.1.1”


Simone I got this, but I have Internal server error.
What can I do with this?

(Simone Scarduzio) #7

OK that’s progress, do you see errors in the Kibana logs?


cannot read property ‘username’ @sscarduzio

TypeError: Uncaught error Cannot read property ‘username’ of null at login (/usr/share/kibana/plugins/readonlyrest_kbn/server/routes/lib/auth.js:6:956)

(Simone Scarduzio) #9

yeah it’s because you are not passing the credentials to the API. Pass “username” and “password” fields via HTTP POST.


Simone, I think this is my last question :see_no_evil:

We got the cookies (rorCookie and username), and now we’re trying to request the URL Iframe
but if we use GET it only appears “Loading Kibana” and If we use POST we come back to the login session.
If we send with the Url Iframe the cookies, headers and credentials, we got "status code: 404, error: ‘Not Found’.
What can we do now ?
And thanks for all, @sscarduzio .

(Simone Scarduzio) #11

can you do this test:

  1. get the embeddable graph URL
  2. Run your ajax that logs in and gets the cookie
  3. paste the embeddable graph url in the browser address bar and verify it works (without iframes)

Do this with the chrome dev tools open on the network tab, and see if some request ends up in error.
Also check the JS console tab for JS errors.

(francisca) #12

Hello. How can I " Run your ajax that logs in and gets the cookie"? I am trying but something is missing. Can you help me?
Thank you.

(Simone Scarduzio) #13

What i meant is you could write some client side javascript to send a POST request to http://kibana_url:5601/login passing username and password as multipart/form-data.
The response to this call will have a header that will set the necessary rorCookie in the browser. After the login AJAX request is successful, you could append the <iframe src="..kibana graph embed.."> where required in the DOM.
For example using jQuery:

$.post( "/login", { username: "John", password: "xyz123" })
  .done(function( data ) {
     $( "#graphEmbedWrapper" ).append( '<iframe src="kibana_embed_graph" />' );

Something like that (I didn’t try the code myself).

(francisca) #14

I am trying to do a simple curl, but never skips the login of kibana, I never got the cookie in response.

curl -X POST
-H ‘Authorization: Basic dXNlcjE6dXNlcjE=’
-H ‘Content-Type: application/x-www-form-urlencoded’
-H ‘kbn-xsrf: reporting’

I am using the basic authentication. Is it correct?

Thank you,

(Simone Scarduzio) #15

No no, that’s the thing: the login page does not use basic auth, but a form submission!
In cURL terms, it would be -X POST --data 'username=francisca&password=xyz123'

(francisca) #16

Sorry, but it is still not working. Like this?

curl -X POST -H ‘kbn-xsrf: 6.5.4’ -H ‘kbn-version: 6.5.4’ --data ‘username=user1&password=user1’

Nothing more? This is always answering the login form of ReadOnlyRest.

(Simone Scarduzio) #17

This is my cURL that works:

12:20:35 [email protected]:~ $ cat  /tmp/x
curl -vvv  'http://localhost:5601/mzp/login'  \
-H 'kbn-xsrf: 6.5.4' \
-H 'kbn-version: 6.5.4' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'  \
-H 'Accept: application/json, text/javascript, */*; q=0.01'  \
-H 'Connection: keep-alive' \
--data 'username=rw&password=dev'

Testing it. See the cookie in the response headers!

12:20:33 [email protected]:~ $ bash /tmp/x
*   Trying ::1...
* Connection failed
* connect to ::1 port 5601 failed: Connection refused
*   Trying
* Connected to localhost ( port 5601 (#0)
> POST /mzp/login HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.54.0
> kbn-xsrf: 6.5.4
> kbn-version: 6.5.4
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Accept: application/json, text/javascript, */*; q=0.01
> Connection: keep-alive
> Content-Length: 24
* upload completely sent off: 24 out of 24 bytes
< HTTP/1.1 200 OK
< kbn-name: kibana
< kbn-xpack-sig: 5d98357d7f01b8b492b6abfe53bde54b
< vary: origin
< content-type: text/html; charset=utf-8
< set-cookie: rorCookie=Fe26.2**2184876ca568aef3d8530f2716ac499983530be5d8023a1b79f4634187ce0649*Lcs8vEGfnccEngO-PmPvnQ*3kfI9sqoWH-qR5NKBhMQrPi9gq-hQQ7TQHCC1Bjdm9iuS4iI-9vr9G9WxM6eL2Y5Ni_l8mBUZiPj4T2EJ4frMY039T4ls14DC9GiYey9GmUM5MfPf1t65W9VjN710VRKP32qHFeSpIkRzHJ2-BUZYbpSGo55MbV5ps72XXhxZ9Y1ZQ9HSqVP9H8X45BDYWK0vnvi7eCt1AiomDzLqagG663Hpc6dDDknDNpjX3t0OtieCPsbldqnc4xA81eGzm4kE4BAUHE1IsgniMaXTsH_2HvkPdI9revGv73atC1kYBQldbaN-WUO1xzAE3m7aTpAYZkIyhYMmcjle2gF5BCc8x1ktmHfZ0yUQTY9gIn1Dg4A_0Vg21fKM9_BJzr3Bl6wQInEQtb-hj8p0fNZ_VFVambz1yBBLVwKJja460CDNThBFWofuDfgUqzet-CzCA1vpwXKR1Zd0C6X9A2Xh8kG-nnYEY9Pxf12SGmXykon3YRr6QIzi9HoRU9fF3MUWSfxPCk9fh9OK08DudFPqIlGKoAlFcqK6gYgH4DJBfgkFadZaUTULPY3GfxVfv1gVFcS_pHik7uTFQz8nVAmTuLckdtysW42Ezuip3uXOQRneNustidFlevW4KIGtu6Gum6yJLkheeLyeiI2p9C_zfP_cA**e3da98b0068a09e212fb334212a8d89f712647d6051e894817a8a2f449bca0fe*3iIOOTnMzQNxYhJRWZ6SmTpbtZduZWvd9KzmMoVLDOY; Max-Age=259210; Expires=Sun, 10 Feb 2019 12:20:45 GMT; HttpOnly; Path=/
< cache-control: no-cache
< content-length: 44
< date: Thu, 07 Feb 2019 12:20:35 GMT
< Connection: keep-alive
* Connection #0 to host localhost left intact
<script> window.location = '/mzp/' </script>

(francisca) #18

Thank you!
Do you have any example of the GET request using the POST cookie? I am trying but no success yet, probably I am missing something.
Post request:

var data = “username=kibana&password=kibana”;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
});“POST”, “”);
xhr.setRequestHeader(“kbn-xsrf”, “6.5.4”);
xhr.setRequestHeader(“kbn-version”, “6.5.4”);
xhr.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded; charset=UTF-8”);
xhr.setRequestHeader(“Accept”, “application/json, text/javascript, /; q=0.01”);
xhr.setRequestHeader(“Connection”, “keep-alive”);


And GET request:

var data2 = null;

var xhr2 = new XMLHttpRequest();
xhr2.withCredentials = true;

xhr2.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
});“GET”, “!f%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cmode%3Aquick%2Cto%3Anow))”);
xhr2.setRequestHeader(“set-cookie”, xhr.getResponseHeader(‘set-cookie’));
xhr2.setRequestHeader(“kbn-xsrf”, “6.5.4”);
xhr2.setRequestHeader(“kbn-version”, “6.5.4”);
xhr2.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded; charset=UTF-8”);
xhr2.setRequestHeader(“Accept”, “application/json, text/javascript, /; q=0.01”);
xhr2.setRequestHeader(“Connection”, “keep-alive”);


Could you help me?
Thank you once again!

(Simone Scarduzio) #19

AFAIK when a server responds with a set cookie header, it will be saved by the browser and used in the subsequent requests towards the same server. So no need to explicitly set it in your requests.

Once the cookie is set after you do the AJAX post, you should be able to embed the iframe like you would normally do without authentication.

Careful though, first you do the AJAX post with the credentials. After the cookie is set, you modify the DOM by adding the kibana graph iframe DOM element via javascript.

(francisca) #20

Thank you so much for the help and I am sorry for insisting…

My code is:

<div id="graphEmbedWrapper"></div>
<iframe name="middle"  id="middle" noresize frameborder="0" marginwidth="0" marginheight="0" width="100%" height="238" scrolling="auto"></iframe>
<script src=""></script>
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "",
  "method": "POST",
  "headers": {
    "kbn-xsrf": "6.5.4",
    "kbn-version": "6.5.4",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Connection": "keep-alive",
    "cache-control": "no-cache",
    "Postman-Token": "f20d6d57-8db3-4c5d-98d0-58dd9692484f"
  "data": "username=kibana&password=kibana"
$.ajax(settings).done(function (data) {
 $( "#graphEmbedWrapper" ).append('<iframe height="600" width="800" src="!t%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cmode%3Aquick%2Cto%3Anow))"></iframe>');

The weird thing is: when I run this, the iframe appears trying to load the kibana, however, a few seconds after, a new tab opens with and then closes the previous windows (where was the iframe). Is this some property that I should define?

Thank you once again!

(francisca) #21

If I put in append a src like this, this page will open in the iframe as expected. But with a link to a dashboard, the weird thing happens. This is so strange.

(Simone Scarduzio) #22

Strange, are you able to open the dashboard link normally in another tab?

(francisca) #23

Yes, this never happened. When I put this link in an iframe and introduce manually the credentials, this does not happen.

(Simone Scarduzio) #24

Any logs in Kibana or ES?