JWT param not working on embedded iframe?

Hi, I’m authenticating to Search Guard using JWT. Now, when I hit a URL like


Then it actually works, and I seem to be properly authenticated to Kibana. Yay!

However, when I try to embed a dashboard as an iFrame in my site, I also add the jwtparam field to my request, but the request now takes the following shape:


And this tells me that my token is invalid! Boo.

So basically, my JWT token is refused when sent as a parameter to the dashboard. Is this expected behaviour? Is there some kind of workaround? I’m simply trying to embed a dashboard in my site without triggering an obvious sign-on process. Seems like embedding the token in the iFrame’s URL is the way, but I could stick it in the Auth header - or is there something I’m missing?

I should add:

Kibana: 6.4.2-17

Elasticsearch: 6.4.2-23.2

Help with this would be greatly appreciated!

Any guidance on this would be great - does the following link apply to my question too?


Seems to do the trick! So I just had to put the jwtparam on the app/kibana section of the URL, now auth is apparently fine!

It seems I got lucky as all hell?
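
The fix reported above (moving `jwtparam` onto the `app/kibana` part of the URL), shown as an added example that is not part of the original thread. It assumes the rejected URL carried the parameter after the `#`, where the browser keeps it in the fragment and never sends it to the server; the hostname, dashboard id, token and function names are constructed for illustration.

```javascript
// Added example (not from the original thread). Hostname, dashboard id and
// token in the sample URLs are constructed placeholders.

// Put the JWT query parameter in the part of the URL that is sent to the
// server (before '#') and strip any copy left in the client-side route.
function placeJwtParam(dashboardUrl, token, paramName = 'jwtparam') {
  const url = new URL(dashboardUrl);

  // Kibana 6.x routes look like "#/dashboard/<id>?embed=true&_g=()".
  // Everything after '#' is the fragment: the browser never transmits it,
  // so a server-side auth plugin cannot read a token placed there.
  const hash = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const q = hash.indexOf('?');
  let route = hash;
  if (q !== -1) {
    // Keep the route's own parameters untouched, drop only the JWT one.
    const kept = hash.slice(q + 1).split('&')
      .filter((pair) => pair.split('=')[0] !== paramName);
    route = hash.slice(0, q) + (kept.length ? '?' + kept.join('&') : '');
  }

  url.searchParams.set(paramName, token); // real query string, before '#'
  url.hash = route;
  return url.toString();
}

// What the server actually receives in the request line for a given URL.
function serverVisiblePart(u) {
  const url = new URL(u);
  return url.pathname + url.search;
}

// Constructed sample: parameter appended to the end of the embed URL.
const misplaced =
  'https://kibana.example.test/app/kibana#/dashboard/abc?embed=true&jwtparam=aaa.bbb.ccc';
console.log(serverVisiblePart(misplaced));              // no token reaches the server
console.log(placeJwtParam(misplaced, 'aaa.bbb.ccc'));   // token moved before '#'
```

A token carried in a URL is recorded in browser history, proxy and web-server access logs, and can leak through the `Referer` header, so keep its lifetime short and its permissions limited to the embedded dashboard.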