"searchguard_authentication" cookie remains hanging in the browser

Hi,
When kibana UI is accessed through our application it opens in new tab it creates a cookie with name “searchguard_authentication”. when we are logging out and attempting a new login the browser will show a sign in pop up window (refer to the below screenshot) while opening kibana to the new tab.
The issue is that after logging out from the system the first time, the cookie “searchguard_authentication” remains hanging.
image1

Note : if we try to login to kibana directly (not via our application), then after logout kibana removes this cookie.

The problem is that the cookie is flagged as “HttpOnly” which means that is not searchable with angular / javascript and it is only visible in the browser.so we are unable to delete it.
which means that the cookie must not be flagged as “HttpOnly”.

The question is there any way out so that we could let kibana create a non-HttpOnly “searchguard_authentication” cookie so that we could access the cookie during logout and delete it off ?

Hi.

Note : if we try to login to kibana directly (not via our application), then after logout kibana removes this cookie.

Can you tell more about your application and the way it is integrated with Kibana, Elasticsearch, and Search Guard?

I need the following config files to better understand the issue: sg_config.yml, elasticsearch.yml, and kibana.yml. Don’t forget to obfuscate credentials!

Allowing non-HttpOnly cookies makes the system vulnerable to XSS attacks. https://owasp.org/www-community/HttpOnly A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated.

Hi @srgbnd
About the application - application web-client has a button and when it is clicked, browser opens Kibana in a new tab in the browser.this is how they are integrated. Normally Kibana does not ask for a second authentication, since the user is authenticated already with keycloak during login to application web-client.

Searchguard configmap as below:

  sg_config.yml: |-
    ---
    _sg_meta:
      type: "config"
      config_version: 2
    sg_config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            internalProxies: '.+'

        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: "basic"
              challenge: false   # Set this to false when keycloak authentication is enabled
            authentication_backend:
              type: "intern"
          keycloak_auth_domain:
            http_enabled: true  # Set to true to enable keycloak authentication
            transport_enabled: true
            order: 1
            http_authenticator:
              type: keycloak
              challenge: false
              config:
                username_key: preferred_username
                roles_key: roles
                keycloak_connect_url: https://IP:port/auth/realms/master/.well-known/openid-configuration
                client_id: clientid
                client_secret: XXXX
            authentication_backend:
                type: noop
          proxy_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 3
            http_authenticator:
              type: "proxy"
              challenge: false
              config:
                user_header: "x-proxy-user"
                #roles_header: "x-proxy-roles"
            authentication_backend:
              type: "noop"
          clientcert_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              challenge: false
              type: "clientcert"
              config:
                username_attribute: "cn"
            authentication_backend:
              type: "noop"

Kibana configmap as below:

  kibana.yml: |-
    ---
    # Donot change sever name and host. This is default configuration.
    server.name: kibana
    server.customResponseHeaders: { "X-Frame-Options": "DENY" }
    csp.strict: true
    #Enable server.ssl.supportedProtocols when SG is enabled.
    #server.ssl.supportedProtocols: ["TLSv1.2"]
    #searchguard cookie can be secured by setting the below parameter to true. Uncomment it when SG is enabled.
    #searchguard.cookie.secure: true
    # Whitelist basic headers and multi tenancy header
    ##elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
    # uncomment below section for keycloak authentication and provide required correct parameters
    searchguard.auth.type: "openid"
    searchguard.openid.connect_url: "https://IP:port/auth/realms/master/.well-known/openid-configuration"
    searchguard.openid.client_id: "clientid"
    searchguard.openid.client_secret: "XXXX"
    searchguard.openid.header: "Authorization"
     ### for kibana service on ingress port is not required
    searchguard.openid.base_redirect_url: "https://IP:port"
     ### Do not change root_ca file path as this is the default mount path.
    searchguard.openid.root_ca: "/path/keycloak-root-ca.pem"
    searchguard.openid.verify_hostnames: false
	

Also can you provide little more details about this approach - A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated.

Please let me know in case you require more details from my end.
Thanks

Hi.
What version of Kibana do you use?

As far as I understand everything works if you use Kibana directly. But it doesn’t work as you expect when you open Kibana from your application. Right?

You expect the system to work in the following way (correct me if I’m wrong):

  1. A user visits your app.
  2. The user clicks a button.
  3. New tab is opened with Keycloak login page.
  4. The user submits credentials and is redirected to Kibana.
  5. The user logouts from Kibana.
  6. The user wants to access Kibana again. Go to step 1.

Hi @srgbnd

  1. Kibana version used - 7.8.0

  2. As far as I understand everything works if you use Kibana directly. But it doesn’t work as you expect when you open Kibana from your application. Right? <Yes , right>

  3. Also we expect the system to work in this way-

    1. A user visit the app.
    2. The user is redirected to keycloak, after successful authentication, our app loads.
    3. The user clicks a button , then Kibana UI opens in a new tab (no second keycloak authentication is needed)
    4. Then the user logs out.
    5. After attempting a second login, the user fails due to the “searchguard_authentication” cookie that remains hanging.(The prompt screen appeared is attached in the screen shot)
      why does this cookie remains hanging? because I should delete it during log out
      But we cannot delete it on our own because the cookie has HttpOnly = true.

Hi,

According to your sg_config you’re using “type:keycloak”. Is that what you have in your production node?

1 Like

How did you find that the cookie is not cleared? Looking at the code, I see that the SG authentication cookie is cleared in the first instruction in the logout route handler function, look


You can verify that the cookie was cleared if you put console.log(request.headers) before this line https://git.floragunn.com/search-guard/search-guard-kibana-plugin/-/blob/v7.8.0-42.0.0/lib/auth/types/AuthType.js#L202

Did you put the IP address of Keycloak or your application for searchguard.openid.base_redirect_url option?

Did the integration work before? If it worked before, what set of actions could cause the issue?

Enable debug in the Search Guard Kibana plugin and send the logs.
kibana.yml

searchguard.auth.debug: true

Also, send the Elasticsearch log, better with the JWT debug enabled
elasticsearch/config/log4j2.properties

logger.sg.name = com.floragunn.dlic.auth.http.jwt
logger.sg.level = trace

Hi @srgbnd

After logging out from our application , when visited the browser, we could see the cookie remain uncleared . please refer this screen shot.

As informed earlier ,the issue is not observed when we access kibana (Not through our application), the cookie gets deleted automatically during logout.

However, the problem we are facing with our application is that the cookie is flagged as “HttpOnly” which means that is not searchable with angular / javascript and it is only visible in the browser . Therefore, we are unable to delete it.

The question is there any way out so that we could let kibana create a non-HttpOnly “searchguard_authentication” cookie so that we could access the cookie during logout and delete it off ?

Will share the required logs soon once i have them.
Thanks