Hi,
When the Kibana UI is accessed through our application it opens in a new tab and creates a cookie named “searchguard_authentication”. When we log out and attempt a new login, the browser shows a sign-in pop-up window (refer to the screenshot below) while opening Kibana in the new tab.
The issue is that after logging out from the system the first time, the cookie “searchguard_authentication” remains hanging.
Note: if we try to log in to Kibana directly (not via our application), then after logout Kibana removes this cookie.
The problem is that the cookie is flagged as “HttpOnly”, which means it is not accessible from Angular / JavaScript and is only visible in the browser, so we are unable to delete it.
This means that the cookie must not be flagged as “HttpOnly”.
The question is: is there any way to let Kibana create a non-HttpOnly “searchguard_authentication” cookie so that we could access the cookie during logout and delete it?
Can you tell more about your application and the way it is integrated with Kibana, Elasticsearch, and Search Guard?
I need the following config files to better understand the issue: sg_config.yml, elasticsearch.yml, and kibana.yml. Don’t forget to obfuscate credentials!
Allowing non-HttpOnly cookies makes the system vulnerable to XSS attacks.
HttpOnly | OWASP Foundation
A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated.
Hi @srgbnd
About the application: the application web client has a button, and when it is clicked the browser opens Kibana in a new tab. This is how they are integrated. Normally Kibana does not ask for a second authentication, since the user is already authenticated with Keycloak during login to the application web client.
```yaml
kibana.yml: |-
  ---
  # Do not change server name and host. This is the default configuration.
  server.name: kibana
  server.customResponseHeaders: { "X-Frame-Options": "DENY" }
  csp.strict: true
  # Enable server.ssl.supportedProtocols when SG is enabled.
  #server.ssl.supportedProtocols: ["TLSv1.2"]
  # The Search Guard cookie can be secured by setting the parameter below to true. Uncomment it when SG is enabled.
  #searchguard.cookie.secure: true
  # Whitelist basic headers and the multi-tenancy header
  ##elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
  # Uncomment the section below for Keycloak authentication and provide the required correct parameters
  searchguard.auth.type: "openid"
  searchguard.openid.connect_url: "https://IP:port/auth/realms/master/.well-known/openid-configuration"
  searchguard.openid.client_id: "clientid"
  searchguard.openid.client_secret: "XXXX"
  searchguard.openid.header: "Authorization"
  ### For the Kibana service on ingress the port is not required
  searchguard.openid.base_redirect_url: "https://IP:port"
  ### Do not change the root_ca file path as this is the default mount path.
  searchguard.openid.root_ca: "/path/keycloak-root-ca.pem"
  searchguard.openid.verify_hostnames: false
```
Also, can you provide a little more detail about this approach: “A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated.”
Please let me know in case you require more details from my end.
Thanks
As far as I understand everything works if you use Kibana directly. But it doesn’t work as you expect when you open Kibana from your application. Right?
You expect the system to work in the following way (correct me if I’m wrong):
1. A user visits your app.
2. The user clicks a button.
3. A new tab is opened with the Keycloak login page.
4. The user submits credentials and is redirected to Kibana.
5. The user logs out of Kibana.
6. The user wants to access Kibana again. Go to step 1.
As far as I understand everything works if you use Kibana directly. But it doesn’t work as you expect when you open Kibana from your application. Right? <Yes, right>
Also, we expect the system to work in this way:
1. A user visits the app.
2. The user is redirected to Keycloak; after successful authentication, our app loads.
3. The user clicks a button, then the Kibana UI opens in a new tab (no second Keycloak authentication is needed).
4. Then the user logs out.
5. After attempting a second login, the user fails due to the “searchguard_authentication” cookie that remains. (The prompt screen that appears is attached in the screenshot.)
Why does this cookie remain? Because I should delete it during logout.
But we cannot delete it on our own because the cookie has HttpOnly = true.
How did you find that the cookie is not cleared? Looking at the code, I see that the SG authentication cookie is cleared in the first instruction of the logout route handler function, look
As mentioned earlier, the issue is not observed when we access Kibana directly (not through our application); the cookie gets deleted automatically during logout.
However, the problem we are facing with our application is that the cookie is flagged as “HttpOnly”, which means it is not accessible from Angular / JavaScript and is only visible in the browser. Therefore, we are unable to delete it.
The question is: is there any way to let Kibana create a non-HttpOnly “searchguard_authentication” cookie so that we could access the cookie during logout and delete it?
I will share the required logs soon, once I have them.
Thanks