"searchguard_authentication" cookie remains hanging in the browser

Hi @srgbnd
About the application: the application web client has a button, and when it is clicked, the browser opens Kibana in a new tab. This is how they are integrated. Normally Kibana does not ask for a second authentication, since the user is already authenticated with Keycloak during login to the application web client.

Searchguard configmap as below:

  sg_config.yml: |-
    ---
    _sg_meta:
      type: "config"
      config_version: 2
    sg_config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            internalProxies: '.+'

        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: "basic"
              challenge: false   # Set this to false when keycloak authentication is enabled
            authentication_backend:
              type: "intern"
          keycloak_auth_domain:
            http_enabled: true  # Set to true to enable keycloak authentication
            transport_enabled: true
            order: 1
            http_authenticator:
              type: keycloak
              challenge: false
              config:
                username_key: preferred_username
                roles_key: roles
                keycloak_connect_url: https://IP:port/auth/realms/master/.well-known/openid-configuration
                client_id: clientid
                client_secret: XXXX
            authentication_backend:
              type: noop
          proxy_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 3
            http_authenticator:
              type: "proxy"
              challenge: false
              config:
                user_header: "x-proxy-user"
                #roles_header: "x-proxy-roles"
            authentication_backend:
              type: "noop"
          clientcert_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              challenge: false
              type: "clientcert"
              config:
                username_attribute: "cn"
            authentication_backend:
              type: "noop"

Kibana configmap as below:

  kibana.yml: |-
    ---
    # Do not change server name and host. This is the default configuration.
    server.name: kibana
    server.customResponseHeaders: { "X-Frame-Options": "DENY" }
    csp.strict: true
    #Enable server.ssl.supportedProtocols when SG is enabled.
    #server.ssl.supportedProtocols: ["TLSv1.2"]
    #searchguard cookie can be secured by setting the below parameter to true. Uncomment it when SG is enabled.
    #searchguard.cookie.secure: true
    # Whitelist basic headers and multi tenancy header
    ##elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
    # uncomment below section for keycloak authentication and provide required correct parameters
    searchguard.auth.type: "openid"
    searchguard.openid.connect_url: "https://IP:port/auth/realms/master/.well-known/openid-configuration"
    searchguard.openid.client_id: "clientid"
    searchguard.openid.client_secret: "XXXX"
    searchguard.openid.header: "Authorization"
    ### for kibana service on ingress port is not required
    searchguard.openid.base_redirect_url: "https://IP:port"
    ### Do not change root_ca file path as this is the default mount path.
    searchguard.openid.root_ca: "/path/keycloak-root-ca.pem"
    searchguard.openid.verify_hostnames: false
	

Also, can you provide a little more detail about this approach: "A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated."

Please let me know in case you require more details from my end.
Thanks