What responses for kibana js requests would make it close the GUI when proxy based authentication is enabled

shubha02 · September 2, 2020, 12:21pm

Kibana session doesn’t expired properly when proxy base authentication is enabled as searchguard has no control over the session, referring to older discussion

Blockquote
Kibana session doesn't expire in a expected time when proxy based authentication is enabled
Blockquote

Could you please help us that , is it possible to know what responses for kibana js requests would make it close the GUI and redirect to the login page (if ever possible), or at least close with a message to relogin-manually.

Thanks.
Subhashree

srgbnd · September 2, 2020, 9:02pm

There is no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented. There are some hacks but they are not reliable.

To expire sessions, use one of our authentication modes: basic, OpenID, SAML, etc. https://docs.search-guard.com/latest/kibana-authentication-http-basic

srgbnd · September 2, 2020, 9:03pm

What is your use-case? Where do you store the user accounts?

shubha02 · September 3, 2020, 8:58am

our usercase is as below ,
We use proxy-based authentication where ingress is used as proxy which does the authentication and redirects to kibana with user details in the header. In our case, if the kibana session is open for too long time and when the session expires, we get the error related to bundle js when try to do some action(like a filter).
And in this case user will be unaware of the error & will be confused.
posting the screenshot here.

Instead of this as a solution to this problem , is it possible to send certain respoanse code from proxy ,so that can kibana close with a message like ex. “session expired re-login manually” ?

srgbnd · September 3, 2020, 10:24am

Where do you store the user accounts? What version of SG do you use?

shubha02 · September 3, 2020, 12:25pm

Hi ,
We use keycloak for storing the user accounts & nginx ingress as the proxy.
Searchguard version used is : 7.8.0-43.0.0.

srgbnd · September 4, 2020, 9:43pm

A possible solution could be redirecting the user whose session is expired to some URL. I will raise this question internally and we shall see what can be done.

Given you have already Keycloack, you can setup OpenID connect authentication as a solution.

shubha02 · September 7, 2020, 11:40am

Hi , Thanks for the above response.
The second point “setup OpenID connect authentication as a solution” would not be valid for our use-case.
We would like to wait for the solution mentioned on the first point ,“A possible solution could be redirecting the user whose session is expired to some URL”.