Automatic login with JWT

I am unable to log in to Kibana using JWT as explained in this article and this thread.
My configurations are as follows:

docker-compose.yml

version: '3'
services:
  odfe-node1:
    image: amazon/opendistro-for-elasticsearch:1.2.0
    container_name: odfe-node1
    environment:
      - cluster.name=odfe-cluster
      - node.name=odfe-node1
      - discovery.seed_hosts=odfe-node1,odfe-node2
      - cluster.initial_master_nodes=odfe-node1,odfe-node2
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - ./config/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./config/esnode.pem:/usr/share/elasticsearch/config/esnode.pem
      - ./config/esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
      - ./config/kirk.pem:/usr/share/elasticsearch/config/kirk.pem
      - ./config/kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
      - odfe-data1:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./security.config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - odfe-net
  odfe-node2:
    image: amazon/opendistro-for-elasticsearch:1.2.0
    container_name: odfe-node2
    environment:
      - cluster.name=odfe-cluster
      - node.name=odfe-node2
      - discovery.seed_hosts=odfe-node1,odfe-node2
      - cluster.initial_master_nodes=odfe-node1,odfe-node2
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./config/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./config/esnode.pem:/usr/share/elasticsearch/config/esnode.pem
      - ./config/esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
      - ./config/kirk.pem:/usr/share/elasticsearch/config/kirk.pem
      - ./config/kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
      - odfe-data1:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./security.config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    networks:
      - odfe-net
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.2.0
    container_name: odfe-kibana
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_URL: https://odfe-node1:9200
      ELASTICSEARCH_HOSTS: https://odfe-node1:9200
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - odfe-net

volumes:
  odfe-data1:
  odfe-data2:

networks:
  odfe-net:

security.config.yml

jwt_auth_domain:
  enabled: true
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "MTIzNDU2"
      jwt_header: "Authorization"
      roles_key: "rolesKey"
      subject_key: "subjectKey"
  authentication_backend:
    type: noop

elasticsearch.yml

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########

# WARNING: revise all the lines below before you go into production

opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

network.host: 0.0.0.0

kibana.yml

# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization","jwtToken"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.jwt.enabled: true
opendistro_security.auth.type: "jwt"
opendistro_security.jwt.url_param: jwtToken

I generated a simple token with jwt.io:

{
  "rolesKey": "all_access",
  "subjectKey": "admin",
  "exp": 2553444112,
  "iss": "http://localhost"
}

and the secret base64 encoded, which resulted in this token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA

Kibana shows "Authentication failed, Please provide a new token." in the browser.
Checking

curl localhost:5601?jwtToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA -i

gives

HTTP/1.1 302 Found
location: /customerror?type=authError
kbn-name: kibana
content-type: text/html; charset=utf-8
cache-control: no-cache
set-cookie: security_storage=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
content-length: 0
connection: close
Date: Fri, 11 Oct 2019 08:34:17 GMT

And

curl -XGET http://localhost:5601 -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA" -i

produces the same 302 result.

Is there any way I can get this working, or are there maybe alternatives to log in automatically to an embedded Kibana dashboard?
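
Added example, not part of the original post: a standard-library Python check of which secret an HS256 token was actually signed with, using the token and `signing_key` from the post. The Open Distro security plugin documents `signing_key` for HMAC algorithms as the base64-encoded shared secret, so the script tries both the base64-decoded key and the literal string; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import json

# Token and signing_key copied from the post; everything else is illustrative.
TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA"
SIGNING_KEY = "MTIzNDU2"

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build an HS256 token, used here to produce known-good test tokens."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, secret):
    """Return the claims if the HS256 signature matches `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # never let the token choose another algorithm
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(body_b64))

def matching_secret(token, signing_key):
    """Report which interpretation of signing_key the token was signed with."""
    candidates = {"base64-decoded signing_key": base64.b64decode(signing_key),
                  "literal signing_key string": signing_key.encode()}
    for label, secret in candidates.items():
        if verify_hs256(token, secret) is not None:
            return label
    return None  # signed with neither: the secret entered at signing time differs

if __name__ == "__main__":
    print("token verifies with:", matching_secret(TOKEN, SIGNING_KEY))
```

A result of `None` or `literal signing_key string` means the token's signature does not match the secret the plugin derives from `signing_key`, which is one cause of the `authError` redirect to rule out before looking at the Kibana settings.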