JWT authentication stopped working after update

It seems that Kibana stopped passing the Authorization token to Elasticsearch after updating to 1.13.0.

  • The JWT token works if I query Elasticsearch directly
  • When I try to sign in passing the token as a parameter (same as in the previous version) I get {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
    https://.co.za/kibana/app/kibana?Authorization=
    I also tried https://.co.za/kibana/app/kibana?jwtparam=
  • I can't see an error in the logs on Elasticsearch

Authentication - {
"signing_key": "",
"jwt_header": "Authorization",
"jwt_url_parameter": "jwtparam",
"roles_key": "roles",
"subject_key": "sub"
}

kibana.yaml

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.enable_filter: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.session.keepalive: true
csp.strict: false
opendistro_security.cookie.secure: true
opendistro_security.cookie.password: "{KIBANA_COOKIE_PWD}"
opendistro_security.jwt.enabled: true
opendistro_security.auth.type: "{AUTH_TYPE}"

Additional config

elasticsearch.requestHeadersWhitelist:
  - securitytenant
  - authorization
  - Authorization
  - jwtparam
server.basePath: ${BASEPATH}

So updating "jwt_url_parameter": "jwtparam" does not work, and I changed it to null.
If I now sign in with https://.co.za/kibana/app/kibana?authorization= it works, the difference being the "A" changed to "a".

PS: basic auth and JWT auth now work on the same server.

The JWT URL parameter is controlled by the opendistro_security.jwt.url_param config, which defaults to authorization; I believe that is why it works for you when you use authorization as the URL parameter. You can customize it using the config item mentioned above.

Please note that jwt_url_parameter is a config of Elasticsearch, which Kibana is not aware of. Kibana always sets the token in the Authorization header when querying Elasticsearch.
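As an added illustration (not code from the Kibana or Elasticsearch security plugins), the following Python model shows the two hops described in the reply above: a Kibana-side login that reads the token from the URL parameter named by opendistro_security.jwt.url_param (default "authorization") and forwards it only as an Authorization: Bearer header, and an Elasticsearch-side authenticator that consults its own jwt_header / jwt_url_parameter settings. The setting names and the header shape come from the thread; the token minting, the signing key, and the internal behaviour of both plugins are assumptions made for the demonstration. It reproduces the symptom in the thread: the Elasticsearch-side jwt_url_parameter accepts ?jwtparam= on a direct query, but a Kibana login with ?jwtparam= gets 401 until the Kibana-side url_param is changed (or the default "authorization" is used).

```python
"""Model of the Open Distro JWT login path discussed in the thread (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; the thread's signing_key value is blank.
SIGNING_KEY = b"constructed-demo-key"

# Elasticsearch-side authenticator settings, copied from the thread's config.
ES_JWT_CONFIG = {
    "jwt_header": "Authorization",
    "jwt_url_parameter": "jwtparam",
    "roles_key": "roles",
    "subject_key": "sub",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint an HS256 compact JWT (header.payload.signature) for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def es_authenticate(headers: dict, query: dict, cfg: dict = ES_JWT_CONFIG,
                    key: bytes = SIGNING_KEY):
    """Elasticsearch side (modelled): locate the token via jwt_header or
    jwt_url_parameter, verify the HS256 signature and expiry, and return
    (http_status, subject)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = None
    hdr = lowered.get(cfg["jwt_header"].lower())
    if hdr and hdr.startswith("Bearer "):
        token = hdr[len("Bearer "):]
    elif cfg.get("jwt_url_parameter") and cfg["jwt_url_parameter"] in query:
        token = query[cfg["jwt_url_parameter"]]  # query parameter names are case-sensitive
    if token is None:
        return 401, None
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return 401, None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return 401, None
    if claims.get("exp", float("inf")) < time.time():
        return 401, None
    return 200, claims.get(cfg["subject_key"])


def kibana_login(query: dict, url_param: str = "authorization"):
    """Kibana side (modelled): url_param stands for the Kibana setting
    opendistro_security.jwt.url_param. The token is taken from that query
    parameter and sent to Elasticsearch purely as a Bearer header; the
    Elasticsearch-side jwt_url_parameter never sees Kibana's query string."""
    token = query.get(url_param)
    es_headers = {"Authorization": f"Bearer {token}"} if token is not None else {}
    return es_authenticate(es_headers, {})


if __name__ == "__main__":
    tok = make_jwt({"sub": "alice", "roles": ["kibanauser"], "exp": time.time() + 3600})
    print("direct ES with ?jwtparam=    ", es_authenticate({}, {"jwtparam": tok}))
    print("Kibana login ?jwtparam=       ", kibana_login({"jwtparam": tok}))
    print("Kibana login ?authorization=  ", kibana_login({"authorization": tok}))
    print("Kibana login, url_param=jwtparam", kibana_login({"jwtparam": tok}, "jwtparam"))
```

Running the script shows the direct Elasticsearch query and the ?authorization= login succeeding, the ?jwtparam= login failing with 401 under the default Kibana url_param, and succeeding again once url_param is set to jwtparam, which is the configuration change the reply recommends.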

Thanks for clearing that up. In an older version jwt_url_parameter was used to specify which parameter Kibana would send to Elasticsearch, so I would use url.com/?jwttoken=xyz1234 and Kibana would turn jwttoken into the header Authorization=Bearer xyz1234 when making calls to Elasticsearch. It then got updated in 1.9.0.0 so that you had to use Authorization as the parameter (jwt_url_parameter: 'jwttoken' didn't work anymore), and with the latest 1.13.0.0 the parameter changed to url.com/?authorization=xyz1234.