Auto sign-in to an embedded Kibana dashboard iframe

What I Want to Achieve

I pasted a Kibana dashboard’s iframe code in my webapp, which works fine. I’m trying to skip the sign-in screen.

What I Tried

Since I already have the user’s credentials in memory, I figured an AJAX call to /api/v1/auth/login before loading the embedded dashboard should set the appropriate cookie and skip the sign-in screen.

The issue is, Kibana will only accept the request if it has a kbn-version header. But if I add a kbn-version header to the AJAX request, the pre-flight OPTIONS request fails with:

“CORS error: Some headers are not allowed”

I have tried adding kbn-version to some Hapi configuration settings such as server.cors.additionalHeaders, server.cors.headers, server.cors.exposedHeaders, and server.cors.additionalExposedHeaders but none of them seem to work.

This is my custom-kibana.yml file:

$ cat custom-kibana.yml 
---
# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
server.cors : true
server.cors.origin: ['*']
server.cors.additionalHeaders: ['kbn-xsrf', 'kbn-version']
server.cors.headers: ["accept", "authorization", "content-type", "if-none-match", "origin", "kbn-xsrf", "kbn-version"]
server.cors.exposedHeaders: ["accept", "authorization", "content-type", "if-none-match", "origin", "kbn-xsrf", "kbn-version"]
server.cors.additionalExposedHeaders: ['kbn-xsrf', 'kbn-version']
# server.ssl.enabled: true
# server.ssl.key: kibana.pem
# server.ssl.certificate: kibana-key.pem
elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: <pw>
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

My Question

How do I skip the sign-in screen, either by solving the issue I encountered or in any other way?

Hello yigal!

Please, did you achieve skipping the sign-in screen on the embedded Kibana dashboard iframe?

I'm also interested in this, does anyone have a solution?

@yigal, @gferrette, @victor. Setting the CORS headers can be done on the server. Maybe some of these will work:

add_header 'Access-Control-Allow-Origin' "*" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT, HEAD';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'DNT, If-Modified-Since, Cache-Control, Range, User-Agent,Keep-Alive,Content-Type, kbn-version, kbn-xsrf, Origin, X-Requested-With,Accept, Engaged-Auth-Token, Content-Length, Authorizati$
add_header 'Access-Control-Expose-Headers' 'Content-Security-Policy, Location, Content-Length, Content-Range';

This can also be done with Nginx and basic authentication. The username:password string needs to be converted into base64 with a colon between them. Converting the name “username” and the password “password” on this website https://www.base64encode.org/ will return dXNlbmFtZTpwYXNzd29yZA==. Every time a user visits Kibana it will send the Authorization header with the credentials. The code is:

server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5601;
        # Attaches the fixed basic-auth credentials to every proxied request.
        proxy_set_header Authorization "Basic dXNlbmFtZTpwYXNzd29yZA==";
    }
}
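The preflight check behind the “Some headers are not allowed” error in the question, and the CORS header settings discussed in this reply, modelled as an added example (this is not code from the thread, from Kibana or from Nginx); the origins and header lists are constructed for illustration.

```javascript
// Added example (not from the thread): a small model of the browser's CORS
// preflight decision, showing why the AJAX login in the question fails with
// "Some headers are not allowed". Origins and header lists are constructed.

// Request header names a browser sends without the server listing them.
// content-type is deliberately absent: it is safelisted only for form/text
// values, and a JSON login body is neither, so it must be listed as well.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const splitList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// request: { origin, method, headers: [names], credentials: bool }
// response: preflight response headers, lower-cased names -> values
function preflightAllows(request, response) {
  const allowOrigin = response['access-control-allow-origin'];
  const allowCreds = (response['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const allowHeaders = splitList(response['access-control-allow-headers']);
  const allowMethods = splitList(response['access-control-allow-methods']);
  // "*" satisfies the origin check only when no cookies are involved.
  if (allowOrigin !== request.origin && (allowOrigin !== '*' || request.credentials)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  if (request.credentials && !allowCreds) return { ok: false, reason: 'credentials not allowed' };
  if (!allowMethods.includes(request.method.toLowerCase())) return { ok: false, reason: 'method not allowed' };
  // Likewise "*" in Allow-Headers is a wildcard only for non-credentialed requests.
  const wildcard = allowHeaders.includes('*') && !request.credentials;
  const rejected = request.headers.map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h) && !wildcard && !allowHeaders.includes(h));
  if (rejected.length) return { ok: false, reason: `headers not allowed: ${rejected.join(', ')}` };
  return { ok: true, reason: '' };
}

// The login call from the question: cross-origin POST carrying kbn-version
// and kbn-xsrf, sent with credentials so the session cookie can be stored.
const loginRequest = {
  origin: 'https://webapp.example', method: 'POST',
  headers: ['content-type', 'kbn-version', 'kbn-xsrf'], credentials: true,
};
// Preflight responses that differ only in allowed origin and header list.
const reply = (origin, headers) => ({
  'access-control-allow-origin': origin,
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, OPTIONS',
  'access-control-allow-headers': headers,
});
// Server lists kbn-xsrf but not kbn-version: the failure reported above.
const missingKbnVersion = () => preflightAllows(loginRequest, reply('https://webapp.example', 'content-type, kbn-xsrf'));
// Wildcard origin, as in server.cors.origin: ['*'], never works with cookies.
const wildcardOrigin = () => preflightAllows(loginRequest, reply('*', 'content-type, kbn-xsrf, kbn-version'));
// Explicit origin with both kbn-* headers listed: the preflight passes.
const explicitOrigin = () => preflightAllows(loginRequest, reply('https://webapp.example', 'content-type, kbn-xsrf, kbn-version'));
```

The same check explains the later reports in this thread: once the dashboard is served from the same origin through a proxy, no preflight or third-party cookie decision is involved at all.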

I was able to log in, but cookies are not getting set and the subsequent calls are failing.
Can someone please help?

The browsers may block third-party cookies from different domains. Are the Kibana dashboard and the website from which the login requests are sent on the same domain?

I’m using OpenSearch Dashboards version 2.13 and created an nginx proxy to make it the same domain.

It’s working after allowing third-party cookies from the proxy server. Thank you.
