JWT authentication: kibana rejects valid tokens after session expiry

I’ve created an issue in the kibana repo. I suspect there is a edge case where the kibana cookies conflict and take precedence over valid JWT tokens.


1 Like

Guys, I have the same issue. Please look at it, because it is not convenient to restart kibana every time…

Has anyone found a solution to this? I’m encountering the issue too.

I tried increasing the session timeout in the kibana.yml file but that doesnt work either, issue still happens after 1 hour. (Its becoming a blocker preventing us releasing into production)


I finally figured out a solution to this issue - If u remove the basic manual login auth properties from the security yaml file, then elasticsearch won’t start up correctly so u have to leave it in, but by default in the yaml file they put it first and when u enable jwt after an hour that jwt/session timeout occurs.

This isnt documented anywhere and I just found it by pure chance messing around with the yaml file - if u move the jwt properties to before the basic auth properties in the file, the issue actually goes away and everything works fine even after an hour. It seems it was applying the session timeout from the basic auth to the jwt login when the file was in the default order - which does seem like a bug and it wasnt documented changing the order would make any difference.