elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Improve authenticating via multiple browser contexts concurrently #112549

Open legrego opened 3 years ago

legrego commented 3 years ago

Some of our SSO auth providers require creating an "unauthenticated session" within the sid cookie in order to complete the handshake.

When multiple Kibana frames are embedded within a single page (each using the same saml provider for example), they end up competing for this single sid cookie, thereby clobbering each other's session state. This results in failed authentication attempts.

It should be possible to embed multiple instances of Kibana within a single page, regardless of the authentication mechanism used (e.g. basic, token, saml, oidc, etc.).
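
To make the failure mode above concrete, here is an added illustration (not Kibana's code, and the names `CookieJar`, `beginLoginSingleSlot`, `finishLoginSingleSlot`, `beginLoginKeyed`, `finishLoginKeyed` and `simulate` are hypothetical). Every iframe on the page shares the site's one cookie jar, so when the whole `sid` cookie holds the state of a single in-flight SAML handshake, the second frame's login overwrites the first frame's request id and the first IdP response can no longer be matched. The second half shows one way out that the issue does not prescribe: keep a map of pending handshakes keyed by request id inside the cookie.

```javascript
// Added example, not code from the Kibana project. Request ids are a counter
// here for determinism; a real implementation uses random ids.

// A browser keeps one cookie jar per site, so every Kibana iframe on the
// page reads and writes the same "sid" cookie.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  get(name) { return this.cookies.get(name); }
  set(name, value) { this.cookies.set(name, value); }
}

let nextRequestId = 1;
function newRequestId() { return `_req${nextRequestId++}`; }

// --- Behaviour described in the issue: the sid cookie holds the state of a
// single unauthenticated session. Starting another login overwrites it.
function beginLoginSingleSlot(jar, frameId) {
  const requestId = newRequestId();
  jar.set('sid', JSON.stringify({ requestId, redirectURL: `/app/${frameId}` }));
  return requestId; // carried as the AuthnRequest ID, echoed back as InResponseTo
}

function finishLoginSingleSlot(jar, inResponseTo) {
  const raw = jar.get('sid');
  if (!raw) return { ok: false, reason: 'no unauthenticated session' };
  const state = JSON.parse(raw);
  if (state.requestId !== inResponseTo) {
    // The other frame clobbered our handshake state: authentication fails.
    return { ok: false, reason: `InResponseTo ${inResponseTo} != stored ${state.requestId}` };
  }
  jar.set('sid', JSON.stringify({ authenticated: true, redirectURL: state.redirectURL }));
  return { ok: true, redirectURL: state.redirectURL };
}

// --- Hypothetical remedy: one cookie, but pending handshakes keyed by
// request id, so concurrent logins from several frames do not collide.
function beginLoginKeyed(jar, frameId) {
  const requestId = newRequestId();
  const state = jar.get('sid') ? JSON.parse(jar.get('sid')) : {};
  state.pending = state.pending || {};
  state.pending[requestId] = { redirectURL: `/app/${frameId}` };
  jar.set('sid', JSON.stringify(state));
  return requestId;
}

function finishLoginKeyed(jar, inResponseTo) {
  const state = jar.get('sid') ? JSON.parse(jar.get('sid')) : {};
  const entry = state.pending && state.pending[inResponseTo];
  if (!entry) return { ok: false, reason: `no pending handshake for ${inResponseTo}` };
  delete state.pending[inResponseTo]; // each request id is consumed exactly once
  state.authenticated = true;
  jar.set('sid', JSON.stringify(state));
  return { ok: true, redirectURL: entry.redirectURL };
}

// Two iframes on one page start SAML login before either IdP response
// arrives; the responses then come back in the order the logins started.
function simulate(begin, finish) {
  const jar = new CookieJar();
  const reqA = begin(jar, 'frameA');
  const reqB = begin(jar, 'frameB'); // second frame writes the same cookie
  return { a: finish(jar, reqA), b: finish(jar, reqB) };
}

console.log('single slot:', JSON.stringify(simulate(beginLoginSingleSlot, finishLoginSingleSlot)));
console.log('keyed      :', JSON.stringify(simulate(beginLoginKeyed, finishLoginKeyed)));
```

In the single-slot run frame A's response is rejected because the stored request id now belongs to frame B, which is exactly the "failed authentication attempts" symptom; in the keyed run both frames complete. A production version of the keyed variant still needs what the toy omits: the cookie must be encrypted and integrity-protected, the pending map needs an expiry and a size bound (browsers cap a cookie at roughly 4 KB), and the same multi-tab abuse case mentioned later in the thread should be considered when deciding how many pending handshakes to allow.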

elasticmachine commented 3 years ago

Pinging @elastic/kibana-security (Team:Security)

azasypkin commented 3 years ago

Thanks for filing this one! I agree, this sounds like a valid use case that we should cover.

The behavior we have today is intentional (I believe we even have tests for this), but we didn't consider multiple Kibana iframes in the same page at that time. The assumption was that users could end up in a situation like that only when they open Kibana in multiple tabs and initiate SAML/OIDC login in all of them. Failing in such a case is reasonable, but not for multiple iframes.

EdCSM commented 2 years ago

@azasypkin @legrego @jportner Any update? Customer asking if we are considering this on a future release.

azasypkin commented 2 years ago

> @azasypkin @legrego @jportner Any update? Customer asking if we are considering this on a future release.

Unfortunately, there are no updates yet. I've just added this to the discussion agenda for our sync next week. I'll comment here once I have more details.

azasypkin commented 2 years ago

Quick update here: we included the task to investigate possible solutions for this issue in our "Next Sprints" backlog. We'll comment here once someone picks it up.

EdCSM commented 2 years ago

any insight would be appreciated @azasypkin @legrego @jportner

jportner commented 2 years ago

> any insight would be appreciated @azasypkin @legrego @jportner

We haven't been able to address this yet due to some PTO on our team and a couple of high priority items that came in, but this is still in our "Next sprint" bucket.