Open n0othing opened 1 year ago
Pinging @elastic/kibana-presentation (Team:Presentation)
I think we should be able to remove from the wms_client
module the node-fetch
import as fetch
is globally available in all evergreen browsers. I think we included node-fetch
originally as a polyfill to patch IE11 which did not support fetch
. We dropped support for IE11 a few years ago. Also node-fetch
seems to be intended as a server-side library anyways, so it may not make sense to include it in client-side code.
However, I don't know that dropping the node-fetch
import in favor of the Browser fetch
API will resolve the issue. Maybe the @elastic/kibana-security team can offer more guidance?
Subsequent calls to the WMS endpoint don't propagate the cookie received in step 4, so the workflow restarts until the browser throws ERR_TOO_MANY_REDIRECTS.
Warning: I know next to nothing about WMS, map layers, etc.
Are we expecting that following the SAML auth flow, Kibana (client side) will make a request to this third-party WMS endpoint, to retrieve ✨map stuff
✨, and then use that response within the Maps editor/visualization?
If so, then I agree with @nickpeihl that swapping node-fetch
for fetch
is unlikely to help you. You are essentially looking for the WMS service to issue you a cookie that can be sent in a cross-origin fashion. Similar to what we ask our users to do when embedding Kibana into another page, I believe that you'd need the service issuing the cookie to specify SameSite=None
within the Set-Cookie
header value: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
Describe the feature:
Today Kibana Maps doesn't have the ability to customize/propagate HTTP headers for outgoing layer requests. For a scenario where the WMS endpoint is protected by SAML, the workflow would look like this:
https://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities
.302
Redirect to SAML Authorization Service.302
Redirect to SAML Authorization Service.302
Redirect tohttps://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities
andSet-Cookie
header that contains the SAML token.302
Redirect back tohttps://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities
.Subsequent calls to the WMS endpoint don't propagate the cookie received in step 4, so the workflow restarts until the browser throws
ERR_TOO_MANY_REDIRECTS
.It'd be helpful if we had the ability to customize what headers are passed to layer endpoints to meet this use case.
Describe a specific use case for the feature:
WMS endpoint protected by SAML auth.