[Maps] Ability to customize HTTP headers for layer requests

[n0othing]

Describe the feature:

Today Kibana Maps doesn't have the ability to customize/propagate HTTP headers for outgoing layer requests. For a scenario where the WMS endpoint is protected by SAML, the workflow would look like this:

1. Browser client makes a request to https://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities.
2. Service response with 302 Redirect to SAML Authorization Service.
3. Browser follows 302 Redirect to SAML Authorization Service.
4. SAML Authorization Service responds with 302 Redirect to https://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities and Set-Cookie header that contains the SAML token.
5. Browser follows 302 Redirect back to https://hostname/ows?service=WMS&version=1.3.0&request=GetCapabilities.

Subsequent calls to the WMS endpoint don't propagate the cookie received in step 4, so the workflow restarts until the browser throws ERR_TOO_MANY_REDIRECTS.

It'd be helpful if we had the ability to customize what headers are passed to layer endpoints to meet this use case.

Describe a specific use case for the feature:

WMS endpoint protected by SAML auth.

[elasticmachine]

Pinging @elastic/kibana-presentation (Team:Presentation)

[nickpeihl]

I think we should be able to remove from the wms_client module the node-fetch import as fetch is globally available in all evergreen browsers. I think we included node-fetch originally as a polyfill to patch IE11 which did not support fetch. We dropped support for IE11 a few years ago. Also node-fetch seems to be intended as a server-side library anyways, so it may not make sense to include it in client-side code.

However, I don't know that dropping the node-fetch import in favor of the Browser fetch API will resolve the issue. Maybe the @elastic/kibana-security team can offer more guidance?

[legrego]

Subsequent calls to the WMS endpoint don't propagate the cookie received in step 4, so the workflow restarts until the browser throws ERR_TOO_MANY_REDIRECTS.

Warning: I know next to nothing about WMS, map layers, etc.

Are we expecting that following the SAML auth flow, Kibana (client side) will make a request to this third-party WMS endpoint, to retrieve ✨map stuff✨, and then use that response within the Maps editor/visualization?

If so, then I agree with @nickpeihl that swapping node-fetch for fetch is unlikely to help you. You are essentially looking for the WMS service to issue you a cookie that can be sent in a cross-origin fashion. Similar to what we ask our users to do when embedding Kibana into another page, I believe that you'd need the service issuing the cookie to specify SameSite=None within the Set-Cookie header value: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value