
Make token as a default authentication provider instead of basic #34339

Closed
azasypkin opened this issue Apr 2, 2019 · 3 comments
Labels
blocked enhancement New value added to drive a business result Feature:Security/Authentication Platform Security - Authentication Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@azasypkin
Member

azasypkin commented Apr 2, 2019

Recently we introduced a token authentication provider (which relies on the Token Management APIs provided by Elasticsearch) that can and should be used instead of the basic authentication provider. But to make that happen, we should take care of the following things first:

Blocked by: #61115

@azasypkin azasypkin added blocked Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Authentication Platform Security - Authentication v8.0.0 labels Apr 2, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@jkakavas
Member

jkakavas commented Apr 2, 2019

Figure out if xpack.security.authc.token.enabled can be set in Elasticsearch distribution by default

The setting used to default to false and now defaults to the value of xpack.security.http.ssl.enabled. The reason is that we do not want to enable the token service over an unencrypted layer (http) as this would mean that

  • clients would send user credentials over http (password grant in the Get Token API)
  • clients would send access tokens over http (Authorization header)
  • clients would send refresh tokens over http (refresh_token grant)

We'd need to see if it is worth relaxing this stance, if TLS for the http layer can't be enabled by default.
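As an added example (not code from the issue, from Kibana or from Elasticsearch), the following Python check applies the default rule described above to an elasticsearch.yml: the token service follows xpack.security.http.ssl.enabled unless explicitly overridden, and an explicit override that turns it on over plaintext HTTP is the case the comment warns about. It assumes flat dotted-key settings and that HTTP TLS is off when the setting is absent; the sample configurations are constructed.

```python
# Added example: evaluate the effective Elasticsearch token-service state from
# an elasticsearch.yml, using the default described in the issue thread
# (xpack.security.authc.token.enabled inherits xpack.security.http.ssl.enabled).

TOKEN_KEY = "xpack.security.authc.token.enabled"
HTTP_TLS_KEY = "xpack.security.http.ssl.enabled"


def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; comments and blanks are skipped.
    Nested YAML (an assumption of this example) is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def to_bool(value, default):
    return default if value is None else value.lower() == "true"


def assess_token_service(config_text):
    """Return (token_enabled, http_tls_enabled, finding) for one config."""
    settings = parse_flat_yaml(config_text)
    # Assumption: HTTP TLS is off when the setting is not present.
    tls = to_bool(settings.get(HTTP_TLS_KEY), False)
    # The token setting inherits the TLS setting unless explicitly set.
    token = to_bool(settings.get(TOKEN_KEY), tls)
    if token and not tls:
        finding = ("token service enabled over plaintext HTTP: credentials, "
                   "access tokens and refresh tokens would travel unencrypted")
    elif not token:
        finding = ("token service disabled (no HTTP TLS, no override); "
                   "Kibana cannot use the token provider here")
    else:
        finding = "token service enabled over TLS"
    return token, tls, finding


# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = """
xpack.security.enabled: true
xpack.security.authc.token.enabled: true   # explicit override, TLS left off
"""
DEFAULT_CONFIG = "xpack.security.enabled: true\n"
HARDENED_CONFIG = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""
```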

@azasypkin
Member Author

Thanks @jkakavas! Let's see how we can move this forward. I guess the same thing is true for xpack.security.authc.api_key.enabled (aka long-lived tokens).

@legrego legrego removed the v8.0.0 label Jun 16, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 4, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
@legrego legrego closed this as not planned Jan 18, 2023