Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Dashboards permalink and iframe losses url param JWT on internal API calls #1621

Closed
dbanshee opened this issue Oct 13, 2023 · 14 comments
Closed

[BUG] Dashboards permalink and iframe losses url param JWT on internal API calls #1621

dbanshee opened this issue Oct 13, 2023 · 14 comments
Labels
bug Something isn't working help wanted Extra attention is needed, need help from community triaged

Comments

@dbanshee
Copy link

dbanshee commented Oct 13, 2023
edited
Loading

Describe the bug

Dashboards permalink and iframe losses url param JWT on internal API calls.

After configure Opensearch and OS-Dashboards to use url param JWT and check by curl that works sucessfully, I tried to open dashboards permalink and iframe generated by opensearch.

The browser enters on infinite loop (if the token JWT has expired, directly returns Unathorized as expected).

No browser debug or opensearch dashboards appears to be relevant but capturing traffic on 5601 port I can check how the url_param jwt are lossed on internal API calls (restapiinfo, configuration accoung api, …) returning HTTP 401 Unathorized

I replicated with curl the same calls and adding url_param with the same token and the request works.

To Reproduce
Steps to reproduce the behavior:

  1. Generate permalink or iframe of dashboard.
  2. Configure JWT URL Param on Opensearch and OpenSearch Dashboards.
  3. Add JWT url param to permalink
  4. Open permalink on a Browser.

Expected behavior
Expected to show de dashboards successfully, but browser enters on infinite loop.

OpenSearch Version
2.10.0
Also tested on 2.8.0

Dashboards Version
2.10.0
Also tested on 2.8.0

Plugins

Please list all plugins currently enabled

[opensearch-dashboards@f3445ef669e8 bin]$ ./opensearch-dashboards-plugin list

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Host/Environment (please complete the following information):

  • OS: Linux Ubuntu 23.04 using opensearch in docker
  • Google Chrome Versión 116.0.5845.96 (Build oficial) (64 bits)

Additional context
Configuration:

Opensearch security config :

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            # Shared Secret from AuthService
            signing_key: "<my_secret>"
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: opensearch_roles
            subject_key: preferred_username

Opensearch Dashboards Config:

opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: jwtToken
opensearch_security.jwt.enabled: true

Manual curl to test internal APIS (adding jwtToken url param) works successfuly:

curl -XGET  'http://localhost:5601/api/v1/restapiinfo?jwtToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiNjFiMjU2YTAtOTEyNS00NDhlLWI2OWQtNWViYjdiYTZhNjI1IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTcxODM1MDUsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTcxODgwMTMsInNlc3Npb25fc3RhdGUiOiI2MWIyNTZhMC05MTI1LTQ0OGUtYjY5ZC01ZWJiN2JhNmE2MjUiLCJpYXQiOjE2OTcxODc0MTMsImp0aSI6IjhhZGJhMjRiLWJmNWItNDAyMC1iZjNlLTU5ZWM1NTdmNjVjYSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiMWJhOWY4NWQtZjEyMi00N2FmLThiNGQtODg4Yzc2ODZkMmE3IiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjpudWxsLCJyb2xlcyI6WyJBZG1pbmlzdHJhdG9ycyIsImV2ZXJ5b25lIiwiRW5yaWNobWVudCIsIlBsYXRmb3JtIEFkbWluIiwiUGxhdGZvcm0gV0YgRGVzaWduZXIiLCJNaWdyYXRpb24iLCJMb3dDb2RlIFdGIERlc2lnbmVyIiwiUGlja2xpc3QiLCJQdWJsaXNoaW5nIiwiSW5nZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJNb25pdG9yaW5nIE1hbmFnZW1lbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIm9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlIiwiSW5nZXN0IE1hbmFnZW1lbnQiLCJMb3dDb2RlIFdGIFZpZXdlciIsIkxpdmUiLCJTY2hlZHVsaW5nIiwiVGVuYW50IEFkbWluIiwiU2l0ZSBBZG1pbiIsIkV4Y2hhbmdlIiwiRGV2ZWwiLCJTaGFyZWQgU2l0ZSBBZG1pbiIsIlRlZGlhbCBPcHMiLCJEZWxpdmVyeSIsIkNvbGxhYm9yYXRpb25zIiwiZGVmYXVsdC1yb2xlcy10ZWRpYWwiXX0sInJvbGVzIjoiQWRtaW5pc3RyYXRvcnMsZXZlcnlvbmUsRW5yaWNobWVudCxQbGF0Zm9ybSBBZG1pbixQbGF0Zm9ybSBXRiBEZXNpZ25lcixNaWdyYXRpb24sTG93Q29kZSBXRiBEZXNpZ25lcixQaWNrbGlzdCxQdWJsaXNoaW5nLEluZ2VzdCxvZmZsaW5lX2FjY2VzcyxNb25pdG9yaW5nIE1hbmFnZW1lbnQsdW1hX2F1dGhvcml6YXRpb24sb3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUsSW5nZXN0IE1hbmFnZW1lbnQsTG93Q29kZSBXRiBWaWV3ZXIsTGl2ZSxTY2hlZHVsaW5nLFRlbmFudCBBZG1pbixTaXRlIEFkbWluLEV4Y2hhbmdlLERldmVsLFNoYXJlZCBTaXRlIEFkbWluLFRlZGlhbCBPcHMsRGVsaXZlcnksQ29sbGFib3JhdGlvbnMsZGVmYXVsdC1yb2xlcy10ZWRpYWwiLCJ0ZW5hbnQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiJ9.Im4-elkLPMhdVNbfbfLsrfc-mOlVshHsgU1piISl13CldiKe3BkPycDq1hiIrZB1YbfLUNKH0hk3oRVEzOkhrw&security_tenant=global' -v -i
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 127.0.0.1:5601...
* Connected to localhost (127.0.0.1) port 5601 (#0)
> GET /api/v1/restapiinfo?jwtToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiNjFiMjU2YTAtOTEyNS00NDhlLWI2OWQtNWViYjdiYTZhNjI1IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTcxODM1MDUsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTcxODgwMTMsInNlc3Npb25fc3RhdGUiOiI2MWIyNTZhMC05MTI1LTQ0OGUtYjY5ZC01ZWJiN2JhNmE2MjUiLCJpYXQiOjE2OTcxODc0MTMsImp0aSI6IjhhZGJhMjRiLWJmNWItNDAyMC1iZjNlLTU5ZWM1NTdmNjVjYSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiMWJhOWY4NWQtZjEyMi00N2FmLThiNGQtODg4Yzc2ODZkMmE3IiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjpudWxsLCJyb2xlcyI6WyJBZG1pbmlzdHJhdG9ycyIsImV2ZXJ5b25lIiwiRW5yaWNobWVudCIsIlBsYXRmb3JtIEFkbWluIiwiUGxhdGZvcm0gV0YgRGVzaWduZXIiLCJNaWdyYXRpb24iLCJMb3dDb2RlIFdGIERlc2lnbmVyIiwiUGlja2xpc3QiLCJQdWJsaXNoaW5nIiwiSW5nZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJNb25pdG9yaW5nIE1hbmFnZW1lbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIm9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlIiwiSW5nZXN0IE1hbmFnZW1lbnQiLCJMb3dDb2RlIFdGIFZpZXdlciIsIkxpdmUiLCJTY2hlZHVsaW5nIiwiVGVuYW50IEFkbWluIiwiU2l0ZSBBZG1pbiIsIkV4Y2hhbmdlIiwiRGV2ZWwiLCJTaGFyZWQgU2l0ZSBBZG1pbiIsIlRlZGlhbCBPcHMiLCJEZWxpdmVyeSIsIkNvbGxhYm9yYXRpb25zIiwiZGVmYXVsdC1yb2xlcy10ZWRpYWwiXX0sInJvbGVzIjoiQWRtaW5pc3RyYXRvcnMsZXZlcnlvbmUsRW5yaWNobWVudCxQbGF0Zm9ybSBBZG1pbixQbGF0Zm9ybSBXRiBEZXNpZ25lcixNaWdyYXRpb24sTG93Q29kZSBXRiBEZXNpZ25lcixQaWNrbGlzdCxQdWJsaXNoaW5nLEluZ2VzdCxvZmZsaW5lX2FjY2VzcyxNb25pdG9yaW5nIE1hbmFnZW1lbnQsdW1hX2F1dGhvcml6YXRpb24sb3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUsSW5nZXN0IE1hbmFnZW1lbnQsTG93Q29kZSBXRiBWaWV3ZXIsTGl2ZSxTY2hlZHVsaW5nLFRlbmFudCBBZG1pbixTaXRlIEFkbWluLEV4Y2hhbmdlLERldmVsLFNoYXJlZCBTaXRlIEFkbWluLFRlZGlhbCBPcHMsRGVsaXZlcnksQ29sbGFib3JhdGlvbnMsZGVmYXVsdC1yb2xlcy10ZWRpYWwiLCJ0ZW5hbnQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiJ9.Im4-elkLPMhdVNbfbfLsrfc-mOlVshHsgU1piISl13CldiKe3BkPycDq1hiIrZB1YbfLUNKH0hk3oRVEzOkhrw&security_tenant=global HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< osd-name: f3445ef669e8
osd-name: f3445ef669e8
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< cache-control: private, no-cache, no-store, must-revalidate
cache-control: private, no-cache, no-store, must-revalidate
< set-cookie: security_authentication=Fe26.2**76a03086e97ab8fe96eb4a02e2e7f1290c6aa23e1bc2fe5f4cecb127b3fa6c9f*FSlYd4SaP0L3ZNfdLBd3jw*xdrd8k3KP1Hjuf2Lt4WhDo8wzkMgpIzOTjTw2pqWBjPaQXX0OpoEIF1bbRer5nFpnPBxCjt8k1XyW7GzI695sGECip56ZZPUqsoJrB24eu6Pe8GTSfY5oOkUCaX5KjQyxs3BYFA3pS_OCVFVxsddXrHgLk9qz7FesomKs4wPZ8E6_KHEbJYJdAnxOEMq3ti7f2OiOIdfnlKhLlPAApEHkXYVb0tAioyA2jO28_YwkbqMeB7HnKNvQq8tVpjeRPAV9WfNi15Y_hjsgj31D9WmLRY3jHhe6vEXUS6lm0mpEwf2_O3FSmTu0wMJzy5jMPx_-U7jkEM9j-9su1zy2waR6Yh459dVMrzgAhCOc4VLq87bfKE_8REhPdiXKdypyBd-SS0U82B2u1ok89SA9h4hvMycPTR3lmZLchfZFnW_NlEaaONzt2LF0plGVECFlRNPzR37_8sts2b3l5LyxfGrJXf8DjZJK49w45iymbvi8sKi-YjZmMuG9rT1KTi7Ju7q95Z83LoYsb3aCU9aydawmL97IHS-GNjJcCmHfYsq_hGRiemnY4ws5szYbBHfqA6THAC8DlUE0MYtdHdMfynrkfXllwN8DHrJZWzSE7WhHcFQl88VFwsBTw1eTw-xkc4YfPOu6rkMQoMdH8tZze0A8PuAfwYe-GWI8sdmycaJB88kqNmVsMfA8E_XJojOaGH2X-u0kZmduGxgcx2B0DK1Zlfu3p1uTkpNYgTX2GTwikyI8f_CF7uFwhjtDbgfT6l6FvfUNp7ObOvCK29JxCun_MDrDWnFWyEdmBtNv8qsXcGb02By02hh1P4xviT9NM-zYa2ApsjRq9GhZXzwNdgM_51M72G8KbKIYkkFsywLB_H-1WV82UNjfdzEYvWZ5xb3SzkiT7imvre4uS2hJF1S88Hajf-ySM4ebbMQENSk9LtCNIh1g_skzUAUJCK5Qc5biLQg_Hc_6-elWhz_xIbhtfqgoEHOjLf5zn3OWbvoqaC8MwC_N9rXqPqwrviMS9e7W3lNnnbB0OTIMEmHumpa5BzRXBZkfQ3G-5h3zm8FebghKt60VdGHjjIrlodFirRMBlLKh3Ng_d9PHjVJ5fkivflTEYEmT6Q7vtQfok83H17JhQhmv4AOm2c8c0nqiAGPY-ZPXiW5reLN6raj4QcgGqBAjgDlGEFy8iLS0V-c7QUGHU0V3CE7paPnh9CegMaD1Iv9LF-KzXGD3SZ1GyGH55x9xmIqBuQ0ZogxBVwGuTQ23jrj9PWxwAPWwQEsEbHGoMXhGwLmk2eddG4N_DbEszUnwZjFnQWLfasWFFdzr--LrCSRcKGvziWyohUTweSmzIlFhb6xyBjn37iRSWen3NGcGsE1RvrzeZAqTs70oOob_QZ54S8ezPWH7ZztxFfMfqAPRZelTIIX2kZdtLaJABrwhBfGO1cnoDM5OT7TtfEBIlYLSVt_1EYKpld4MVnEb2hC-6CgztMXiTH_jxG5NmG0VgHbqv_-yurDZCKliRLSSY_5zP7QUhBVwRtiAjp8zkjuz3i3yjLd7Rp50K5BdofBrpr3jn6pebEcH5Gsx9GFfYgXJKDMiu32vk32JDC56m9XNAnJ9b3f-uoZcIYcUXjfpMZAb3c1GPzwQXXwNB9Bjr0TYLVgv56ck4JJpJbR0uhzwAf2vs47C0LCWGjS0uH4suVjPWc4ZPF8WWU6Y_au010C5JWRmhIwOk-J6VBPJ3VSZzgQKME4rNKEJkHwCKJLEwyVN9FDVbIbxRvrnPNDRmnF06m9A5pd7vqneIiKcP_uZdBsL206XfoY0IwE2Cq8lohyKG4SBSMAeFZO40fS0e3jpGxJpqt0bUyybG5ULELBEdDV6f94aojXejnxdvFd0JEnIaJSfY_II9xllCXVRRPnv7sOjdft1JUEDyDO-ZkuVW6f23Pzp9EdV53NTswOOgm8XCyhMSzUq4_GmOZrw5SzXFGW3jRCnUlU2w5AaM__swhtwmBcQwV-hBN7xOa5zkhOY3sm7V6J-OYiwgm1GNLxUihGH68E7XWhWIATrW46H_X9WwylCl4Petw2kp5pf-_rJdT8o62IOEO6Xao7KvNDiTjaxMGsDhsrdKwkjUFUeHeYUaoFTlweqzeSUI2hZlmQAPdX34o10QUU5OGzyB5us3iXCv-oy5zQroXWlMrcLPhLBE06E2frdtj6PrsjknleiO2iDCWkFgSlupq1Mda0ADJ6AinOztnAFHOpcvL4qhsXoI55PjfYQl2IXerP14pxajj59UNPzPjYecOSY2l9ht1hyGLMUz1q7pSVUmKk6qsDs7v0hcL0LYPiILdbY4hlnAcbfiNMwndLnj6DLvr9gjJMTC9Gk-E6lZOyeVMp2oOeXIA83pX3Ituj7AlqdspbSnPXcg82DXEDso82lc4aN3j0qU3d6rFgATCV-rRHMXRLRjzHHZFOdq9y3Cg3NeH1-icvOLnB-Rmr6rslZ5VGLhdLHZAd5vuAoMSzU82p6hQ2ofmzH8XlvYvSQMTqEN3nyhdOy09zvIDUtt1ppqxXaTwSVI9j5geqR2lEDDK-PCQ62w4mEPP3k1Tx0Szg1FO-O7Qg9l_UPv_6HQlx_QkH5WsLYmhLWWK1qKqGXSOgdauikCD11UrN33dDMPeJ7d_9hkyv7tiRtEIlivRu23Yif9gGdHVw_Yfm-ZHQq9XG-9dWiFU_Hd363yj34tQnsuIMY9iKOQ_2LlCqYDlWe9LCt_7Lu0Wdp6JW6tizy6dEZIyRY5q0Of2VnEdZr2K5xeIq2XmMnOobWdkp2BxppGzhcILQTBcf7bSv_VMycMPf4MFmmnr_8hZXAbkobbkhN9bilw7T5T1sYWjcsoHpFG6RZt3ms8hDRVbXDq7nYEu99ZcBsiByDnfHI9sD3JFdOlrYEDM7Kv2aZAL7r6tUwoiEEUkVG_0psX0hnBsLRrBfVJeR3vsBHFsjhWEHA1UHhKPAdnJBWAihuCo-W5QlJeUKwDYY3Fz-OGUSCVqsWKHucXa9hgh2H82AO5QbO8zh-mVauVC_GYEp6H8c7tG6ZqQVmtjNmXtMOD85s1sl7tkPcWERdas0z4oKGLAg7maAl8Zf_HKMJRM8YUKG_nL1JvkLkDQLhEVyO0Tk10NHZ6rgmg2NWK8QRYcHaeAscklKnggm7OPtkPNcIWrLa6EfDSRlgasT9-5BdHmTZIw9C7pHeTINJPGU4V4v21Fhs524TBd8sxHJ13fHlnRCvEc8ULhXJAeh-23sXtVriknRNfHYxGP_EFaXdvyVvUrKV_RnltJ-qNZtCnJDW5nTWtCivI012iYZ6gBdHGutRUvJDLvSHPQwNnbLWruEABajjAn_n7w_gMFMQ_31Xd3KYzbEmD3U1kgy5DDbsKM6cvENQLVqHPVtcTtTXK0IIsGkzVOGdXg8vckYrIWcORvcgNzjEra-3Wd9ldw9CVqJ6Uocr_DBDMdyW7uQzKW_tpK_ys3AYOkFEiq_V0x3SufSa16iECQVQ5dExKNDM72IS_KxXvsdo3Kk9-g-n3on7juvbM-8iBWY-j7gsef2JrswN5bVxOD9aO7_aquPFEA9xpcxb6HS5K91WDpQ7n-dHyk33KWM2UNo879HR8hJKI1IT1JQXMo8VuFp79GIDqPLPqD889GSztsMfU2rc0xVu9pZ_R27bPWXkNbzMNTivyJOoc25uW1An2X19jjYtYngCTALNC_zWnGROuhY5VQU_0M71wGuPw6CwpGJf3-w19LEyP7rsOKdZPFGj16dIV5vTdhT4S_pocBJ_1mkHrpxDRpqji8Gr_mHIbsQjDJThlyIgYGyFWTuOy_Ej8pwkoN12d8IPfYZ3sfuMepMpQyBNopeVlaofDO2J5cVnoR2yytOEnhKRLLOejAyh6BnOpT9FZUSERN0Z6yr0HcJpQTpUuRCli-57-u6ZTYJknkoPdXL5U_wGg4_abo7OD1DDn2d7I_cMIrmju8OA3kLN_NXMkGGEcOHHFTDk7u8ksZCq4zyPQUqSsP0YwYSdBIq8IN9VaC7ZGorsnwRoXNMkFJWjxZ2y-ky3qi7yYcl4hZ93Vmeh5C-7ljP19V9n4wGcEkrI_8ku11lad-RxIrPYSBfg_qOU9RBGpCgbYNV99vRVtCZkoLi-ywRhpiwhsN2xI60xdXPBTI0Xm3zgz2ABYALd-Uz5644kBom7YH6aTiomA_2M7aICx6C1aFfwJGrk16chtUVgC7Bxr_DacgIZolohD2e-Yuujhg4B8ExK7umAabtyp9wQMyzZYlacQhhWReCDg9mnzJjdhEr_jL0VhIgOTgppwPmdvYblZ87scfQonwBaKABstSg53Pv-qs-Qx06n3DMv6u3txLf8H6hNUMyyVSbNRWph982oTuPJgl9pLzCg6mLyvcUKfCulqhTUOs49Oa1zmHP1a_yhncMDnpYYDprD30RhGgE5ogST8eyYAcaBsxOEhTBs_IV1wpZ61TOMA5zzml0JgoJeIKk7b1Mkblkj0H0d8Auiznsell_53MWL_06YP7eWcZzwzXTPON2_F_B96UHgLtwIVhBQGaCDqWAKn9OrKOn28UCF8hbXxgz-FM5KUVxFnAgAmSxCA-GSiNwS7PbQdpSlNSohz_YqHW4tkYzxYyhpEwYEXc8qkpOhb2Ch1eLwfD1JXzl2Nhbktmj-ueoFHvb97DlCMTPGacPjmMmeqda-VHbwNOBMP_xjiZY7VgHZiMAsYeRXUSnV3_rVNBcWvs_itfxB0IJkqt-eU1X71gegqJxYwHRofbsCsEFoNMxRwDNpcoLjcgkNqAwVcwB43U68_ghi9Mn5mvsNWZ8hocXHBe5Jz3Bu5Ra5ZLMWJ_SZZAunk_1neJfawdHAqBewg1vn8Xt53nYBvsB-b_Cpc4uiilC5QJL8Eg2tqeLlUM9ryujX0jaNlh8qX3bgk5XQO0G8plBVslQxYeISd3EHNRGBYYuCLM6mZHmFyKJPusqlBH3tPBm8ISq0gxBSlfjC9BywkTs705B-BZuAjTxny1pETEUgKB2TU-Gi-x6hizE5yoVPUqwMIJXbMMs**c6a346201b1aaf63a6ce0f90556c503d18f015ee732ee8402a7ac36abbbe2d97*saqGCpGy6l-o6EVqXb5IgT2Y6vVfanx6_tGEU1AsShI; HttpOnly; Path=/
set-cookie: security_authentication=Fe26.2**76a03086e97ab8fe96eb4a02e2e7f1290c6aa23e1bc2fe5f4cecb127b3fa6c9f*FSlYd4SaP0L3ZNfdLBd3jw*xdrd8k3KP1Hjuf2Lt4WhDo8wzkMgpIzOTjTw2pqWBjPaQXX0OpoEIF1bbRer5nFpnPBxCjt8k1XyW7GzI695sGECip56ZZPUqsoJrB24eu6Pe8GTSfY5oOkUCaX5KjQyxs3BYFA3pS_OCVFVxsddXrHgLk9qz7FesomKs4wPZ8E6_KHEbJYJdAnxOEMq3ti7f2OiOIdfnlKhLlPAApEHkXYVb0tAioyA2jO28_YwkbqMeB7HnKNvQq8tVpjeRPAV9WfNi15Y_hjsgj31D9WmLRY3jHhe6vEXUS6lm0mpEwf2_O3FSmTu0wMJzy5jMPx_-U7jkEM9j-9su1zy2waR6Yh459dVMrzgAhCOc4VLq87bfKE_8REhPdiXKdypyBd-SS0U82B2u1ok89SA9h4hvMycPTR3lmZLchfZFnW_NlEaaONzt2LF0plGVECFlRNPzR37_8sts2b3l5LyxfGrJXf8DjZJK49w45iymbvi8sKi-YjZmMuG9rT1KTi7Ju7q95Z83LoYsb3aCU9aydawmL97IHS-GNjJcCmHfYsq_hGRiemnY4ws5szYbBHfqA6THAC8DlUE0MYtdHdMfynrkfXllwN8DHrJZWzSE7WhHcFQl88VFwsBTw1eTw-xkc4YfPOu6rkMQoMdH8tZze0A8PuAfwYe-GWI8sdmycaJB88kqNmVsMfA8E_XJojOaGH2X-u0kZmduGxgcx2B0DK1Zlfu3p1uTkpNYgTX2GTwikyI8f_CF7uFwhjtDbgfT6l6FvfUNp7ObOvCK29JxCun_MDrDWnFWyEdmBtNv8qsXcGb02By02hh1P4xviT9NM-zYa2ApsjRq9GhZXzwNdgM_51M72G8KbKIYkkFsywLB_H-1WV82UNjfdzEYvWZ5xb3SzkiT7imvre4uS2hJF1S88Hajf-ySM4ebbMQENSk9LtCNIh1g_skzUAUJCK5Qc5biLQg_Hc_6-elWhz_xIbhtfqgoEHOjLf5zn3OWbvoqaC8MwC_N9rXqPqwrviMS9e7W3lNnnbB0OTIMEmHumpa5BzRXBZkfQ3G-5h3zm8FebghKt60VdGHjjIrlodFirRMBlLKh3Ng_d9PHjVJ5fkivflTEYEmT6Q7vtQfok83H17JhQhmv4AOm2c8c0nqiAGPY-ZPXiW5reLN6raj4QcgGqBAjgDlGEFy8iLS0V-c7QUGHU0V3CE7paPnh9CegMaD1Iv9LF-KzXGD3SZ1GyGH55x9xmIqBuQ0ZogxBVwGuTQ23jrj9PWxwAPWwQEsEbHGoMXhGwLmk2eddG4N_DbEszUnwZjFnQWLfasWFFdzr--LrCSRcKGvziWyohUTweSmzIlFhb6xyBjn37iRSWen3NGcGsE1RvrzeZAqTs70oOob_QZ54S8ezPWH7ZztxFfMfqAPRZelTIIX2kZdtLaJABrwhBfGO1cnoDM5OT7TtfEBIlYLSVt_1EYKpld4MVnEb2hC-6CgztMXiTH_jxG5NmG0VgHbqv_-yurDZCKliRLSSY_5zP7QUhBVwRtiAjp8zkjuz3i3yjLd7Rp50K5BdofBrpr3jn6pebEcH5Gsx9GFfYgXJKDMiu32vk32JDC56m9XNAnJ9b3f-uoZcIYcUXjfpMZAb3c1GPzwQXXwNB9Bjr0TYLVgv56ck4JJpJbR0uhzwAf2vs47C0LCWGjS0uH4suVjPWc4ZPF8WWU6Y_au010C5JWRmhIwOk-J6VBPJ3VSZzgQKME4rNKEJkHwCKJLEwyVN9FDVbIbxRvrnPNDRmnF06m9A5pd7vqneIiKcP_uZdBsL206XfoY0IwE2Cq8lohyKG4SBSMAeFZO40fS0e3jpGxJpqt0bUyybG5ULELBEdDV6f94aojXejnxdvFd0JEnIaJSfY_II9xllCXVRRPnv7sOjdft1JUEDyDO-ZkuVW6f23Pzp9EdV53NTswOOgm8XCyhMSzUq4_GmOZrw5SzXFGW3jRCnUlU2w5AaM__swhtwmBcQwV-hBN7xOa5zkhOY3sm7V6J-OYiwgm1GNLxUihGH68E7XWhWIATrW46H_X9WwylCl4Petw2kp5pf-_rJdT8o62IOEO6Xao7KvNDiTjaxMGsDhsrdKwkjUFUeHeYUaoFTlweqzeSUI2hZlmQAPdX34o10QUU5OGzyB5us3iXCv-oy5zQroXWlMrcLPhLBE06E2frdtj6PrsjknleiO2iDCWkFgSlupq1Mda0ADJ6AinOztnAFHOpcvL4qhsXoI55PjfYQl2IXerP14pxajj59UNPzPjYecOSY2l9ht1hyGLMUz1q7pSVUmKk6qsDs7v0hcL0LYPiILdbY4hlnAcbfiNMwndLnj6DLvr9gjJMTC9Gk-E6lZOyeVMp2oOeXIA83pX3Ituj7AlqdspbSnPXcg82DXEDso82lc4aN3j0qU3d6rFgATCV-rRHMXRLRjzHHZFOdq9y3Cg3NeH1-icvOLnB-Rmr6rslZ5VGLhdLHZAd5vuAoMSzU82p6hQ2ofmzH8XlvYvSQMTqEN3nyhdOy09zvIDUtt1ppqxXaTwSVI9j5geqR2lEDDK-PCQ62w4mEPP3k1Tx0Szg1FO-O7Qg9l_UPv_6HQlx_QkH5WsLYmhLWWK1qKqGXSOgdauikCD11UrN33dDMPeJ7d_9hkyv7tiRtEIlivRu23Yif9gGdHVw_Yfm-ZHQq9XG-9dWiFU_Hd363yj34tQnsuIMY9iKOQ_2LlCqYDlWe9LCt_7Lu0Wdp6JW6tizy6dEZIyRY5q0Of2VnEdZr2K5xeIq2XmMnOobWdkp2BxppGzhcILQTBcf7bSv_VMycMPf4MFmmnr_8hZXAbkobbkhN9bilw7T5T1sYWjcsoHpFG6RZt3ms8hDRVbXDq7nYEu99ZcBsiByDnfHI9sD3JFdOlrYEDM7Kv2aZAL7r6tUwoiEEUkVG_0psX0hnBsLRrBfVJeR3vsBHFsjhWEHA1UHhKPAdnJBWAihuCo-W5QlJeUKwDYY3Fz-OGUSCVqsWKHucXa9hgh2H82AO5QbO8zh-mVauVC_GYEp6H8c7tG6ZqQVmtjNmXtMOD85s1sl7tkPcWERdas0z4oKGLAg7maAl8Zf_HKMJRM8YUKG_nL1JvkLkDQLhEVyO0Tk10NHZ6rgmg2NWK8QRYcHaeAscklKnggm7OPtkPNcIWrLa6EfDSRlgasT9-5BdHmTZIw9C7pHeTINJPGU4V4v21Fhs524TBd8sxHJ13fHlnRCvEc8ULhXJAeh-23sXtVriknRNfHYxGP_EFaXdvyVvUrKV_RnltJ-qNZtCnJDW5nTWtCivI012iYZ6gBdHGutRUvJDLvSHPQwNnbLWruEABajjAn_n7w_gMFMQ_31Xd3KYzbEmD3U1kgy5DDbsKM6cvENQLVqHPVtcTtTXK0IIsGkzVOGdXg8vckYrIWcORvcgNzjEra-3Wd9ldw9CVqJ6Uocr_DBDMdyW7uQzKW_tpK_ys3AYOkFEiq_V0x3SufSa16iECQVQ5dExKNDM72IS_KxXvsdo3Kk9-g-n3on7juvbM-8iBWY-j7gsef2JrswN5bVxOD9aO7_aquPFEA9xpcxb6HS5K91WDpQ7n-dHyk33KWM2UNo879HR8hJKI1IT1JQXMo8VuFp79GIDqPLPqD889GSztsMfU2rc0xVu9pZ_R27bPWXkNbzMNTivyJOoc25uW1An2X19jjYtYngCTALNC_zWnGROuhY5VQU_0M71wGuPw6CwpGJf3-w19LEyP7rsOKdZPFGj16dIV5vTdhT4S_pocBJ_1mkHrpxDRpqji8Gr_mHIbsQjDJThlyIgYGyFWTuOy_Ej8pwkoN12d8IPfYZ3sfuMepMpQyBNopeVlaofDO2J5cVnoR2yytOEnhKRLLOejAyh6BnOpT9FZUSERN0Z6yr0HcJpQTpUuRCli-57-u6ZTYJknkoPdXL5U_wGg4_abo7OD1DDn2d7I_cMIrmju8OA3kLN_NXMkGGEcOHHFTDk7u8ksZCq4zyPQUqSsP0YwYSdBIq8IN9VaC7ZGorsnwRoXNMkFJWjxZ2y-ky3qi7yYcl4hZ93Vmeh5C-7ljP19V9n4wGcEkrI_8ku11lad-RxIrPYSBfg_qOU9RBGpCgbYNV99vRVtCZkoLi-ywRhpiwhsN2xI60xdXPBTI0Xm3zgz2ABYALd-Uz5644kBom7YH6aTiomA_2M7aICx6C1aFfwJGrk16chtUVgC7Bxr_DacgIZolohD2e-Yuujhg4B8ExK7umAabtyp9wQMyzZYlacQhhWReCDg9mnzJjdhEr_jL0VhIgOTgppwPmdvYblZ87scfQonwBaKABstSg53Pv-qs-Qx06n3DMv6u3txLf8H6hNUMyyVSbNRWph982oTuPJgl9pLzCg6mLyvcUKfCulqhTUOs49Oa1zmHP1a_yhncMDnpYYDprD30RhGgE5ogST8eyYAcaBsxOEhTBs_IV1wpZ61TOMA5zzml0JgoJeIKk7b1Mkblkj0H0d8Auiznsell_53MWL_06YP7eWcZzwzXTPON2_F_B96UHgLtwIVhBQGaCDqWAKn9OrKOn28UCF8hbXxgz-FM5KUVxFnAgAmSxCA-GSiNwS7PbQdpSlNSohz_YqHW4tkYzxYyhpEwYEXc8qkpOhb2Ch1eLwfD1JXzl2Nhbktmj-ueoFHvb97DlCMTPGacPjmMmeqda-VHbwNOBMP_xjiZY7VgHZiMAsYeRXUSnV3_rVNBcWvs_itfxB0IJkqt-eU1X71gegqJxYwHRofbsCsEFoNMxRwDNpcoLjcgkNqAwVcwB43U68_ghi9Mn5mvsNWZ8hocXHBe5Jz3Bu5Ra5ZLMWJ_SZZAunk_1neJfawdHAqBewg1vn8Xt53nYBvsB-b_Cpc4uiilC5QJL8Eg2tqeLlUM9ryujX0jaNlh8qX3bgk5XQO0G8plBVslQxYeISd3EHNRGBYYuCLM6mZHmFyKJPusqlBH3tPBm8ISq0gxBSlfjC9BywkTs705B-BZuAjTxny1pETEUgKB2TU-Gi-x6hizE5yoVPUqwMIJXbMMs**c6a346201b1aaf63a6ce0f90556c503d18f015ee732ee8402a7ac36abbbe2d97*saqGCpGy6l-o6EVqXb5IgT2Y6vVfanx6_tGEU1AsShI; HttpOnly; Path=/
< content-length: 508
content-length: 508
< accept-ranges: bytes
accept-ranges: bytes
< Date: Fri, 13 Oct 2023 09:01:43 GMT
Date: Fri, 13 Oct 2023 09:01:43 GMT
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=120
Keep-Alive: timeout=120

< 
* Connection #0 to host localhost left intact
{"user":"User [name=onamaya, backend_roles=[opensearch_search_all_role], requestedTenant=]","user_name":"onamaya","has_api_access":true,"disabled_endpoints":{}}

Accesing permalink with url_param and capturing network traffic. Internal calls loss url params and fails to Authenticate:

GET /app/dashboards?jwtToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiNjFiMjU2YTAtOTEyNS00NDhlLWI2OWQtNWViYjdiYTZhNjI1IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTcxODM1MDUsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTcxODgwMTMsInNlc3Npb25fc3RhdGUiOiI2MWIyNTZhMC05MTI1LTQ0OGUtYjY5ZC01ZWJiN2JhNmE2MjUiLCJpYXQiOjE2OTcxODc0MTMsImp0aSI6IjhhZGJhMjRiLWJmNWItNDAyMC1iZjNlLTU5ZWM1NTdmNjVjYSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiMWJhOWY4NWQtZjEyMi00N2FmLThiNGQtODg4Yzc2ODZkMmE3IiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjpudWxsLCJyb2xlcyI6WyJBZG1pbmlzdHJhdG9ycyIsImV2ZXJ5b25lIiwiRW5yaWNobWVudCIsIlBsYXRmb3JtIEFkbWluIiwiUGxhdGZvcm0gV0YgRGVzaWduZXIiLCJNaWdyYXRpb24iLCJMb3dDb2RlIFdGIERlc2lnbmVyIiwiUGlja2xpc3QiLCJQdWJsaXNoaW5nIiwiSW5nZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJNb25pdG9yaW5nIE1hbmFnZW1lbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIm9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlIiwiSW5nZXN0IE1hbmFnZW1lbnQiLCJMb3dDb2RlIFdGIFZpZXdlciIsIkxpdmUiLCJTY2hlZHVsaW5nIiwiVGVuYW50IEFkbWluIiwiU2l0ZSBBZG1pbiIsIkV4Y2hhbmdlIiwiRGV2ZWwiLCJTaGFyZWQgU2l0ZSBBZG1pbiIsIlRlZGlhbCBPcHMiLCJEZWxpdmVyeSIsIkNvbGxhYm9yYXRpb25zIiwiZGVmYXVsdC1yb2xlcy10ZWRpYWwiXX0sInJvbGVzIjoiQWRtaW5pc3RyYXRvcnMsZXZlcnlvbmUsRW5yaWNobWVudCxQbGF0Zm9ybSBBZG1pbixQbGF0Zm9ybSBXRiBEZXNpZ25lcixNaWdyYXRpb24sTG93Q29kZSBXRiBEZXNpZ25lcixQaWNrbGlzdCxQdWJsaXNoaW5nLEluZ2VzdCxvZmZsaW5lX2FjY2VzcyxNb25pdG9yaW5nIE1hbmFnZW1lbnQsdW1hX2F1dGhvcml6YXRpb24sb3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUsSW5nZXN0IE1hbmFnZW1lbnQsTG93Q29kZSBXRiBWaWV3ZXIsTGl2ZSxTY2hlZHVsaW5nLFRlbmFudCBBZG1pbixTaXRlIEFkbWluLEV4Y2hhbmdlLERldmVsLFNoYXJlZCBTaXRlIEFkbWluLFRlZGlhbCBPcHMsRGVsaXZlcnksQ29sbGFib3JhdGlvbnMsZGVmYXVsdC1yb2xlcy10ZWRpYWwiLCJ0ZW5hbnQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiJ9.Im4-elkLPMhdVNbfbfLsrfc-mOlVshHsgU1piISl13CldiKe3BkPycDq1hiIrZB1YbfLUNKH0hk3oRVEzOkhrw&security_tenant=global HTTP/1.1
Host: localhost:5601
Connection: keep-alive
sec-ch-ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9,en;q=0.8

HTTP/1.1 200 OK


.....


GET /api/v1/restapiinfo HTTP/1.1
Host: localhost:5601
Connection: keep-alive
sec-ch-ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Content-Type: application/json
osd-xsrf: osd-fetch
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
osd-version: 2.10.0
sec-ch-ua-platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:5601/app/dashboards?jwtToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiNjFiMjU2YTAtOTEyNS00NDhlLWI2OWQtNWViYjdiYTZhNjI1IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTcxODM1MDUsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTcxODgwMTMsInNlc3Npb25fc3RhdGUiOiI2MWIyNTZhMC05MTI1LTQ0OGUtYjY5ZC01ZWJiN2JhNmE2MjUiLCJpYXQiOjE2OTcxODc0MTMsImp0aSI6IjhhZGJhMjRiLWJmNWItNDAyMC1iZjNlLTU5ZWM1NTdmNjVjYSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiMWJhOWY4NWQtZjEyMi00N2FmLThiNGQtODg4Yzc2ODZkMmE3IiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjpudWxsLCJyb2xlcyI6WyJBZG1pbmlzdHJhdG9ycyIsImV2ZXJ5b25lIiwiRW5yaWNobWVudCIsIlBsYXRmb3JtIEFkbWluIiwiUGxhdGZvcm0gV0YgRGVzaWduZXIiLCJNaWdyYXRpb24iLCJMb3dDb2RlIFdGIERlc2lnbmVyIiwiUGlja2xpc3QiLCJQdWJsaXNoaW5nIiwiSW5nZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJNb25pdG9yaW5nIE1hbmFnZW1lbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIm9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlIiwiSW5nZXN0IE1hbmFnZW1lbnQiLCJMb3dDb2RlIFdGIFZpZXdlciIsIkxpdmUiLCJTY2hlZHVsaW5nIiwiVGVuYW50IEFkbWluIiwiU2l0ZSBBZG1pbiIsIkV4Y2hhbmdlIiwiRGV2ZWwiLCJTaGFyZWQgU2l0ZSBBZG1pbiIsIlRlZGlhbCBPcHMiLCJEZWxpdmVyeSIsIkNvbGxhYm9yYXRpb25zIiwiZGVmYXVsdC1yb2xlcy10ZWRpYWwiXX0sInJvbGVzIjoiQWRtaW5pc3RyYXRvcnMsZXZlcnlvbmUsRW5yaWNobWVudCxQbGF0Zm9ybSBBZG1pbixQbGF0Zm9ybSBXRiBEZXNpZ25lcixNaWdyYXRpb24sTG93Q29kZSBXRiBEZXNpZ25lcixQaWNrbGlzdCxQdWJsaXNoaW5nLEluZ2VzdCxvZmZsaW5lX2FjY2VzcyxNb25pdG9yaW5nIE1hbmFnZW1lbnQsdW1hX2F1dGhvcml6YXRpb24sb3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUsSW5nZXN0IE1hbmFnZW1lbnQsTG93Q29kZSBXRiBWaWV3ZXIsTGl2ZSxTY2hlZHVsaW5nLFRlbmFudCBBZG1pbixTaXRlIEFkbWluLEV4Y2hhbmdlLERldmVsLFNoYXJlZCBTaXRlIEFkbWluLFRlZGlhbCBPcHMsRGVsaXZlcnksQ29sbGFib3JhdGlvbnMsZGVmYXVsdC1yb2xlcy10ZWRpYWwiLCJ0ZW5hbnQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiJ9.Im4-elkLPMhdVNbfbfLsrfc-mOlVshHsgU1piISl13CldiKe3BkPycDq1hiIrZB1YbfLUNKH0hk3oRVEzOkhrw&security_tenant=global
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9,en;q=0.8

HTTP/1.1 401 Unauthorized
osd-name: f3445ef669e8
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
content-length: 66
Date: Fri, 13 Oct 2023 08:58:47 GMT
Connection: keep-alive
Keep-Alive: timeout=120

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

GET /api/v1/configuration/account HTTP/1.1
Host: localhost:5601
Connection: keep-alive
sec-ch-ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Content-Type: application/json
osd-xsrf: osd-fetch
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
osd-version: 2.10.0
sec-ch-ua-platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:5601/app/dashboards?jwtToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiNjFiMjU2YTAtOTEyNS00NDhlLWI2OWQtNWViYjdiYTZhNjI1IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTcxODM1MDUsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTcxODgwMTMsInNlc3Npb25fc3RhdGUiOiI2MWIyNTZhMC05MTI1LTQ0OGUtYjY5ZC01ZWJiN2JhNmE2MjUiLCJpYXQiOjE2OTcxODc0MTMsImp0aSI6IjhhZGJhMjRiLWJmNWItNDAyMC1iZjNlLTU5ZWM1NTdmNjVjYSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiMWJhOWY4NWQtZjEyMi00N2FmLThiNGQtODg4Yzc2ODZkMmE3IiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjpudWxsLCJyb2xlcyI6WyJBZG1pbmlzdHJhdG9ycyIsImV2ZXJ5b25lIiwiRW5yaWNobWVudCIsIlBsYXRmb3JtIEFkbWluIiwiUGxhdGZvcm0gV0YgRGVzaWduZXIiLCJNaWdyYXRpb24iLCJMb3dDb2RlIFdGIERlc2lnbmVyIiwiUGlja2xpc3QiLCJQdWJsaXNoaW5nIiwiSW5nZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJNb25pdG9yaW5nIE1hbmFnZW1lbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIm9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlIiwiSW5nZXN0IE1hbmFnZW1lbnQiLCJMb3dDb2RlIFdGIFZpZXdlciIsIkxpdmUiLCJTY2hlZHVsaW5nIiwiVGVuYW50IEFkbWluIiwiU2l0ZSBBZG1pbiIsIkV4Y2hhbmdlIiwiRGV2ZWwiLCJTaGFyZWQgU2l0ZSBBZG1pbiIsIlRlZGlhbCBPcHMiLCJEZWxpdmVyeSIsIkNvbGxhYm9yYXRpb25zIiwiZGVmYXVsdC1yb2xlcy10ZWRpYWwiXX0sInJvbGVzIjoiQWRtaW5pc3RyYXRvcnMsZXZlcnlvbmUsRW5yaWNobWVudCxQbGF0Zm9ybSBBZG1pbixQbGF0Zm9ybSBXRiBEZXNpZ25lcixNaWdyYXRpb24sTG93Q29kZSBXRiBEZXNpZ25lcixQaWNrbGlzdCxQdWJsaXNoaW5nLEluZ2VzdCxvZmZsaW5lX2FjY2VzcyxNb25pdG9yaW5nIE1hbmFnZW1lbnQsdW1hX2F1dGhvcml6YXRpb24sb3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUsSW5nZXN0IE1hbmFnZW1lbnQsTG93Q29kZSBXRiBWaWV3ZXIsTGl2ZSxTY2hlZHVsaW5nLFRlbmFudCBBZG1pbixTaXRlIEFkbWluLEV4Y2hhbmdlLERldmVsLFNoYXJlZCBTaXRlIEFkbWluLFRlZGlhbCBPcHMsRGVsaXZlcnksQ29sbGFib3JhdGlvbnMsZGVmYXVsdC1yb2xlcy10ZWRpYWwiLCJ0ZW5hbnQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiJ9.Im4-elkLPMhdVNbfbfLsrfc-mOlVshHsgU1piISl13CldiKe3BkPycDq1hiIrZB1YbfLUNKH0hk3oRVEzOkhrw&security_tenant=global
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9,en;q=0.8

HTTP/1.1 401 Unauthorized
osd-name: f3445ef669e8
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
content-length: 66
Date: Fri, 13 Oct 2023 08:58:47 GMT
Connection: keep-alive
Keep-Alive: timeout=120

...
@dbanshee dbanshee added bug Something isn't working untriaged labels Oct 13, 2023
@manasvinibs
Copy link
Member

Hi @dbanshee
Thanks for reaching out! Can you share a recorded video of the issue you are facing to re-pro?

@opensearch-project/admin Could you please help transfer this to Dashboards security team to look into?

@gaiksaya gaiksaya transferred this issue from opensearch-project/OpenSearch-Dashboards Oct 19, 2023
@cwperks cwperks added triaged help wanted Extra attention is needed, need help from community and removed untriaged triaged labels Oct 23, 2023
@cwperks
Copy link
Member

cwperks commented Oct 23, 2023

[Triage] @dbanshee Thank you for filing this issue and providing an example configuration. @RyanL1997 Can you confirm if you can reproduce the issue from the description?

@RyanL1997
Copy link
Collaborator

For the case without the iframe, I wasn't able to create the issue. I will go thru provided configuration again, but what I have found that:

set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/

The expiration on this doesn't seem correct.

@dbanshee
Copy link
Author

Hi again. I'll provide another example. Hope it helps.

Video showing infinite loop on browser

Dashboard link generated by Open-dashboards (added manually jwtToken url_param

http://l:5601/app/dashboards?jwtToken=
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI2MTZhMDFiYS0zNjQ3LTRiYTQtYjBlMy1jYzdhNDI0ZTkzYzgiLCJ0ZW5hbnRfaWQiOiJ0ZWRpYWxfc3dvcmtkZXYwMiIsIkdyb3VwIjpbIkFkbWluaXN0cmF0b3JzIiwiZXZlcnlvbmUiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwiZGVsZXRlLWFjY291bnQiLCJtYW5hZ2UtY29uc2VudCIsInZpZXctcHJvZmlsZSJdfX0sImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sImlzcyI6InZveWFnZXItZ3ciLCJ0eXAiOiJCZWFyZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbmFtYXlhIiwic2lkIjoiODJjZTFlNzgtMzAwOC00ZTAzLWIyYjQtNDZiODJkN2ZkYjc0IiwiYWNyIjoiMCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJFbnJpY2htZW50IiwiUGxhdGZvcm0gQWRtaW4iLCJQbGF0Zm9ybSBXRiBEZXNpZ25lciIsIk1pZ3JhdGlvbiIsIkxvd0NvZGUgV0YgRGVzaWduZXIiLCJQaWNrbGlzdCIsIlB1Ymxpc2hpbmciLCJJbmdlc3QiLCJvZmZsaW5lX2FjY2VzcyIsIk1vbml0b3JpbmcgTWFuYWdlbWVudCIsInVtYV9hdXRob3JpemF0aW9uIiwib3BlbnNlYXJjaF9zZWFyY2hfYWxsX3JvbGUiLCJJbmdlc3QgTWFuYWdlbWVudCIsIkxvd0NvZGUgV0YgVmlld2VyIiwiTGl2ZSIsIlNjaGVkdWxpbmciLCJUZW5hbnQgQWRtaW4iLCJTaXRlIEFkbWluIiwiRXhjaGFuZ2UiLCJEZXZlbCIsIlNoYXJlZCBTaXRlIEFkbWluIiwiVGVkaWFsIE9wcyIsIkRlbGl2ZXJ5IiwiQ29sbGFib3JhdGlvbnMiLCJkZWZhdWx0LXJvbGVzLXRlZGlhbCJdfSwiYXpwIjoicGxhdGZvcm0tdWkiLCJhdXRoX3RpbWUiOjE2OTg3NDIyNDEsInNjb3BlIjoib3BlbmlkIG9wZW5zZWFyY2hfc2NvcGUgdGVuYW50X2lkIGVtYWlsIHByb2ZpbGUiLCJleHAiOjE2OTg3NDQ4MzIsInNlc3Npb25fc3RhdGUiOiI4MmNlMWU3OC0zMDA4LTRlMDMtYjJiNC00NmI4MmQ3ZmRiNzQiLCJpYXQiOjE2OTg3NDQyMzIsImp0aSI6IjA4MzA3YTlmLTViN2UtNGEwZC1hYzYzLTViM2E2NWE1NmY2ZSIsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJvcGVuc2VhcmNoX3JvbGVzIjpbIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl0sImdpdmVuX25hbWUiOiJvc2NhciIsIm5vbmNlIjoiNjc3MDJmNWUtNWU3Ni00MGZmLTg5MzktZThhZTlkZWZhZGZiIiwiYXVkIjpbImFjY291bnQiXSwibmFtZSI6Im9zY2FyIGFtYXlhIiwiZmFtaWx5X25hbWUiOiJhbWF5YSIsInVzZXIiOnsiaWQiOjAsIm5hbWUiOiJvbmFtYXlhIiwiZGVzY3JpcHRpb24iOm51bGwsImVtYWlsIjoib25hbWF5YUB0ZWRpYWwuY29tIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjoiIiwicm9sZXMiOlsiQWRtaW5pc3RyYXRvcnMiLCJldmVyeW9uZSIsIkVucmljaG1lbnQiLCJQbGF0Zm9ybSBBZG1pbiIsIlBsYXRmb3JtIFdGIERlc2lnbmVyIiwiTWlncmF0aW9uIiwiTG93Q29kZSBXRiBEZXNpZ25lciIsIlBpY2tsaXN0IiwiUHVibGlzaGluZyIsIkluZ2VzdCIsIm9mZmxpbmVfYWNjZXNzIiwiTW9uaXRvcmluZyBNYW5hZ2VtZW50IiwidW1hX2F1dGhvcml6YXRpb24iLCJvcGVuc2VhcmNoX3NlYXJjaF9hbGxfcm9sZSIsIkluZ2VzdCBNYW5hZ2VtZW50IiwiTG93Q29kZSBXRiBWaWV3ZXIiLCJMaXZlIiwiU2NoZWR1bGluZyIsIlRlbmFudCBBZG1pbiIsIlNpdGUgQWRtaW4iLCJFeGNoYW5nZSIsIkRldmVsIiwiU2hhcmVkIFNpdGUgQWRtaW4iLCJUZWRpYWwgT3BzIiwiRGVsaXZlcnkiLCJDb2xsYWJvcmF0aW9ucyIsImRlZmF1bHQtcm9sZXMtdGVkaWFsIl19LCJyb2xlcyI6IkFkbWluaXN0cmF0b3JzLGV2ZXJ5b25lLEVucmljaG1lbnQsUGxhdGZvcm0gQWRtaW4sUGxhdGZvcm0gV0YgRGVzaWduZXIsTWlncmF0aW9uLExvd0NvZGUgV0YgRGVzaWduZXIsUGlja2xpc3QsUHVibGlzaGluZyxJbmdlc3Qsb2ZmbGluZV9hY2Nlc3MsTW9uaXRvcmluZyBNYW5hZ2VtZW50LHVtYV9hdXRob3JpemF0aW9uLG9wZW5zZWFyY2hfc2VhcmNoX2FsbF9yb2xlLEluZ2VzdCBNYW5hZ2VtZW50LExvd0NvZGUgV0YgVmlld2VyLExpdmUsU2NoZWR1bGluZyxUZW5hbnQgQWRtaW4sU2l0ZSBBZG1pbixFeGNoYW5nZSxEZXZlbCxTaGFyZWQgU2l0ZSBBZG1pbixUZWRpYWwgT3BzLERlbGl2ZXJ5LENvbGxhYm9yYXRpb25zLGRlZmF1bHQtcm9sZXMtdGVkaWFsIiwidGVuYW50IjoidGVkaWFsX3N3b3JrZGV2MDIiLCJzaXRlIjoiIn0._oHVPy9PTEJbpoZjzQNSqqyK0rTJjVG8sj0VHSBAAtiebFD6zDqp3x_P4WHLlg8okF-flBX5uRwHW9J7U6CJYg&security_tenant=global#/view/88784cf0-9f9d-11ec-9b44-4d7f75aed853

Full opensearch config file:

---
cluster.name: docker-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Full opensearch security config file:

---

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #private_tenant_enabled: true
    #default_tenant: ""
    #server_username: kibanaserver
    #index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            # Shared Secret from AuthService
            signing_key: "<my_secret>"
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: opensearch_roles
            subject_key: preferred_username
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          #config goes here ...

Full opensearch-dashboards config file:

opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
server.host: '0.0.0.0'

opensearch_security.auth.type: "jwt"
opensearch_security.jwt.url_param: jwtToken
opensearch_security.jwt.enabled: true

Full tcpdump when access the permalink on chrome (captured on 5601 port)
capture_file

@stephen-crawford
Copy link
Contributor

Hey @RyanL1997 can you follow-up on this again? Thanks.

@RyanL1997
Copy link
Collaborator

Hi @dbanshee thanks for the details. After some investigation, I still couldn't reproduce the loop on my local, however, I do have trouble to access to permlink of dashboard with jwt param added:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

I'm actively looking into it and I will update my setup in the next comment.

@dbanshee
Copy link
Author

Thanks @RyanL1997 let me know if you need anything.

@stephen-crawford
Copy link
Contributor

Hi @dbanshee, were you able to address this issue or did you work with @RyanL1997 to? If not, we will need to revisit this.

@dbanshee
Copy link
Author

Hello @scrawfor99.

I still have the problem. All I know is what is in this thread.

@stephen-crawford
Copy link
Contributor

[Triage] Thanks for following up @dbanshee. Going to mark this bug as triaged so that someone takes a look.

@cwperks
Copy link
Member

cwperks commented Dec 14, 2023

@dbanshee I was able to replicate your issue and see now that its due to the JWT being too large. If its possible to reduce the size of the token, that could help get you immediately beyond this issue, but a longer term fix could be to extend #1352 to the JWT backend as well.

I made a POC on a branch here which resolves the issue, but need to add tests to verify the behavior.

@dbanshee
Copy link
Author

thank you @cwperks
This workaround is very useful.
It would be great if the limit was higher in future releases, but maybe we can clean up our token in the meantime.

@cwperks cwperks mentioned this issue Dec 18, 2023
Merged
3 tasks
@cwperks
Copy link
Member

cwperks commented Apr 24, 2024

Closing this ticket as resolved. Cookie splitting was extended to JWT authentication.

@cwperks cwperks closed this as completed Apr 24, 2024
@dbanshee
Copy link
Author

Thanks for all @cwperks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed, need help from community triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dbanshee @cwperks @stephen-crawford @manasvinibs @RyanL1997