Description
Kibana version: Tested on 7.5.1 and 7.5.3, likely exists in other versions.
Describe the bug:
When Kibana is configured to use an auth provider which leverages the ES Token service (essentially anything except the basic auth provider), then viewing a Canvas workpad will eventually fail for users due to an expired session.
Kibana's security plugin is responsible for automatically refreshing these token-backed sessions, but the /api/interpreter/fns route has special handling which is preventing the security plugin from sending the updated session cookie to the end-user.
When viewing a Canvas workpad on auto-refresh, often the only request made to Kibana is /api/interpreter/fns. Since this is the only route getting hit, and this route does not send the cookie correctly, we end up ending the user's session.
Steps to reproduce:
- Configure Kibana with the token auth provider, or a similar provider
- Create a Canvas workpad, set to auto-refresh. It's important that this workpad does not use a Timelion data source.
- Wait 20 minutes
- Notice the workpad fails to update after ~20 minutes, and the user session is terminated.
Expected behavior:
The session should be refreshed via a Set-Cookie response header, like all other Kibana routes.
Any additional context:
https://discuss.elastic.co/t/losing-a-session-in-a-canvas
Big thanks to Dennis_Rietvink for reporting and helping diagnose the issue.
Workaround
Including a Timelion expression as part of your workpad should work around this issue, as this calls a different endpoint, which correctly handles session updates.
/cc @elastic/kibana-security
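The failure mode described above (a token-backed session that is refreshed by the auth layer, a route that drops the refreshed Set-Cookie, and a workpad whose auto-refresh only ever hits that route) can be reproduced offline with a small simulation. This is an added example, not Kibana code or code from the reporter: the 20-minute token lifetime, the 5-minute refresh window, and the `authenticate`, `goodRoute`, `leakyRoute` and `simulate` names are all assumptions made for the model. It also covers the workaround: adding a second, well-behaved route to the same refresh cycle keeps the session alive.

```javascript
// Model of a token-backed session refreshed by an auth layer, and of a route
// whose special response handling discards the refreshed cookie.
// Hypothetical simulation only; not Kibana's or the ES Token service's code.

const TOKEN_LIFETIME = 20; // minutes a session token is valid (assumed)
const REFRESH_WINDOW = 5;  // refresh once this many minutes remain (assumed)

// Server-side auth layer: validates the session cookie and, when the token is
// close to expiry, issues a refreshed one as a header the route must forward.
function authenticate(cookie, now) {
  if (!cookie || now >= cookie.expiresAt) return { ok: false, headers: {} };
  const headers = {};
  if (cookie.expiresAt - now <= REFRESH_WINDOW) {
    headers['set-cookie'] = { expiresAt: now + TOKEN_LIFETIME };
  }
  return { ok: true, headers };
}

// A well-behaved route: its response carries the auth layer's headers,
// so the client receives the refreshed cookie.
function goodRoute(cookie, now) {
  const auth = authenticate(cookie, now);
  if (!auth.ok) return { status: 401, headers: {} };
  return { status: 200, headers: { ...auth.headers } };
}

// A route with "special handling": it builds its own response and never
// copies the auth layer's headers, so Set-Cookie is silently lost.
function leakyRoute(cookie, now) {
  const auth = authenticate(cookie, now);
  if (!auth.ok) return { status: 401, headers: {} };
  return { status: 200, headers: {} }; // auth.headers dropped here
}

// Client-side: a workpad auto-refreshing every `interval` minutes that calls
// each of `routes` per tick and stores any Set-Cookie it receives.
// Returns the minute at which the session died, or null if it survived.
function simulate(routes, { interval = 1, duration = 60 } = {}) {
  let cookie = { expiresAt: TOKEN_LIFETIME }; // fresh login at minute 0
  for (let now = interval; now <= duration; now += interval) {
    for (const route of routes) {
      const res = route(cookie, now);
      if (res.status === 401) return now;
      if (res.headers['set-cookie']) cookie = res.headers['set-cookie'];
    }
  }
  return null;
}

// Only the leaky route is hit: the session dies at the token lifetime.
console.log('leaky only:', simulate([leakyRoute]));            // 20
// Only a well-behaved route is hit: the session is kept alive.
console.log('good only:', simulate([goodRoute]));              // null
// Workaround: a second route that forwards the cookie keeps it alive.
console.log('leaky + good:', simulate([leakyRoute, goodRoute])); // null
```

The same idea applies to a live check: with a token-backed provider configured, watch the responses of the single route a workpad polls and confirm that one of them carries a Set-Cookie header before the token's lifetime elapses; if none does, that route is the one terminating the session.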