[Security] Use refresh token for any access token error with 401 status code and re-initiate SAML handshake for any refresh token error with 400 status code #33646
Labels: enhancement, Feature:Security/Authentication, Team:Security
Currently Kibana tries to use refresh token only if it gets access token error with `token expired` description and also automatically re-initiates SAML handshake only if refreshing fails with one of these errors, otherwise we just return error to the user:

Based on conversations in elastic/elasticsearch#39808 (comment) and #22905 (comment) it seems it'd make sense to NOT analyze specific reason (`error_description` or `reason` fields of the error) and try to use refresh token for any access token error with 401 status code and re-initiate SAML handshake for any refresh token error with 400 status code.

Depends on elastic/elasticsearch#38866 (we added a special handling of 500 error with a specific error message that we'll get rid of once ES issue is resolved)

Fixes #22905
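A sketch of the status-code-based flow this issue proposes, added here as an illustration and not taken from Kibana's code base. The `es` client, its `getUser`/`refresh` methods, the `statusCode` property and the action names are assumptions, and the calls are synchronous only to keep the sketch short.

```javascript
// Added example, not Kibana's implementation. `es` is a hypothetical client
// whose methods throw errors carrying a numeric `statusCode`.
function authenticateWithTokens(es, session) {
  try {
    return { action: 'succeeded', user: es.getUser(session.accessToken), session };
  } catch (err) {
    // Any 401 on the access token leads to a refresh attempt;
    // error_description / reason are deliberately not inspected.
    if (err.statusCode !== 401) return { action: 'failed', error: err };
  }
  let refreshed;
  try {
    refreshed = es.refresh(session.refreshToken);
  } catch (err) {
    // Any 400 on refresh means the token pair is unusable: start a new SAML handshake.
    if (err.statusCode === 400) return { action: 'restartSamlHandshake' };
    return { action: 'failed', error: err };
  }
  try {
    return { action: 'succeeded', user: es.getUser(refreshed.accessToken), session: refreshed };
  } catch (err) {
    // A freshly issued token that is still rejected is reported, not retried in a loop.
    return { action: 'failed', error: err };
  }
}

// Constructed stand-in backend used to exercise the flow offline.
function fakeEs({ validAccess, validRefresh, accessStatus = 401, refreshStatus = 400 }) {
  const fail = (statusCode, text) => Object.assign(new Error(text), { statusCode });
  return {
    getUser(token) {
      if (token === validAccess) return { username: 'alice' };
      throw fail(accessStatus, 'constructed wording the caller must not depend on');
    },
    refresh(token) {
      if (token === validRefresh) return { accessToken: validAccess, refreshToken: 'r2' };
      throw fail(refreshStatus, 'constructed refresh failure');
    },
  };
}
```

Because only the status code is read, a change in the wording of the error returned by the token API does not alter which branch is taken.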