Collect usage data on proxy-based authentication mechanisms #117517

Closed
legrego opened this issue Nov 4, 2021 · 1 comment · Fixed by #129302
Labels
Feature:Telemetry impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. loe:medium Medium Level of Effort Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

legrego commented Nov 4, 2021

Most users who run with security enabled log in using Kibana's built-in login flows, for both internal and external authentication realms.

Some setups are a bit more esoteric. Users with unique auth needs will sometimes place a reverse-proxy in front of Kibana, and have the proxy pass an Authorization header to Kibana. This will cause us to bypass the login form altogether.

Users authenticating via an Authorization header lack the following features:

  • Session management (login, logout, session idle timeout, session lifespan)
  • Access agreement

As we build more features on top of user sessions, it is becoming increasingly important to understand when human users have authenticated to Kibana in this way. We should collect usage data to record:

  • How often interactive/human users authenticate in this manner
  • Which authentication scheme is used (e.g. basic, bearer, ApiKey, etc.)

Note that we do not need to record machine/API access. We should only record this information when Kibana is loaded in a browser for interactive use.

High-level thoughts:

  1. Determine if the user is within an "interactive session". In other words, we want to ensure that this is not programmatic/API access. This can be accomplished simply by running code in the client-side security plugin, as this will never be executed by a conventional API call.
  2. If an interactive session is detected, then we want to record the following from the AuthenticatedUser model:
    • authentication_realm.type
    • lookup_realm.type
    • authentication_provider.type
    • authentication_type
  3. We should make every effort to not over-record this information. While these users don't have a real Kibana session, we should explore other means of detecting a session, such as sessionStorage, so that we do not record this information too frequently.
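One way to implement the three steps above inside the client-side plugin, as an added TypeScript example that is not Kibana's own code: it assumes the HTTP authentication provider reports its type as `http`, and takes a Storage-like object (window.sessionStorage in a real browser) so the logic can run and be tested anywhere.

```typescript
// Added example: report header-based (reverse-proxy) authentication once per
// browser session. Assumptions: the HTTP provider type is 'http', and the
// storage object is passed in (window.sessionStorage in the real plugin).

interface AuthenticatedUserLike {
  authentication_realm: { type: string; name: string };
  lookup_realm: { type: string; name: string };
  authentication_provider: { type: string; name: string };
  authentication_type: string;
}

// Minimal subset of the Web Storage API that the collector needs.
interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
class MemoryStorage implements StorageLike {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
}

// The four AuthenticatedUser fields from item 2 above, flattened into one record.
interface ProxyAuthUsage {
  authentication_realm_type: string;
  lookup_realm_type: string;
  authentication_provider_type: string;
  authentication_type: string;
}

const HTTP_PROVIDER_TYPE = 'http';                       // assumption, see lead-in
const RECORDED_KEY = 'security.proxyAuthUsageRecorded';  // constructed key name

// Step 1 is implied by where this runs (the browser plugin, never an API call).
// Step 2 builds the record; step 3 uses storage so the same tab/session is not
// counted again on every page load. Returns null when nothing should be sent.
function collectProxyAuthUsage(user: AuthenticatedUserLike, storage: StorageLike): ProxyAuthUsage | null {
  if (user.authentication_provider.type !== HTTP_PROVIDER_TYPE) return null; // normal login flow
  if (storage.getItem(RECORDED_KEY) !== null) return null;                   // already counted
  storage.setItem(RECORDED_KEY, new Date().toISOString());
  return {
    authentication_realm_type: user.authentication_realm.type,
    lookup_realm_type: user.lookup_realm.type,
    authentication_provider_type: user.authentication_provider.type,
    authentication_type: user.authentication_type,
  };
}
```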
@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Telemetry labels Nov 4, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@exalate-issue-sync exalate-issue-sync bot added impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort labels Nov 4, 2021
@legrego legrego added loe:medium Medium Level of Effort and removed loe:small Small Level of Effort labels Nov 8, 2021
@XavierM XavierM self-assigned this Nov 16, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. and removed impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. labels Mar 2, 2022
@legrego legrego assigned azasypkin and unassigned XavierM Mar 26, 2022