grafana/devenv/docker/blocks/jwt_proxy
Jo 4f924a9b97 Add JWT url auth documentation (#54040) (#54689)
* add jwt auth docs

* add appropriate warnings to docs

* remove unimplemented login_token assumptions

* Update conf/sample.ini

(cherry picked from commit 4952b7f22d)
2022-09-05 04:05:01 -04:00

OAUTH BLOCK

Devenv setup jwt auth

To launch the block, use the oauth source. Ex:

make devenv sources="jwt_proxy"

Here is the conf you need to add to your configuration file (conf/custom.ini):

[auth]
signout_redirect_url = http://127.0.0.1:8088/oauth2/sign_out

[auth.jwt]
enabled = true
header_name = X-Forwarded-Access-Token
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/oauth/jwks.json
cache_ttl = 60m
expected_claims = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true

Access Grafana through:

http://127.0.0.1:8088
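When Grafana rejects a login in this setup, it helps to see how the token carried in `X-Forwarded-Access-Token` compares with the `[auth.jwt]` settings above. The following is an added troubleshooting example, not code from the Grafana repository; `diagnose_token` and `make_token` are hypothetical helper names and the sample tokens are constructed. It only inspects claims and does not verify the signature, which Grafana checks against `jwk_set_file`.

```python
import base64
import json
import time

# Values copied from the [auth.jwt] section above.
EXPECTED_CLAIMS = {"iss": "http://localhost:8087/auth/realms/grafana", "azp": "grafana-oauth"}
USERNAME_CLAIM, EMAIL_CLAIM = "login", "email"


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def diagnose_token(token, now=None):
    """List where a token differs from the configuration above.

    Diagnostic only: the signature is NOT verified here.
    """
    try:
        head, body, _sig = token.split(".")
        header, claims = _b64url_json(head), _b64url_json(body)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["not a well-formed compact JWT"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is none: token is unsigned")
    for name, want in EXPECTED_CLAIMS.items():
        if claims.get(name) != want:
            problems.append(f"{name}={claims.get(name)!r}, expected {want!r}")
    for name in (USERNAME_CLAIM, EMAIL_CLAIM):
        if not claims.get(name):
            problems.append(f"configured claim {name!r} is absent")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems


def make_token(claims, alg="RS256"):
    """Constructed sample token with a dummy signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg})}.{enc(claims)}.c2ln"
```

An empty list means the claims line up with the configuration; it says nothing about whether the signature is valid.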

Devenv setup jwt auth iframe embedding

  • Add the previous configuration and the following snippet to grafana.ini
[security]
allow_embedding = true

Note: You may need to grant the JWT user in Grafana access to the datasources and the dashboard.

Backing up keycloak DB

In case you want to make changes to the devenv setup, you can dump Keycloak's DB:

cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/jwt_proxy/cloak.sql

Connecting to Keycloak:

  • keycloak admin: http://localhost:8087
  • keycloak admin login: admin:admin
  • grafana jwt viewer login: jwt-viewer:grafana
  • grafana jwt editor login: jwt-editor:grafana
  • grafana jwt admin login: jwt-admin:grafana

Troubleshooting

Mac M1 Users

The new arm64 architecture does not build for the latest Docker image of Keycloak. Refer to https://github.com/docker/for-mac/issues/5310 to see whether the issue has been resolved. Until then, you need to build the Docker image locally and then run devenv.

  1. Remove any lingering Keycloak image
$ docker rmi $(docker images | grep 'keycloack' | awk '{print $3}')
  2. Build the Keycloak image locally
$ ./docker-build-keycloack-m1-image.sh
  3. Start from the beginning of this readme