Authenticating Grafana In an Iframe via Reverse Proxy

  • What Grafana version and what operating system are you using?

    1. Grafana Version: v10.1.4
    2. Operating System: Ubuntu 20.04.6 LTS
  • What are you trying to achieve?

  • Embed Grafana in an Iframe with authentication via Reverse Proxy.
  • How are you trying to achieve it?
  1. We have installed Grafana locally, which is hosted at http://localhost:3000
  2. We have drawn some graphs in Grafana and are embedding them in the React app
  3. Since we cannot keep the graphs open for all, we are planning to implement the JWT-based authentication, which is mentioned in the documentation
  4. We are embedding the Nginx reverse proxy link in the iframes
  5. For now we have hardcoded the auth token in the Nginx reverse proxy, and the graphs load and embed fine
  • What happened?
  1. We are passing the auth token to Grafana via the reverse proxy. Grafana subsequently made some API calls, listed below, and they seem to throw an authentication error since the token is not passed to them internally via Grafana (if we hardcode the token for the API calls it seems to work).
    • This seems to work fine with url_login approach where a separate token is generated by Grafana and passed for the Subsequent API calls.

API Calls

  • api/dashboards/uid/ac6c1ca8-d858-4687-9a7b-33ee578e47bf

  • api/annotations?from=1675195533000&to=1688198176000&limit=100&matchAny=false&dashboardUID=ac6c1ca8-d858-4687-9a7b-33ee578e47bf

  • api/ds/query

  • api/ds/query?ds_type=mysql&requestId=Q100

  • What did you expect to happen?

  • Grafana should internally send the auth token for the subsequent API calls on its own (as it works for the url_login approach) since we will not be able to identify if the API call has genuinely come from Grafana or Postman.
  • Can you copy/paste the configuration(s) that you are having problems with?
  1. Grafana
allow_embedding = true
[auth.jwt]
enabled = true
header_name = X-WEBAUTH-USER
; jwk_set_file = /etc/grafana/jwks.json
; email_claim = sub
; username_claim = sub
jwk_set_file = /etc/grafana/jwksjson
email_claim = username
username_claim = username
;jwk_set_url = https://foo.bar/.well-known/jwks.json
cache_ttl = 60m
;key_file = public_key.pem
;role_attribute_path =
;role_attribute_strict = false
auto_sign_up = true
url_login = true
;allow_assign_grafana_admin = false

Nginx

http {
	# This is required to proxy Grafana Live WebSocket connections.
	map $http_upgrade $connection_upgrade {
		default upgrade;
		'' close;
	}

	upstream grafana {
		server localhost:3000;
	}

	server {
		listen 99;
		root /usr/share/nginx/html;
		index index.html index.htm;

		# location /api {
		# 	proxy_pass http://localhost:3000/api;
		# }

		location /api {
			
			proxy_pass http://localhost:3000/api;
		}

		location / {
			proxy_set_header X-WEBAUTH-USER <JWT_AUTH_TOKEN>;

			proxy_set_header Host $host;
			proxy_pass http://localhost:3000;
		}

		# Proxy Grafana Live WebSocket connections.
		location /api/live/ {
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
			proxy_set_header Host $host;
			proxy_pass http://localhost:3000/api/live/;
		}
	}
}


events {}
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

For the API calls we are getting an Unauthorized error,
e.g. for the API /api/login/ping we are getting the response
message “Unauthorized”

We are expecting Grafana to pass the auth token for all subsequent API calls as this is Grafana's internal functionality.

  • Did you follow any online instructions? If so, what is the URL?
    Yes, all instructions were followed from the official documentation.
  1. Configure JWT authentication | Grafana documentation

Hello, we have got 95% of the authentication working, but we are not able to figure out why Grafana is not sending the auth token for the subsequent API calls. Could you please assist with this?
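
In the Nginx configuration posted above, X-WEBAUTH-USER is set only inside location /, while requests under /api match the other location blocks. The following is an added example, not code from the post or from Grafana: a Python check that lists the proxying locations where the header is not in effect, applying nginx's rule that proxy_set_header is inherited from the outer level only when the current level defines none of its own. SAMPLE_CONF, parse and locations_missing_header are names made up for this example, and the sample config is constructed.

```python
import re

# Constructed sample mirroring the post's location layout; PLACEHOLDER_JWT replaces the token.
SAMPLE_CONF = """
server {
    location /api { proxy_pass http://localhost:3000/api; }
    location / {
        proxy_set_header X-WEBAUTH-USER PLACEHOLDER_JWT;
        proxy_set_header Host $host;
        proxy_pass http://localhost:3000;
    }
    location /api/live/ {
        proxy_set_header Host $host;
        proxy_pass http://localhost:3000/api/live/;
    }
}
"""

def parse(tokens):
    """Build a tree of (name, args, children) directives; consumes `tokens`."""
    nodes, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in (";", "{"):
            if words:
                nodes.append((words[0], words[1:], parse(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return nodes

def locations_missing_header(conf, header="X-WEBAUTH-USER"):
    """List locations that proxy_pass without `header` in effect.
    Simplified parser: assumes no quoted values containing spaces or braces."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    missing = []
    def walk(name, args, nodes, inherited):
        own = {a[0].lower() for n, a, _ in nodes if n == "proxy_set_header" and a}
        # nginx inherits proxy_set_header only if this level defines none itself.
        effective = own or inherited
        proxies = any(n == "proxy_pass" for n, _, _ in nodes)
        if name == "location" and proxies and header.lower() not in effective:
            missing.append(" ".join(args))
        for n, a, kids in nodes:
            walk(n, a, kids, effective)
    walk("main", [], parse(tokens), set())
    return missing
```

Calling locations_missing_header(SAMPLE_CONF) reports /api and /api/live/, the two blocks through which the dashboard's follow-up requests reach Grafana without the header.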

I believe I have the same issue with anonymous auth and a reverse proxy for the websocket requests. I finally got that working, and am now stuck on "Failed to authenticate request, user token not found" errors in my Grafana logs, and the websocket requests are pending for 5+ minutes. Everything is containerised, but that shouldn’t affect anything. I'll keep an eye on this and respond if I figure it out, I guess :man_shrugging: