Authentication issue (Grafana --OIDC–> Keycloak --OIDC–> 3rd-party-IdP)

Hello,

I’m having trouble with Grafana authentication.
My setup is as follows:

  • Grafana is configured to allow login with generic OAuth
  • I use Keycloak for identity provider
  • Keycloak is configured to allow login with other identity providers (Google, Microsoft, etc.)

The issue happens in the following scenario:

  1. I go to Grafana login page and click sign in with OAuth (Keycloak)
  2. I sign in to Keycloak with a 3rd party identity provider (Google or any other)
  3. I get redirected back to Grafana login page with an error: “Login failed. User sync failed”.

Grafana log gets a warning: logger=authn.service t=2024-09-24T01:02:51.046510858Z level=warn msg="Failed to authenticate request" client=auth.client.session error="user token not found".

OAuth login works fine if I use username/password login in Keycloak; the issue happens only if I use social login. Also, the same scenario (App --OIDC–> Keycloak --OIDC–> 3rd-Party-IdP) works fine for other apps (Graylog, Portainer), so the issue is specific to Grafana.

Any tips on how to debug the issue would be greatly appreciated.
Thanks.

Grafana debug logs, browser console.

Turns out the issue was caused by a user email collision.
The issue happens in the following scenario:

  • Grafana has a user authenticated over OIDC with Keycloak via username/password login with email foo@boo.com.
  • You get the “Login failed. User sync failed” error if you try to log in to Grafana by authenticating with Keycloak via a 3rd party IdP using the same email foo@boo.com.
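An added check modelled on the resolution above, not Grafana's own code: it builds a constructed two-table stand-in for the user/user_auth data (the table layout, the `oauth_generic_oauth` module name and the subject values are assumptions) and classifies an incoming OAuth login as already linked, new, or an email collision with a user linked to a different subject.

```python
import sqlite3

# Stand-in for the two tables involved in external-auth user sync.
# Column names are an assumption modelled on grafana.db, not its real schema.
SCHEMA = """
CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT, email TEXT UNIQUE);
CREATE TABLE user_auth (user_id INTEGER, auth_module TEXT, auth_id TEXT);
"""


def build_sample_db():
    """Constructed sample: one Grafana user created earlier by a Keycloak
    username/password login (assumed Keycloak subject 'kc-local-111')."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute('INSERT INTO "user" VALUES (1, "foo", "foo@boo.com")')
    conn.execute(
        "INSERT INTO user_auth VALUES (1, 'oauth_generic_oauth', 'kc-local-111')"
    )
    conn.commit()
    return conn


def classify_login(conn, auth_module, auth_id, email):
    """Return 'linked' if (auth_module, auth_id) is already mapped to a user,
    'new' if no user has that email, or 'collision' if the email belongs to a
    user linked to a different auth_id (the case that fails user sync)."""
    row = conn.execute(
        "SELECT user_id FROM user_auth WHERE auth_module = ? AND auth_id = ?",
        (auth_module, auth_id),
    ).fetchone()
    if row:
        return "linked"
    row = conn.execute(
        'SELECT id FROM "user" WHERE lower(email) = lower(?)', (email,)
    ).fetchone()
    return "new" if row is None else "collision"


def colliding_subjects(conn, email):
    """List the (auth_module, auth_id) pairs already linked to the user owning
    this email, so an admin can see which account the new login clashes with."""
    return conn.execute(
        'SELECT ua.auth_module, ua.auth_id FROM user_auth ua '
        'JOIN "user" u ON u.id = ua.user_id WHERE lower(u.email) = lower(?)',
        (email,),
    ).fetchall()
```

A social login brokered through Keycloak arrives with a different subject than the password account for the same person, which is exactly the 'collision' branch above.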

Hello, I have a similar problem to yours. Could you please tell me how you solved it in the end? Thanks a lot!