CA for auth.jwt jwk_set_url

conormarkmurphy · November 7, 2022, 11:04am

What Grafana version and what operating system are you using?

helm chart 6.43.0
App 9.2.1

What are you trying to achieve?

Login by passing JWT token in URL

How are you trying to achieve it?

    auth.jwt:
        enabled: true
        jwk_set_url: https://<URL>/dex/keys
        role_attribute_path: "contains(groups[*], 'GrafanaAdmin') && 'Admin' || 'Viewer'"
        url_login: true
        auto_sign_up: true
        enable_login_token: true
        header_name: X-Forwarded-Access-Token

What happened?

Auth fails, seems the problem is when it tries to get the Key set, https request fails because it doesn’t trust the CA

logger=auth.jwt t=2022-11-07T10:54:31.941329221Z level=debug msg="Parsing JSON Web Token"
logger=auth.jwt t=2022-11-07T10:54:31.941565034Z level=debug msg="Getting key set from endpoint" url=https://<URL>/dex/keys
logger=context t=2022-11-07T10:54:31.952928887Z level=debug msg="Failed to verify JWT" error="Get \"https://<URL>/dex/keys\": x509: certificate signed by unknown authority"
logger=context t=2022-11-07T10:54:31.952955519Z level=error msg="Invalid JWT" error="Get \"https://<URL>/dex/keys\": x509: certificate signed by unknown authority" traceID=

So, how do you configure the CA use when connecting to the jwk_set_url?

usman.ahmad · November 16, 2022, 2:33pm

Hi @conormarkmurphy,

Thanks for opening this post.

I can only try to help here as I have only basic knowledge of JWT. I worked on this post where I post an answer with some details about the basic steps on how to configure JWT.

Maybe this can help you to get closer to solving the CA issue. Also, worth to mention to check this video link which explains about the signature-based certificate with JWT and use httfps://jwt.io/ for live debugging (which I also used).

I hope this helps. and maybe some other community member could provide more details on this post.

conormarkmurphy · November 21, 2022, 8:08pm

I afraid that doesn’t really help as issue here is that Grafana fails to get the key set needed to validate the JWT because it can’t verify the CA of the remote server

jangaraj · November 21, 2022, 8:59pm

Make sure your Grafana has CA certs available. Check used OS/deployment tool how you can provision CA certs into your container. By default Golang uses these locations: - The Go Programming Language

Topic		Replies	Views
Jwt errors encountered Authentication	5	395	October 28, 2024
Grafana JWT Authentication jwk_set_url Clarification Authentication	3	219	November 5, 2024
Jwk_set_url doesn't pass certificate check Authentication	0	465	October 24, 2022
JWT Authentication Error in Grafana Authentication configuration , oauth , jwt	2	2207	September 6, 2022
Authenticate via auth jwt Authentication jwt	0	411	December 21, 2023

CA for auth.jwt jwk_set_url

Related topics