CA for auth.jwt jwk_set_url

  • What Grafana version and what operating system are you using?

helm chart 6.43.0
App 9.2.1

  • What are you trying to achieve?

Login by passing JWT token in URL

  • How are you trying to achieve it?
        enabled: true
        jwk_set_url: https://<URL>/dex/keys
        role_attribute_path: "contains(groups[*], 'GrafanaAdmin') && 'Admin' || 'Viewer'"
        url_login: true
        auto_sign_up: true
        enable_login_token: true
        header_name: X-Forwarded-Access-Token
  • What happened?

Auth fails, seems the problem is when it tries to get the Key set, https request fails because it doesn’t trust the CA

logger=auth.jwt t=2022-11-07T10:54:31.941329221Z level=debug msg="Parsing JSON Web Token"
logger=auth.jwt t=2022-11-07T10:54:31.941565034Z level=debug msg="Getting key set from endpoint" url=https://<URL>/dex/keys
logger=context t=2022-11-07T10:54:31.952928887Z level=debug msg="Failed to verify JWT" error="Get \"https://<URL>/dex/keys\": x509: certificate signed by unknown authority"
logger=context t=2022-11-07T10:54:31.952955519Z level=error msg="Invalid JWT" error="Get \"https://<URL>/dex/keys\": x509: certificate signed by unknown authority" traceID=

So, how do you configure the CA use when connecting to the jwk_set_url?

Hi @conormarkmurphy,

Thanks for opening this post.

I can only try to help here as I have only basic knowledge of JWT. I worked on this post where I post an answer with some details about the basic steps on how to configure JWT.

Maybe this can help you to get closer to solving the CA issue. Also, worth to mention to check this video link which explains about the signature-based certificate with JWT and use httfps:// for live debugging (which I also used).

I hope this helps. and maybe some other community member could provide more details on this post.

I afraid that doesn’t really help as issue here is that Grafana fails to get the key set needed to validate the JWT because it can’t verify the CA of the remote server

Make sure your Grafana has CA certs available. Check used OS/deployment tool how you can provision CA certs into your container. By default Golang uses these locations: - The Go Programming Language