Embedded Grafana in iframe and JWT authentication

I’m trying to get access (via an Nginx proxy) to Grafana embedded in my web application, using Auth0 (JWT token) authentication.

Nginx address: IP_ADDRESS
Grafana address: https://grafana.domain.pl
Web app address: https://domain.pl

Grafana version is 8.5.1

Some grafana.ini sections:

[security]
cookie_samesite = disabled
allow_embedding = true
cookie_secure = true
cookie_httponly = true

[auth.generic_oauth]
enabled = true
name = OAuth
client_secret = CLIENT_SECRET
client_id = CLIENT_ID
scopes = orgs openid profile roles email
auth_url = https://domain.eu.auth0.com/authorize
token_url = https://domain.eu.auth0.com/oauth/token
api_url = https://domain.eu.auth0.com/userinfo
use_pkce = true

[auth]
oauth_auto_login = true
signout_redirect_url = https://grafana.domain.pl/
disable_login_form = true

[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
username_claim = email
email_claim = email
jwk_set_url = https://domain.eu.auth0.com/.well-known/jwks.json
cache_ttl = 60m
auto_sign_up = true

Nginx proxy config:

location /login {
    proxy_set_header X-JWT-Assertion "${arg_mytoken}";
    proxy_pass https://GRAFANA_IP:3000;
    proxy_cookie_path / "/; SameSite=None; HTTPOnly; Secure";
}

My PHP code after taking a token:

// Request Grafana's /login, sending the Auth0 token in the X-JWT-Assertion request header.
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_PORT => '3000',
    CURLOPT_URL => 'https://grafana.domain.pl/login',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => '',
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 10,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    // Hostname and certificate verification are switched off for this request.
    CURLOPT_SSL_VERIFYHOST => false,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_CUSTOMREQUEST => 'GET',
    // The token travels as a header, not as a query argument.
    CURLOPT_HTTPHEADER => array('X-JWT-Assertion:' . $token),
));
$response = curl_exec($curl);

When I log in to my web app via Auth0, the embedded Grafana shows me the Auth0 login form. I want Grafana to be authenticated. The Auth0 keys for the web app and Grafana are the same. The callbacks are OK too.

Hi,

I think you are sending the token in a header but trying to read it from the argument in nginx.

I don’t know PHP, but it looks to me like you are not sending any token in the argument; instead you are sending it in a header.

I think in nginx it should be something like the below:

proxy_set_header X-JWT-Assertion $http_authorization;
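
The mismatch this reply points at, as an added nginx example that is not part of the original thread: the variable in `proxy_set_header` has to match where the client actually puts the token. The names `$bearer_jwt` and `tok` are chosen here for illustration, and it is an assumption that Grafana expects the bare token (no `Bearer ` prefix) in the header named by `header_name`.

```nginx
# http{} context. Extract the bare token from "Authorization: Bearer <jwt>".
# Values that are not three base64url segments map to "" (header not sent).
# $bearer_jwt and the capture name "tok" are hypothetical names.
map $http_authorization $bearer_jwt {
    default "";
    "~^Bearer\s+(?<tok>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$" $tok;
}

# server{} context. GRAFANA_IP, /login and X-JWT-Assertion are from the post.
location /login {
    # Use exactly ONE of the three lines below, matching the client:

    # (a) Query string: /login?mytoken=<jwt>  (what the posted config reads).
    #     Tokens in URLs are written to access logs and can leak via Referer.
    # proxy_set_header X-JWT-Assertion $arg_mytoken;

    # (b) Request header "X-JWT-Assertion: <jwt>" (what the posted PHP sends).
    #     nginx forwards client headers by default; this makes it explicit.
    proxy_set_header X-JWT-Assertion $http_x_jwt_assertion;

    # (c) Request header "Authorization: Bearer <jwt>", scheme stripped by
    #     the map above so only the token itself is forwarded.
    # proxy_set_header X-JWT-Assertion $bearer_jwt;

    # If the chosen variable is empty, nginx does not pass the header at all.
    # Reading $arg_mytoken while the client sends a header therefore drops
    # the token, and Grafana receives the request without a JWT.
    proxy_pass https://GRAFANA_IP:3000;
    proxy_cookie_path / "/; SameSite=None; HTTPOnly; Secure";
}
```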

Thanks, it helped me, but I’m getting an error in the logs:

Skipping OAuth auto login because multiple OAuth providers are configured

And I have only 1 OAuth provider configured :(

1 OAuth configured on which stack?

Can you explain that to me a little better? :)
I have only [auth.generic_oauth] and [auth.jwt] configured.

You have 3 stacks that I can tell:

  • nginx
  • php
  • grafana

Which one do you have auth configured on? It could be that you also have it configured in the other stacks.

PHP webapp and Grafana. Same Auth0 data (client_id, client_secret, etc.). When I log in to my webapp, I want the Grafana embedded in iframes to be authorized automatically.

Auth JWT doesn’t make sense for this use case; disable that one. See GitHub - jangaraj/grafana-iframe

Thanks. JWT is needed because I have many Grafana instances, and the JWT token has information that I use to assign user access to the proper Grafana instance.

For example: user anon@example.com has access to https://example.com/grafana/instance1 only and user anon2@example.com has access to 3 instances.

OK, it looks like you want authorization. But auth.jwt is for authentication, not authorization. So auth.jwt still doesn’t make sense here.

I want:

  1. Log in to webapp via Auth0
  2. Embedded Grafana should authorize too (same Auth0)
  3. Grafana should get JWT token and authenticate user

I would recommend reading the docs. My advice is clear: remove JWT. Yes, OIDC is based on JWT, but that doesn’t mean you have to have JWT auth in Grafana. Use role mapping for authorization.