I would like to use Haproxy as a frontend for my application which doesn’t do any authentication by itself. A user would log into Grafana using OAuth and the Forward OAuth Identity
feature should pass on the user’s OAuth to Haproxy.
These are the id_token fields I receive on Grafana from my Ping Identity SSO platform.
{
"sub": "myuser",
"aud": "grafana-oauth2",
"jti": "xxxxxxxxxxxxxxxxxxxxxx",
"iss": "https://foo.com",
"iat": 1606876939,
"exp": 1606877239,
"auth_time": 1606876918,
"firstName": "John",
"lastName": "Doe",
"emailAddress": "john@foo.com",
"firmId": "xxxx",
"loginType": "100",
"given_name": "John",
"family_name": "Doe",
"uuid": "1234567"
}
On Haproxy, after decoding the received JWT token using https://github.com/haproxytech/haproxy-lua-jwt (confirmed with https://jwt.io), I get the following fields. At the same time, the signature in the forwarded JWT token doesn't match its header and payload, and the Lua script throws a "Signature not valid." exception.
Decoded JWT header: { ["pi.atm"] = qoof,["alg"] = RS256,["kid"] = someCert,}
Decoded JWT payload: { ["exp"] = 1606963038,["username"] = myuser,["scope"] = { [1] = openid,[2] = profile,[3] = email,} ,["accesslevels"] = NO_ACCESS_DATA,["client_id"] = grafana-oauth2,["employeeid"] = 1234567,["sessionId"] = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxx-x,}
Why are the forwarded fields different between what I received from the SSO platform and what is forwarded from Grafana to Haproxy? How can I forward the original fields from Grafana to Haproxy?
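An added diagnostic example, not from the question above and not code from the Grafana or HAProxy projects: it mints two constructed tokens shaped like the two claim sets posted (an id_token and a separate token carrying `client_id`/`scope`/`username`), decodes the forwarded one without verifying it, classifies it from its claim names, diffs the two claim sets, and checks the signature against the issuer key and against a wrong key. It uses HS256 with a constructed shared secret as a stand-in for the RS256 tokens on the page, because RS256 verification needs a library outside the Python standard library; the split/decode/compare logic is the same for both algorithms. The `classify_token` rule is an assumption derived only from the two claim sets shown above, not a Ping Identity specification.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    Use only to inspect what was forwarded; trust nothing here until verify succeeds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def mint_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Constructed stand-in for the RS256 issuer: signs header.payload with HMAC-SHA256."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """The signature covers the exact header.payload bytes; a different key or an
    edited segment makes this return False (the 'Signature not valid' case)."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def classify_token(payload: dict) -> str:
    """Assumed heuristic from the two claim sets on the page: OIDC id_tokens carry
    iss/aud/sub, while the forwarded token carries client_id/scope instead."""
    keys = set(payload)
    if {"iss", "aud", "sub"} <= keys:
        return "id_token"
    if {"client_id", "scope"} <= keys:
        return "access_token"
    return "unknown"


def compare_claims(a: dict, b: dict):
    """Return (claims only in a, claims only in b, claims in both)."""
    ka, kb = set(a), set(b)
    return ka - kb, kb - ka, ka & kb


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload segment but keep the old signature (what a forger would try)."""
    header, _, sig = token.split(".")
    return ".".join([header, b64url_encode(json.dumps(new_payload).encode()), sig])


# Constructed inputs mirroring the two claim sets in the question (values are placeholders).
ISSUER_KEY = b"constructed-issuer-secret"
HEADER = {"alg": "HS256", "kid": "someCert"}
ID_TOKEN_CLAIMS = {
    "sub": "myuser", "aud": "grafana-oauth2", "jti": "xxxx", "iss": "https://foo.com",
    "iat": 1606876939, "exp": 1606877239, "auth_time": 1606876918, "firstName": "John",
    "lastName": "Doe", "emailAddress": "john@foo.com", "firmId": "xxxx", "loginType": "100",
    "given_name": "John", "family_name": "Doe", "uuid": "1234567",
}
FORWARDED_CLAIMS = {
    "exp": 1606963038, "username": "myuser", "scope": ["openid", "profile", "email"],
    "accesslevels": "NO_ACCESS_DATA", "client_id": "grafana-oauth2",
    "employeeid": 1234567, "sessionId": "xxxx-xxxxx-x",
}
ID_TOKEN = mint_hs256(HEADER, ID_TOKEN_CLAIMS, ISSUER_KEY)
FORWARDED_TOKEN = mint_hs256(HEADER, FORWARDED_CLAIMS, ISSUER_KEY)


def diagnose(forwarded: str, id_token: str, key: bytes) -> dict:
    """What a proxy operator would check first: which token arrived, how its claims
    differ from the id_token, and whether its signature verifies with the issuer key."""
    _, fwd_claims = decode_jwt_unverified(forwarded)
    _, id_claims = decode_jwt_unverified(id_token)
    only_id, only_fwd, shared = compare_claims(id_claims, fwd_claims)
    return {
        "forwarded_kind": classify_token(fwd_claims),
        "only_in_id_token": sorted(only_id),
        "only_in_forwarded": sorted(only_fwd),
        "shared": sorted(shared),
        "signature_ok": verify_hs256(forwarded, key),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(FORWARDED_TOKEN, ID_TOKEN, ISSUER_KEY), indent=2))
```

Running it shows the forwarded token shares only `exp` with the id_token, so the claims you want (`emailAddress`, `given_name`, `sub`) are simply not in it; and that the same token verifies with the issuer key but fails with any other key or after its payload is edited, which is the check to run on the HAProxy side before reading any claim.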