Generate JWKS for jwt authentication

Hi, I’m using Grafana 9.4.7 and I’m trying to implement jwt authentication.
Is there an example on how to generate JWKS.json?
This is my configuration file:

protocol = https
domain = my-ip
cert_file = C:\Program Files\GrafanaLabs\grafana\etc\grafana.crt
cert_key = C:\Program Files\GrafanaLabs\grafana\etc\grafana.key
cookie_secure = true
cookie_samesite = none
allow_embedding = true
enabled = true
header_name = X-JWT-Assertion
email_claim = sub
username_claim = sub

When I launch I obviously obtain the following error in the console:

key set for jwt verification is not configured

1 Like


Generating this file isn’t a Grafana step at all, it’s a general thing required by many applications to configure this kind of functionality. This tutorial that I found is a great starter on how to do it:

More importantly, let’s cover briefly the thought process behind why we’re running all of these cryptic commands:

  1. The OpenSSL steps are creating keys used to generating a certificate (in a format called PEM) that is used for signing cryptographic messages

(step 4 in his tutorial). The “eckles” step that he does is just about transforming a PEM-formatted certificate into JWK format. There are a variety of online tools that can do the same.

what you end up with is a file that should be suitable to use in grafana config as you already understand.

Here’s a link to the relevant bits in our documentation: Configure JWT Authentication | Grafana documentation


When I try to execute step 4 with eckles, I obtain the following error

When I try with an online tool, I receive this error:

What is the cause?

1 Like

It looks like the eckles tool has some error or bug; I’m not the author so I’m not sure.

You can either check with that tool, or you can use another equivalent tool for the same step. The step in question has to do with turning a PEM file into a JWK file. There are other utilities which do the same thing online like this:

Conceptually, the step is the same even if you use a different tool to do it, so if you run into trouble with one, keep checking.