Getting "no refresh token available" even when the token is provided by the IDP

cossth · December 13, 2023, 11:41am

What Grafana version and what operating system are you using?
Grafana version: 10.2
OS: Kubernetes on Ubuntu
What are you trying to achieve?
When a user logs out then user should logout without confirmation using RP initiated logout PR #70357.
How are you trying to achieve it?
I do a login using generic OAuth and then I try to logout after around 5 minutes.
What happened?
Sometimes I am getting a logout confirmation even if I have passed id_token_hint.
Most of the time it is working as expected.
I think it has something to do with handling of id_token and refresh_token.
What did you expect to happen?
The logout should happen without confirmation every time if id_token_hint is provided.
What I have tried?
As per my understanding in keycloak logs below line is getting hit, Which means the id_token used for login and the id_token_hint provided are different.

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L287


      
          LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class)
                  .setAuthenticationSession(logoutSession);
          
          UserSessionModel userSession = null;
          
          // Check if we have session in the browser. If yes and it is different session than referenced by id_token_hint, the confirmation should be displayed
          AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(session, realm, false);
          if (authResult != null) {
              userSession = authResult.getSession();
              if (idToken != null && idToken.getSessionState() != null && !idToken.getSessionState().equals(authResult.getSession().getId())) {
                  forcedConfirmation = true;
              }
          } else {
              // Skip confirmation in case that valid redirect URI was setup for given client_id and there is no session in the browser as well as no id_token_hint.
              // We can do automatic redirect as there is no logout needed at all for this scenario (Session was probably already logged-out before)
              if (encodedIdToken == null && client != null && validatedRedirectUri != null) {
                  confirmationNeeded = false;
              }
          }
          
          if (userSession == null && idToken != null && idToken.getSessionState() != null) {

Can you copy/paste the configuration(s) that you are having problems with?
I followed grafana latest guide for keycloak integration.
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

There are no logs for logout, because there aren’t any, but I found out that the refresh_token was not found even when keycloak sends token everytime when a user is authenticated.

logger=query_data t=2023-12-13T16:38:25.244161279+05:30 level=debug msg="Processing metrics query" query="unsupported value type"
logger=oauthtoken t=2023-12-13T16:38:25.282925348+05:30 level=debug msg="no refresh token available" authmodule=oauth_generic_oauth userid=180
logger=ngalert.scheduler t=2023-12-13T16:38:30.087681296+05:30 level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
logger=oauth t=2023-12-13T16:38:31.056397025+05:30 level=info msg="state check" queryState=88ba67c7050b9733298d131e340c000ea2dbfeb1c1b9e9754803388e11d1d4a5 cookieState=88ba67c7050b9733298d131e340c000ea2dbfeb1c1b9e9754803388e11d1d4a5
logger=oauth t=2023-12-13T16:38:31.222290849+05:30 level=debug msg="OAuthLogin: got token" expiry="2023-12-14 16:38:31.222180249 +0530 IST m=+95343.864952852" type=Bearer access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYQURJeFBPUTU5VWxUb21sZ1VrRi1odElsaW1rOGRVY2hRZjQyc05wUmc4In0.<redacated> refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxNDZmMTE3My1jZGYwLTQ4YzMtOGFjOC02Yzg2M2ZmNTAzNTIifQ.<redacated>
logger=oauth.generic_oauth t=2023-12-13T16:38:31.222591083+05:30 level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2023-12-13T16:38:31.222607092+05:30 level=debug msg="Extracting user info from OAuth token"
--
logger=ngalert.sender.router t=2023-12-13T16:38:33.826392147+05:30 level=debug msg="Finish of admin configuration sync"
logger=oauth t=2023-12-13T16:38:39.422976076+05:30 level=info msg="state check" queryState=2dc9ee6e8f6dcc7a22242f121a91b5405b1ca3d1eca1a850063f61e96750e552 cookieState=2dc9ee6e8f6dcc7a22242f121a91b5405b1ca3d1eca1a850063f61e96750e552
logger=oauth t=2023-12-13T16:38:39.519647239+05:30 level=debug msg="OAuthLogin: got token" expiry="2023-12-14 16:38:39.519540458 +0530 IST m=+95352.162313061" type=Bearer access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYQURJeFBPUTU5VWxUb21sZ1VrRi1odElsaW1rOGRVY2hRZjQyc05wUmc4In0.<redacated> refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxNDZmMTE3My1jZGYwLTQ4YzMtOGFjOC02Yzg2M2ZmNTAzNTIifQ.<redacated>
logger=oauth.generic_oauth t=2023-12-13T16:38:39.51973212+05:30 level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2023-12-13T16:38:39.519742774+05:30 level=debug msg="Extracting user info from OAuth token"
logger=query_data t=2023-12-13T16:38:41.256772436+05:30 level=debug msg="Processing metrics query" query="unsupported value type"
logger=oauthtoken t=2023-12-13T16:38:41.296327158+05:30 level=debug msg="no refresh token available" authmodule=oauth_generic_oauth userid=180
logger=accesscontrol.service t=2023-12-13T16:38:41.854010617+05:30 level=debug msg="using cached permissions" key=rbac-permissions-1-user-180
logger=query_data t=2023-12-13T16:38:41.854363458+05:30 level=debug msg="Processing metrics query" query="unsupported value type"

Did you follow any online instructions? If so, what is the URL?
This I used to integrate keycloak.

jangaraj · December 13, 2023, 2:43pm

It is not clear how did you configure Grafana logout, what kind of logout URL is generated in the browser actually, how can you pass id_token_hint.

cossth · December 14, 2023, 7:33am

My config is below

GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
GF_AUTH_GENERIC_OAUTH_NAME: 'Keycloak'
GF_AUTH_GENERIC_OAUTH_SCOPES: 'openid profile roles email offline_access'
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: 'true'
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: 'grafana'
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: '<redacated>'
GF_AUTH_GENERIC_OAUTH_AUTH_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/auth'
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/token'
GF_AUTH_GENERIC_OAUTH_API_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/userinfo'
GF_AUTH_SIGNOUT_REDIRECT_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/logout?post_logout_redirect_uri=https://<grafana url>/login&client_id=grafana'

jangaraj · December 14, 2023, 9:03am

Does logout url require id_token_hint? If yes, is that hint generated by Grafana?

cossth · December 14, 2023, 9:37am

Yes, The id_token_hint will be appended to the logout URL if we are have post_logout_redirect_uri set in the signout_redirect_url as mentioned in the below document.

github.com

grafana/grafana/blob/main/docs/sources/setup-grafana/configure-grafana/_index.md#signout_redirect_url

---
aliases:
  - ../administration/configuration/
  - ../installation/configuration/
description: Configuration documentation
labels:
  products:
    - enterprise
    - oss
title: Configure Grafana
weight: 200
---

# Configure Grafana

Grafana has default and custom configuration files. You can customize your Grafana instance by modifying the custom configuration file or by using environment variables. To see the list of settings for a Grafana instance, refer to [View server settings]({{< relref "../../administration/stats-and-license#view-server-settings" >}}).

{{% admonition type="note" %}}
After you add custom options, [uncomment](#remove-comments-in-the-ini-files) the relevant sections of the configuration file. Restart Grafana for your changes to take effect.
{{% /admonition %}}

This file has been truncated. show original