Getting "no refresh token available" even when the token is provided by the IDP

  • What Grafana version and what operating system are you using?
    Grafana version: 10.2
    OS: Kubernetes on Ubuntu

  • What are you trying to achieve?
    When a user logs out, the user should log out without confirmation, using RP-initiated logout (PR #70357).

  • How are you trying to achieve it?
    I log in using generic OAuth and then try to log out after around 5 minutes.

  • What happened?
    Sometimes I am getting a logout confirmation even if I have passed id_token_hint.
    Most of the time it is working as expected.
    I think it has something to do with handling of id_token and refresh_token.

  • What did you expect to happen?
    The logout should happen without confirmation every time if id_token_hint is provided.

  • What I have tried?
    As per my understanding, in the Keycloak logs the line below is getting hit, which means the id_token used for login and the id_token_hint provided are different.

  • Can you copy/paste the configuration(s) that you are having problems with?
    I followed Grafana's latest guide for Keycloak integration.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

There are no logs for logout, because there aren't any, but I found out that the refresh_token was not found even though Keycloak sends the token every time a user is authenticated.

logger=query_data t=2023-12-13T16:38:25.244161279+05:30 level=debug msg="Processing metrics query" query="unsupported value type"
logger=oauthtoken t=2023-12-13T16:38:25.282925348+05:30 level=debug msg="no refresh token available" authmodule=oauth_generic_oauth userid=180
logger=ngalert.scheduler t=2023-12-13T16:38:30.087681296+05:30 level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
logger=oauth t=2023-12-13T16:38:31.056397025+05:30 level=info msg="state check" queryState=88ba67c7050b9733298d131e340c000ea2dbfeb1c1b9e9754803388e11d1d4a5 cookieState=88ba67c7050b9733298d131e340c000ea2dbfeb1c1b9e9754803388e11d1d4a5
logger=oauth t=2023-12-13T16:38:31.222290849+05:30 level=debug msg="OAuthLogin: got token" expiry="2023-12-14 16:38:31.222180249 +0530 IST m=+95343.864952852" type=Bearer access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYQURJeFBPUTU5VWxUb21sZ1VrRi1odElsaW1rOGRVY2hRZjQyc05wUmc4In0.<redacated> refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxNDZmMTE3My1jZGYwLTQ4YzMtOGFjOC02Yzg2M2ZmNTAzNTIifQ.<redacated>
logger=oauth.generic_oauth t=2023-12-13T16:38:31.222591083+05:30 level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2023-12-13T16:38:31.222607092+05:30 level=debug msg="Extracting user info from OAuth token"
--
logger=ngalert.sender.router t=2023-12-13T16:38:33.826392147+05:30 level=debug msg="Finish of admin configuration sync"
logger=oauth t=2023-12-13T16:38:39.422976076+05:30 level=info msg="state check" queryState=2dc9ee6e8f6dcc7a22242f121a91b5405b1ca3d1eca1a850063f61e96750e552 cookieState=2dc9ee6e8f6dcc7a22242f121a91b5405b1ca3d1eca1a850063f61e96750e552
logger=oauth t=2023-12-13T16:38:39.519647239+05:30 level=debug msg="OAuthLogin: got token" expiry="2023-12-14 16:38:39.519540458 +0530 IST m=+95352.162313061" type=Bearer access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYQURJeFBPUTU5VWxUb21sZ1VrRi1odElsaW1rOGRVY2hRZjQyc05wUmc4In0.<redacated> refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxNDZmMTE3My1jZGYwLTQ4YzMtOGFjOC02Yzg2M2ZmNTAzNTIifQ.<redacated>
logger=oauth.generic_oauth t=2023-12-13T16:38:39.51973212+05:30 level=debug msg="Getting user info"
logger=oauth.generic_oauth t=2023-12-13T16:38:39.519742774+05:30 level=debug msg="Extracting user info from OAuth token"
logger=query_data t=2023-12-13T16:38:41.256772436+05:30 level=debug msg="Processing metrics query" query="unsupported value type"
logger=oauthtoken t=2023-12-13T16:38:41.296327158+05:30 level=debug msg="no refresh token available" authmodule=oauth_generic_oauth userid=180
logger=accesscontrol.service t=2023-12-13T16:38:41.854010617+05:30 level=debug msg="using cached permissions" key=rbac-permissions-1-user-180
logger=query_data t=2023-12-13T16:38:41.854363458+05:30 level=debug msg="Processing metrics query" query="unsupported value type"

  • Did you follow any online instructions? If so, what is the URL?
    This is what I used to integrate Keycloak.

It is not clear how you configured Grafana logout, what kind of logout URL is actually generated in the browser, or how you pass id_token_hint.

My config is below:

GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
GF_AUTH_GENERIC_OAUTH_NAME: 'Keycloak'
GF_AUTH_GENERIC_OAUTH_SCOPES: 'openid profile roles email offline_access'
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: 'true'
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: 'grafana'
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: '<redacated>'
GF_AUTH_GENERIC_OAUTH_AUTH_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/auth'
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/token'
GF_AUTH_GENERIC_OAUTH_API_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/userinfo'
GF_AUTH_SIGNOUT_REDIRECT_URL: 'https://<keycloak>/realms/cossth/protocol/openid-connect/logout?post_logout_redirect_uri=https://<grafana url>/login&client_id=grafana'

Does the logout URL require id_token_hint? If yes, is that hint generated by Grafana?

Yes. The id_token_hint will be appended to the logout URL if we have post_logout_redirect_uri set in the signout_redirect_url, as mentioned in the document below.
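An added example, not code from Grafana or from anyone in this thread, that models the rule discussed above: id_token_hint is appended to the configured signout_redirect_url only when post_logout_redirect_uri is present, and a mismatch between the hint and the session's own id_token is what leaves the IdP unable to end the session silently. Hosts, the sid/sub claims used for comparison, and the unsigned test tokens are all constructed here; nothing is verified cryptographically.

```python
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_id_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT used only as test input; not a real Keycloak token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def build_logout_url(signout_redirect_url: str, session_id_token: Optional[str]) -> str:
    """Append id_token_hint only when the configured URL already carries
    post_logout_redirect_uri (the behaviour described in the thread)."""
    parts = urlparse(signout_redirect_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "post_logout_redirect_uri" in query and session_id_token:
        query["id_token_hint"] = [session_id_token]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def hint_matches_session(logout_url: str, session_id_token: str) -> bool:
    """True when the hint in the URL belongs to the session Grafana logged in with.
    Assumes the IdP sets sid/sub claims; a False result explains a confirmation prompt."""
    query = parse_qs(urlparse(logout_url).query)
    hint = query.get("id_token_hint", [None])[0]
    if hint is None:
        return False
    a, b = jwt_payload(hint), jwt_payload(session_id_token)
    return a.get("sid") == b.get("sid") and a.get("sub") == b.get("sub")


if __name__ == "__main__":
    cfg = ("https://keycloak.example/realms/cossth/protocol/openid-connect/logout"
           "?post_logout_redirect_uri=https://grafana.example/login&client_id=grafana")
    tok = make_fake_id_token({"sub": "180", "sid": "session-A"})
    print(build_logout_url(cfg, tok))
```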