We have a Docker Swarm stack running a bunch of microservices and a keycloak and we would like to test a grafana integration with Keycloak using Oauth2/OpenID.
Keycloak has several useful endpoints for OpenID authentication, and these can be set in grafana.ini as follows using the generic OAuth config:

```ini
[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = password123
...
auth_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/auth
token_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/token
api_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/userinfo
```
Unfortunately, I cannot find any variable in grafana’s config to get the certificate endpoint.
This endpoint is used to retrieve keycloak’s public key for JWT token validation. See doc
I was expecting something like this:
```ini
cert_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/certs
```

How can grafana validate a JWT token without that certificate?
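For readers wondering what the certs endpoint actually provides, here is an added example (not from the poster and not Grafana's code) of how a relying party validates an RS256 JWT against the JWKS document that Keycloak's `.../openid-connect/certs` endpoint serves. Everything is constructed inline so it runs offline: the RSA key pair, the JWKS (in the same shape Keycloak publishes), the key id `demo-key-1`, the issuer URL and the audience `grafana` are all assumptions for the demo, and the 1024-bit key size is chosen only to keep pure-Python key generation fast.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo values (assumptions, not values from the post).
KID = "demo-key-1"
ISSUER = "http://keycloak:8080/auth/realms/realm-a"
AUDIENCE = "grafana"
# DER DigestInfo prefix for SHA-256, as required by PKCS#1 v1.5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    # Miller-Rabin: good enough for a demo key, not a hardened key generator.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force exact size and oddness
        if is_probable_prime(c):
            return c

def gen_rsa_keypair(bits: int = 1024):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:         # e is prime, so this guarantees gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    # 0x00 || 0x01 || PS (0xff...) || 0x00 || DigestInfo || H(msg)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Compare the whole encoded message rather than parsing padding loosely.
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

def make_jwks(kid: str, n: int, e: int) -> dict:
    # The document shape served by .../openid-connect/certs (constructed, not fetched).
    return {"keys": [{"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}

def make_jwt(claims: dict, kid: str, n: int, d: int) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def validate_jwt(token: str, jwks: dict, issuer: str, audience: str, now: int):
    """Return the claims if the token is valid for this relying party, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "RS256":           # pin the algorithm; never trust "none" or HS*
        return None
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                             # unknown kid: no key to verify against
        return None
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify((h_b64 + "." + p_b64).encode(), b64url_decode(s_b64), n, e):
        return None
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# Demo key, JWKS and token (all constructed at import time).
N, E, D = gen_rsa_keypair(1024)
JWKS = make_jwks(KID, N, E)
TOKEN = make_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 2_000_000_000}, KID, N, D)

def demo():
    good = validate_jwt(TOKEN, JWKS, ISSUER, AUDIENCE, now=1_700_000_000)
    h, _, s = TOKEN.split(".")
    altered = b64url_encode(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin",
                                        "exp": 2_000_000_000}).encode())
    tampered = validate_jwt(h + "." + altered + "." + s, JWKS, ISSUER, AUDIENCE, now=1_700_000_000)
    expired = validate_jwt(TOKEN, JWKS, ISSUER, AUDIENCE, now=2_100_000_000)
    return (good is not None and good["sub"] == "alice", tampered is None, expired is None)

if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

The point of the `certs` endpoint is the `validate_jwt` path: the relying party selects the key by `kid`, pins the algorithm, checks the signature over the header and payload, and only then trusts the `iss`, `aud` and `exp` claims. A payload edit, an expired token, or a `kid` missing from the JWKS all fail closed. In production the JWKS would be fetched over TLS from the URL in the post and cached with a refresh on unknown `kid`, and a library such as PyJWT or the Keycloak adapters would replace the hand-written RSA here.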