Grafana compliance with Keycloak cert OpenID endpoint


We have a Docker Swarm stack running a bunch of microservices and a Keycloak, and we would like to test a Grafana integration with Keycloak using OAuth2/OpenID.

Keycloak has several useful endpoints to integrate OpenID authentication, and these can be set as follows using the generic OAuth config in grafana.ini:

enabled = true
client_id = grafana
client_secret = password123
auth_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/auth
token_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/token
api_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/userinfo

Unfortunately, I cannot find any variable in Grafana’s config to get the certificate endpoint.
This endpoint is used to retrieve Keycloak’s public key for JWT token validation. See doc

I was expecting something like this:

cert_url = http://keycloak:8080/auth/realms/realm-a/protocol/openid-connect/certs

How can Grafana validate the JWT token without that certificate?

Best regards,


Grafana doesn’t send the JWT token to the user’s browser, so the user can’t tamper with the token => token verification is not required.
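
What a client does with the keys published at the `certs` endpoint the question asks about, as an added example (not Grafana's or Keycloak's code, and not part of either post): it selects the JWK matching the token's `kid` and checks the RS256 signature. The function names, the `demo-key` id and the toy key built from two Mersenne primes are constructed for illustration and are not secure; a real deployment would use a maintained JWT library and also check `iss`, `aud` and `exp`.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def to_bytes(i):
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

def emsa(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding of the SHA-256 digest, as a k-byte integer."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def verify_rs256(token, jwks):
    """Return the claims if the signature matches a key in the JWKS, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_dec(head_b64))
        if header.get("alg") != "RS256":   # pin the algorithm; reject "none"
            return None
        jwk = next(k for k in jwks["keys"] if k["kid"] == header.get("kid"))
        n = int.from_bytes(b64u_dec(jwk["n"]), "big")
        e = int.from_bytes(b64u_dec(jwk["e"]), "big")
        sig = int.from_bytes(b64u_dec(sig_b64), "big")
        expected = emsa(f"{head_b64}.{body_b64}".encode(), len(to_bytes(n)))
        if sig >= n or pow(sig, e, n) != expected:
            return None
        return json.loads(b64u_dec(body_b64))
    except (ValueError, KeyError, StopIteration, AttributeError, TypeError):
        return None

# Constructed sample: toy RSA key from two Mersenne primes, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = len(to_bytes(N))
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key", "alg": "RS256",
                  "n": b64u(to_bytes(N)), "e": b64u(to_bytes(E))}]}

def sign(claims):
    """Stand-in for the identity provider signing with its private key."""
    head = b64u(json.dumps({"alg": "RS256", "kid": "demo-key"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(emsa(f"{head}.{body}".encode(), K), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"
```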