Grafana error login.OAuthLogin(get info from generic_oauth)

After logging in with Keycloak auth, this error pops up

 grafana.ini:
    auth.generic_oauth:
      enabled: true
      tls_skip_verify_insecure: true   # disables TLS certificate checks against the Keycloak endpoints; test setups only
      name: Keycloak-OAuth
      allow_sign_up: true
      client_id: grafana-sso
      client_secret: xxxxxxxxxxxxx
      scopes: openid email profile offline_access roles web-origins
      email_attribute_path: email
      login_attribute_path: username
      name_attribute_path: full_name
      auth_url: 'xxx://ssoxxxx.xxx.xxx/auth/realms/xxx/protocol/openid-connect/auth'
      token_url: 'xxxx://ssoxxxx.xxx.xxx/auth/realms/xxx/protocol/openid-connect/token'
      api_url: 'xxx://ssoxxxx.xxx.xxx/realms/xxx/protocol/openid-connect/userinfo'
      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
    server:
      domain: grafanaxxx.xxx.xxx
      root_url: https://grafana.xx.xxx/
    security:
      # same key: value syntax as the sections above; "key = value" lines would not be parsed as settings here
      allow_embedding: true
      cookie_secure: true
      cookie_samesite: none

This is the log of the Grafana pod after login through Keycloak

logger=cleanup t=2024-06-12T06:26:21.886238527Z level=info msg="Completed cleanup jobs" duration=5.773243ms
logger=grafana.update.checker t=2024-06-12T06:26:21.991395115Z level=info msg="Update check succeeded" duration=16.886788ms
logger=plugins.update.checker t=2024-06-12T06:26:22.065807047Z level=info msg="Update check succeeded" duration=60.296791ms

logger=context userId=0 orgId=0 uname= t=2024-06-12T06:28:09.636854184Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=xx.xxxxxx.xxx time_ms=0 duration=976.488µs size=342 referer=https://grafana.xxx.xxxxxx/login handler=/login/:name

logger=oauth t=2024-06-12T06:28:47.114656396Z level=info msg="state check" queryState=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cookieState=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

logger=oauth.generic_oauth t=2024-06-12T06:28:47.162674783Z level=warn msg="No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set skip_org_role_sync for your provider to true"

logger=oauth.generic_oauth t=2024-06-12T06:28:47.1657884Z level=error msg="Error getting email address" url=https://sso.xxxx.xxx/realms/xxx/protocol/openid-connect/userinfo/emails error="<html><head><title>Error</title></head><body>404 - Not Found</body></html>"

logger=context userId=0 orgId=0 uname= t=2024-06-12T06:28:47.165859057Z level=error msg="login.OAuthLogin(get info from generic_oauth)" error="Error getting email address: <html><head><title>Error</title></head><body>404 - Not Found</body></html>"

logger=context userId=0 orgId=0 uname= t=2024-06-12T06:28:47.166024592Z level=error msg="Request Completed" method=GET path=/login/generic_oauth status=500 remote_addr=xxx.xxxx.xxx.xxxx time_ms=52 duration=52.300622ms size=1372 referer= handler=/login/:name

That looks wrong. I think you missed auth in the URL.

Okay, thank you, I will try with the auth.

I kept the auth but still get the same error.

This is the log after putting in the auth

logger=oauth t=2024-06-12T13:42:14.484380685Z level=info msg="state check" queryState=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cookieState=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

logger=oauth.generic_oauth t=2024-06-12T13:42:14.520700903Z level=warn msg="No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set skip_org_role_sync for your provider to true"
logger=oauth.generic_oauth t=2024-06-12T13:42:14.523008404Z level=error msg="Error getting email address" url=https://ssoxx.xxx.xx.xx/realms/xx/protocol/openid-connect/userinfo/emails error="<html><head><title>Error</title></head><body>404 - Not Found</body></html>"

logger=context userId=0 orgId=0 uname= t=2024-06-12T13:42:14.52304561Z level=error msg="login.OAuthLogin(get info from generic_oauth)" error="Error getting email address: <html><head><title>Error</title></head><body>404 - Not Found</body></html>"

logger=context userId=0 orgId=0 uname= t=2024-06-12T13:42:14.523138888Z level=error msg="Request Completed" method=GET path=/login/generic_oauth status=500 remote_addr=XXX.XXX.XXXX time_ms=39 duration=39.198048ms size=1372 referer= handler=/login/:name

logger=context t=2024-06-12T13:42:23.050168732Z level=warn msg="failed to look up session from cookie" error="user token not found"

logger=context userId=0 orgId=0 uname= t=2024-06-12T13:42:23.050529174Z level=warn msg=Unauthorized error="user token not found" remote_addr=XXX.XXX.XXXX  traceID=

logger=context userId=0 orgId=0 uname= t=2024-06-12T13:42:23.050583876Z level=info msg="Request Completed" method=GET path=/api/live/ws status=401 remote_addr=XXX.XXX.XXXX  time_ms=0 duration=699.302µs size=40 referer= handler=/api/live/ws

Make sure that Keycloak provides the email in the email claim in the ID token, access token or userinfo response.

Thanks, it worked after putting the email in Keycloak; it only had my username.
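An offline preflight for the mapping discussed in this thread, added here as an example; it is not Grafana or Keycloak code. It takes a userinfo document as Grafana would see it and applies the attribute paths from the posted grafana.ini (email_attribute_path: email, login_attribute_path: username, name_attribute_path: full_name) plus the role_attribute_path expression, re-implemented in plain Python rather than JMESPath. A missing email claim is reported the way the log shows it: Grafana's generic_oauth falls back to the GitHub-style private-emails endpoint, GET api_url + "/emails", which Keycloak does not serve, hence the 404 on .../userinfo/emails. It also checks the point raised in the first reply, that auth_url, token_url and api_url must agree on the path prefix before /realms/. The hostname, realm and the sample userinfo documents are constructed for the example.

```python
"""Preflight for a Grafana generic_oauth -> Keycloak mapping (added example)."""
import json
from urllib.parse import urlparse

# Attribute paths copied from the grafana.ini posted in the thread.
EMAIL_ATTR = "email"
LOGIN_ATTR = "username"
NAME_ATTR = "full_name"

# Assumed endpoints: hostname and realm are placeholders, not the poster's.
BASE = "https://sso.example.test"
AUTH_URL = BASE + "/auth/realms/demo/protocol/openid-connect/auth"
TOKEN_URL = BASE + "/auth/realms/demo/protocol/openid-connect/token"
API_URL_NO_AUTH = BASE + "/realms/demo/protocol/openid-connect/userinfo"
API_URL_WITH_AUTH = BASE + "/auth/realms/demo/protocol/openid-connect/userinfo"

# Constructed userinfo documents. The first mirrors the poster's situation:
# the account only had a username, no email. Claim names 'username' and
# 'full_name' are assumed to come from the realm's mappers (Keycloak's
# defaults are 'preferred_username' and 'name').
USERINFO_NO_EMAIL = {"sub": "1c2d", "username": "alice", "full_name": "Alice A.",
                     "roles": ["editor"]}
USERINFO_OK = {"sub": "1c2d", "username": "alice", "full_name": "Alice A.",
               "email": "alice@example.test", "roles": ["editor", "web-origins"]}
USERINFO_NO_ROLES = {"sub": "9f8e", "username": "bob", "full_name": "Bob B.",
                     "email": "bob@example.test"}


def check_urls(auth_url, token_url, api_url):
    """Return a list of problems; empty when the three endpoints share the
    same path prefix up to /realms/ (with or without /auth, the prefix only
    has to be consistent, the right one depends on the Keycloak version)."""
    prefixes = {}
    for label, url in (("auth_url", auth_url), ("token_url", token_url), ("api_url", api_url)):
        path = urlparse(url).path
        if "/realms/" not in path:
            return [f"{label} has no /realms/ segment: {url}"]
        prefixes[label] = path.split("/realms/", 1)[0] or "/"
    if len(set(prefixes.values())) > 1:
        return ["endpoint path prefixes differ: "
                + ", ".join(f"{k}={v}" for k, v in prefixes.items())]
    return []


def resolve_role(info):
    """Plain-Python equivalent of the posted role_attribute_path:
    contains(roles[*],'admin') && 'Admin' || contains(roles[*],'editor') && 'Editor' || 'Viewer'.
    Without a top-level 'roles' array the expression has nothing to match, which
    is when Grafana logs 'No valid role found. Skipping role sync'."""
    roles = info.get("roles")
    if not isinstance(roles, list):
        return None, ("no top-level 'roles' array in userinfo; role_attribute_path "
                      "cannot match (Grafana: 'No valid role found. Skipping role sync')")
    if "admin" in roles:
        return "Admin", None
    if "editor" in roles:
        return "Editor", None
    return "Viewer", None


def map_userinfo(info, api_url):
    """Apply the attribute paths and report what Grafana would do."""
    result = {"login": info.get(LOGIN_ATTR), "name": info.get(NAME_ATTR),
              "email": info.get(EMAIL_ATTR), "role": None, "warnings": [], "error": None}
    role, warning = resolve_role(info)
    result["role"] = role
    if warning:
        result["warnings"].append(warning)
    if not result["email"]:
        # No email claim: Grafana's generic_oauth then tries api_url + "/emails"
        # (GitHub-style private emails), which Keycloak answers with 404 and the
        # login fails with "Error getting email address".
        result["error"] = (f"no '{EMAIL_ATTR}' claim; Grafana will GET {api_url}/emails "
                           "and fail with 'Error getting email address'")
    return result


if __name__ == "__main__":
    print("url check:", check_urls(AUTH_URL, TOKEN_URL, API_URL_NO_AUTH) or "consistent")
    for label, doc in (("no email", USERINFO_NO_EMAIL), ("ok", USERINFO_OK),
                       ("no roles", USERINFO_NO_ROLES)):
        print(label, json.dumps(map_userinfo(doc, API_URL_WITH_AUTH), indent=2))
```

To run the same check against a real realm, obtain a token for the Grafana client and GET the configured api_url with an Authorization: Bearer header; the JSON you get back is what map_userinfo expects. If the email is absent there, fix it on the Keycloak side (the user's email attribute and the email scope/mapper), as the thread concluded; if the claim names differ from the config (Keycloak emits preferred_username and name by default), adjust the *_attribute_path settings or add mappers rather than editing the expression blindly.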