What Grafana version and what operating system are you using?
Grafana Enterprise 11.6, running on Azure Kubernetes Service (AKS).
What are you trying to achieve?
I want to ensure that Grafana respects OIDC session validity by stopping token rotation and expiring sessions when the upstream Keycloak session is terminated.
How are you trying to achieve it?
Using Generic OIDC authentication with Keycloak. I've enabled refresh token rotation with the following config:
token_rotation_interval_minutes = 4
The Keycloak client has:
- Refresh token reuse disabled
- Revoke refresh tokens enabled
- Short token lifespans (5 min)
- Verified session termination in Keycloak
What happened?
Grafana successfully logs in via Keycloak. If I kill the Keycloak session (via admin UI or REST API), the Grafana session continues unaffected. The rotate calls even succeed; they don't seem to call Keycloak at all. There are no relevant logs or requests to Keycloak during the token rotation period. I see that the grafana_session's browser expiry time gets incremented with each rotate.
What did you expect to happen?
I expected Grafana to fail to rotate tokens (and invalidate the session) once the Keycloak session was removed. I also expected token rotation to involve calling Keycloak's /token endpoint, which doesn't appear to happen even after auth token expiry.
Can you copy/paste the configuration(s) that you are having problems with?
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = grafana
client_secret = ...
scopes = openid profile email
auth_url = https://....example.com/realms/myrealm/protocol/openid-connect/auth
token_url = https://....example.com/realms/myrealm/protocol/openid-connect/token
api_url = https://....example.com/realms/myrealm/protocol/openid-connect/userinfo
role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || 'Viewer'
use_refresh_token = true
token_rotation_interval_minutes = 4
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
No errors. Even after the Keycloak session is terminated, Grafana continues to function normally. In debug mode, I see no logs related to token refresh hitting Keycloak when expected.
Did you follow any online instructions? If so, what is the URL?
Yes, followed:
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
Also cross-checked with Keycloak docs on session and token revocation behavior.
Thank You
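To make the expected coupling concrete, here is an added example (not Grafana's or Keycloak's code) that models the behaviour described above: a session is extended only when the upstream refresh-token grant succeeds, and an invalid_grant from the IdP invalidates it instead of extending it. Refresher, Session, Rotate and FakeIdP are hypothetical names; the fake IdP consumes each refresh token once, mirroring the disabled-reuse setting, and RevokeSession stands in for terminating the session in the admin UI.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrInvalidGrant models the OAuth 2.0 "invalid_grant" error Keycloak returns once a refresh token or its session is revoked.
var ErrInvalidGrant = errors.New("invalid_grant")

// Refresher is a hypothetical interface over the IdP's refresh-token grant.
type Refresher interface{ Refresh(refreshToken string) (string, error) }

// Session is a minimal model of a browser session bound to an IdP refresh token.
type Session struct {
	RefreshToken string
	Expires      time.Time
	Valid        bool
}

// Rotate extends the session only if the IdP still accepts the refresh token; a rejection invalidates it instead.
func Rotate(s *Session, idp Refresher, now time.Time, ttl time.Duration) error {
	next, err := idp.Refresh(s.RefreshToken)
	if err != nil {
		s.Valid = false // upstream session is gone: do not extend
		return err
	}
	s.RefreshToken, s.Expires = next, now.Add(ttl)
	return nil
}

// FakeIdP is a constructed Keycloak stand-in: refresh tokens are single-use (reuse disabled).
type FakeIdP struct {
	Live map[string]bool // refresh tokens still accepted
	n    int
}

func (f *FakeIdP) Refresh(rt string) (string, error) {
	if !f.Live[rt] {
		return "", ErrInvalidGrant
	}
	delete(f.Live, rt) // consume it: a replayed token must fail
	f.n++
	next := fmt.Sprintf("rt-%d", f.n)
	f.Live[next] = true
	return next, nil
}

func (f *FakeIdP) RevokeSession() { f.Live = nil } // admin terminates the user session
```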