Grafana / Keycloak with Keycloak gatekeeper on K8S - cannot make it work

Hi

I am trying to use keycloak in front of grafana based on groups, but I am surely configuring it badly.

bash-5.0$ cat grafana.ini 
...
[auth]
disable_login_form = false
disable_signout_menu = false
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer
[auth.generic_oauth]
allow_sign_up = true
api_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo
auth_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth   
client_id = grafana_client
client_secret = dba1f...2e67b3f
enabled = true
name = Oauth
role_attribute_path = contains(groups[*], 'ADMIN') && 'Admin' || contains(groups[*], 'EDITOR') && 'Editor' || 'Viewer'
scopes = openid profile email groups
token_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/token
...
[server]
root_url = https://grafana.home.lab
[users]
allow_org_create = true
allow_sign_up = true
auto_assign_org = true
auto_assign_org_role = Admin
default_theme = dark
login_hint = email or username
verify_email_enabled = false

Gatekeeper config:

client-id: grafana_client
client-secret: dba1f05xxxcd2e67b3f
discovery-url: https://keycloak.home.lab/auth/realms/master
skip-upstream-tls-verify: true
skip-openid-provider-tls-verify: true
encryption-key: xxx
listen: 0.0.0.0:4181
secure-cookie: false
enable-logging: true
enable-json-logging: true
enable-default-deny: true
enable-refresh-tokens: true
enable-session-cookies: true
debug: true
ingress.enabled: true
resources:
  - uri: /favicon
    white-listed: true

Keycloak configuration:

When I try to access Grafana, I am redirected to Keycloak authentication and then get a 403 Not Authorized, with this log in the gatekeeper:

2020-07-09T07:47:26.340944547Z {"level":"error","ts":1594280846.3407192,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
2020-07-09T07:47:26.340996941Z {"level":"info","ts":1594280846.3409455,"msg":"client request","latency":0.000231746,"status":307,"bytes":95,"client_ip":"172.18.134.7:44418","method":"GET","path":"/metrics"}
2020-07-09T07:47:26.342194683Z {"level":"info","ts":1594280846.3420002,"msg":"client request","latency":0.000195545,"status":307,"bytes":302,"client_ip":"172.18.134.7:44418","method":"GET","path":"/oauth/authorize"}
2020-07-09T07:47:34.386052353Z {"level":"error","ts":1594280854.3854544,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
2020-07-09T07:47:34.387370276Z {"level":"info","ts":1594280854.3859878,"msg":"client request","latency":0.000632036,"status":307,"bytes":95,"client_ip":"10.0.2.15:59012","method":"GET","path":"/"}
2020-07-09T07:47:34.391639527Z {"level":"info","ts":1594280854.3906834,"msg":"client request","latency":0.00004895,"status":307,"bytes":302,"client_ip":"10.0.2.15:59012","method":"GET","path":"/oauth/authorize"}
2020-07-09T07:47:39.216971957Z {"level":"error","ts":1594280859.216297,"msg":"unable to exchange code for access token","error":"unknown_error"}

Any help is welcome … I wonder if in Keycloak the redirect_url should not be grafana but the gatekeeper.

OK, made some progress by simply removing the Keycloak gateway. Now trying to ignore SSL verification when Grafana tries to redirect to Keycloak.

OK, got it working :-).
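As an added example (not part of the original post, and not Grafana's or Keycloak's own code), the script below does two things a reviewer of the configuration above would want to check. First, it parses the grafana.ini values from the post and flags every OAuth endpoint that is plain http while root_url is https: the token and userinfo endpoints carry the client_secret and the access token, so running them over http sends those credentials in the clear. Second, it applies the same rule as the role_attribute_path expression (contains(groups[*], 'ADMIN') && 'Admin' || contains(groups[*], 'EDITOR') && 'Editor' || 'Viewer') to sample userinfo documents, written as plain Python rather than a JMESPath evaluator, to show that a missing groups claim or a full-path group name such as "/ADMIN" (what Keycloak's Group Membership mapper emits when "Full group path" is left on) silently falls through to Viewer. The INI text and the userinfo documents are constructed for the example; the secret is a placeholder.

```python
import configparser
from urllib.parse import urlparse

# Constructed from the grafana.ini excerpt in the post; the real secret is
# replaced by a placeholder and unrelated sections are omitted.
GRAFANA_INI = """
[server]
root_url = https://grafana.home.lab

[auth.generic_oauth]
enabled = true
name = Oauth
client_id = grafana_client
client_secret = PLACEHOLDER_CLIENT_SECRET
scopes = openid profile email groups
auth_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth
token_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/token
api_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo
role_attribute_path = contains(groups[*], 'ADMIN') && 'Admin' || contains(groups[*], 'EDITOR') && 'Editor' || 'Viewer'
"""

# The three generic_oauth endpoints Grafana talks to during login.
OAUTH_ENDPOINT_KEYS = ("auth_url", "token_url", "api_url")


def load_ini(text):
    """Parse an INI document; interpolation is off so '%' in values is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def check_endpoint_schemes(cfg):
    """Return the OAuth endpoint keys that use plain http while root_url is https.

    token_url receives the client_secret and returns tokens; api_url receives
    the bearer access token. Neither should travel without TLS.
    """
    section = cfg["auth.generic_oauth"]
    root_scheme = urlparse(cfg["server"]["root_url"]).scheme
    findings = []
    for key in OAUTH_ENDPOINT_KEYS:
        if root_scheme == "https" and urlparse(section[key]).scheme != "https":
            findings.append(key)
    return findings


def map_role(groups):
    """Plain-Python equivalent of the role_attribute_path expression above.

    JMESPath 'a && b || c' yields b when a is true and falls through to c
    otherwise, so the first matching group wins and Viewer is the default.
    """
    if "ADMIN" in groups:
        return "Admin"
    if "EDITOR" in groups:
        return "Editor"
    return "Viewer"


def role_from_userinfo(userinfo):
    """Resolve the Grafana role for a userinfo response (a dict).

    A missing 'groups' claim behaves like an empty list: the user is still
    signed in (allow_sign_up = true) but lands as Viewer, not Admin.
    """
    groups = userinfo.get("groups") or []
    return map_role(groups)


if __name__ == "__main__":
    cfg = load_ini(GRAFANA_INI)
    print("plain-http OAuth endpoints:", check_endpoint_schemes(cfg))
    # Constructed userinfo documents illustrating the edge cases.
    samples = [
        {"sub": "alice", "groups": ["ADMIN", "EDITOR"]},
        {"sub": "bob", "groups": ["EDITOR"]},
        {"sub": "carol"},                       # no groups claim at all
        {"sub": "dave", "groups": ["/ADMIN"]},  # full group path from Keycloak
    ]
    for doc in samples:
        print(doc["sub"], "->", role_from_userinfo(doc))
```

The last two samples are the ones worth watching in a real deployment: they look like configuration errors but log nothing, because the expression simply evaluates to Viewer. Either switch the Keycloak mapper to emit bare group names or match on the full path in the expression, and keep auto_assign_org_role at Viewer so that a mapping failure never grants more than it should.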