Hi
I am trying to use keycloak in front of grafana based on groups, but I am surely configuring it badly.
bash-5.0$ cat grafana.ini
...
[auth]
disable_login_form = false
disable_signout_menu = false
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer
[auth.generic_oauth]
allow_sign_up = true
api_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo
auth_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth
client_id = grafana_client
client_secret = dba1f...2e67b3f
enabled = true
name = Oauth
role_attribute_path = contains(groups[*], 'ADMIN') && 'Admin' || contains(groups[*], 'EDITOR') && 'Editor' || 'Viewer'
scopes = openid profile email groups
token_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/token
...
[server]
root_url = https://grafana.home.lab
[users]
allow_org_create = true
allow_sign_up = true
auto_assign_org = true
auto_assign_org_role = Admin
default_theme = dark
login_hint = email or username
verify_email_enabled = false
Gatekeeper config:
client-id: grafana_client
client-secret: dba1f05xxxcd2e67b3f
discovery-url: https://keycloak.home.lab/auth/realms/master
skip-upstream-tls-verify: true
skip-openid-provider-tls-verify: true
encryption-key: xxx
listen: 0.0.0.0:4181
secure-cookie: false
enable-logging: true
enable-json-logging: true
enable-default-deny: true
enable-refresh-tokens: true
enable-session-cookies: true
debug: true
ingress.enabled: true
resources:
- uri: /favicon
white-listed: true
Keycloak configuration:
Trying to access grafana, I am redirected to keycloak authentication, and then get a 403 not authorized with this log in the gatekeeper:
2020-07-09T07:47:26.340944547Z {"level":"error","ts":1594280846.3407192,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
2020-07-09T07:47:26.340996941Z {"level":"info","ts":1594280846.3409455,"msg":"client request","latency":0.000231746,"status":307,"bytes":95,"client_ip":"172.18.134.7:44418","method":"GET","path":"/metrics"}
2020-07-09T07:47:26.342194683Z {"level":"info","ts":1594280846.3420002,"msg":"client request","latency":0.000195545,"status":307,"bytes":302,"client_ip":"172.18.134.7:44418","method":"GET","path":"/oauth/authorize"}
2020-07-09T07:47:34.386052353Z {"level":"error","ts":1594280854.3854544,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
2020-07-09T07:47:34.387370276Z {"level":"info","ts":1594280854.3859878,"msg":"client request","latency":0.000632036,"status":307,"bytes":95,"client_ip":"10.0.2.15:59012","method":"GET","path":"/"}
2020-07-09T07:47:34.391639527Z {"level":"info","ts":1594280854.3906834,"msg":"client request","latency":0.00004895,"status":307,"bytes":302,"client_ip":"10.0.2.15:59012","method":"GET","path":"/oauth/authorize"}
2020-07-09T07:47:39.216971957Z {"level":"error","ts":1594280859.216297,"msg":"unable to exchange code for access token","error":"unknown_error"}
Any help is welcome … I wonder if in Keycloak the redirect_url should not be grafana but the gatekeeper.
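Two offline checks that help narrow down a setup like the one above, added here as an example and not part of the original post: the first compares the grafana.ini OAuth URLs against the provider's discovery document (the sample discovery JSON is constructed to mirror the gatekeeper's https discovery-url, not captured from the poster's realm), and the second evaluates the post's role_attribute_path expression against sample userinfo claims, including the case where the groups claim is missing or carries Keycloak-style full group paths.

```python
import configparser

# Constructed excerpt of the grafana.ini from the post (secret omitted).
GRAFANA_INI = """
[auth.generic_oauth]
api_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo
auth_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth
token_url = http://keycloak.home.lab/auth/realms/master/protocol/openid-connect/token
scopes = openid profile email groups
"""

# Constructed sample of <discovery-url>/.well-known/openid-configuration, assumed
# to advertise https endpoints because the gatekeeper's discovery-url is https.
DISCOVERY = {
    "issuer": "https://keycloak.home.lab/auth/realms/master",
    "authorization_endpoint": "https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo",
}

# Which grafana.ini key must equal which discovery field.
ENDPOINT_PAIRS = {"auth_url": "authorization_endpoint",
                  "token_url": "token_endpoint",
                  "api_url": "userinfo_endpoint"}


def check_endpoints(ini_text, discovery):
    """Return one string per grafana.ini OAuth URL that differs from the discovery document."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    section = cfg["auth.generic_oauth"]
    return [f"{key}={section[key]} != {disc_key}={discovery[disc_key]}"
            for key, disc_key in ENDPOINT_PAIRS.items()
            if section[key] != discovery[disc_key]]


def resolve_role(claims):
    """Hand-evaluate the post's role_attribute_path:
    contains(groups[*],'ADMIN') && 'Admin' || contains(groups[*],'EDITOR') && 'Editor' || 'Viewer'
    contains() on a list is exact element equality, so a Keycloak group mapper that emits
    full paths such as "/ADMIN" does not match 'ADMIN'. A missing groups claim yields Viewer
    (assumption: Grafana falls back to the last alternative when the claim is absent)."""
    groups = claims.get("groups") or []
    if "ADMIN" in groups:
        return "Admin"
    if "EDITOR" in groups:
        return "Editor"
    return "Viewer"


if __name__ == "__main__":
    for problem in check_endpoints(GRAFANA_INI, DISCOVERY):
        print("mismatch:", problem)
    print(resolve_role({"groups": ["/ADMIN"]}))  # Viewer: full path does not equal 'ADMIN'
```

With the sample data the endpoint check reports three http-versus-https mismatches, which is the kind of inconsistency between grafana.ini and the gatekeeper discovery-url that is worth ruling out before looking at the Keycloak client's redirect URIs.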