How to enable JWT Authentication for Grafana v8.5.22

  • What Grafana version and what operating system are you using?
    Grafana v8.5.22 setup on Linux
  • What are you trying to achieve?
    Trying to enable JWT Authentication for accessing existing dashboards but configuration is not working
  • How are you trying to achieve it?
  1. Generated Public and Private keys at /etc/grafana directory with below commands

openssl genpkey -algorithm RSA -out private.key
openssl rsa -pubout -in private.key -out public.key

  2. Gave the required access to these 2 files with the commands below, following the same ownership (root:grafana) as the other files in the same directory /etc/grafana

chown root:grafana *.key
chmod 777 *.key
(Note: 777 is only temporary, I will change it later to 755)

  3. Configured the details below in /etc/grafana/grafana.ini

[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = sub
username_claim = sub
key_file = /etc/grafana/private.key
auto_sign_up = true
url_login = true
skip_org_role_sync = true

  4. Restarted Grafana with the command below
    sudo service grafana-server restart

  5. Generated a JWT token with the python3 script below

a) Install pyjwt module
pip install pyjwt

b) Python script to generate token as below ‘script.py’

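import jwt

# RS256 signing uses the PEM-encoded RSA private key generated above
private_key = open('private.key').read()
# 'exp' is a Unix timestamp in seconds; 'sub' is the claim named by email_claim/username_claim
token = jwt.encode({'exp': 1681880400, 'sub': 'existinguser@email.com'}, private_key, algorithm='RS256')
print(token)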

  6. Then used the JWT token with the URL below to access an existing dashboard (validated using an incognito window)

http://grafana.staged-by-discourse.com/d/TPQDREZ/simple-streaming-example?orgId=1&kiosk&jwt=<JWT_Token>

  7. But it is redirecting me to the login page with error status code 302 in the logs at /var/log/grafana/grafana.log
    (Note: I have already enabled debug level and then collected logs)

logger=context traceID=000000000000000000000000000 userId=0 orgId=0 uname= t=2023-04-22T18:14:00.66-0500 lvl=info msg="Request Completed" method=GET path=/d/TPQDREZ/simple-streaming-example status=302 remote_addr=127.0.0.1 time_ms=0 duration=164.93µs size=29 referer= traceID=000000000000000000000000000

  • What happened?
    Getting error status code 302 in debug logs at /var/log/grafana and URL getting redirected to login page.

  • What did you expect to happen?
    I’m expecting that grafana shows me a kiosk view page of dashboard when trying to use jwt token in URL

  • Can you copy/paste the configuration(s) that you are having problems with?

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • Did you follow any online instructions? If so, what is the URL?
    I followed grafana documentation for setup which is not working for JWT Authentication.
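
An added example, not part of the original posts and not Grafana's own code: a standard-library check that decodes a token's header and payload without verifying the signature and lists the claim and time problems a verifier may reject it for. The sample token is constructed from the payload in the script above with a placeholder signature; `inspect_token` and the other names are hypothetical.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

def encode_segment(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment):
    """Decode one base64url JWT segment to a dict, restoring the stripped padding."""
    data = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(data, dict):
        raise ValueError("segment is not a JSON object")
    return data

def inspect_token(token, now, claim="sub", expected_alg="RS256"):
    """List reasons a verifier may reject the token. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT: expected header.payload.signature"]
    try:
        header, payload = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != expected_alg:
        problems.append("alg is %r, expected %r" % (header.get("alg"), expected_alg))
    # Default claim "sub" mirrors email_claim/username_claim in the config above.
    if not payload.get(claim):
        problems.append("claim %r is missing or empty" % claim)
    ts = now.timestamp()
    checks = (("exp", lambda v: v <= ts, "expired"),
              ("nbf", lambda v: v > ts, "not yet valid"),
              ("iat", lambda v: v > ts, "issued in the future"))
    for name, is_bad, text in checks:
        value = payload.get(name)
        if isinstance(value, (int, float)) and is_bad(value):
            when = datetime.fromtimestamp(value, timezone.utc).isoformat()
            problems.append("%s: %s (%s)" % (name, text, when))
    return problems

# Constructed sample: payload from the script in the post, placeholder signature.
SAMPLE = ".".join([encode_segment({"alg": "RS256", "typ": "JWT"}),
                   encode_segment({"exp": 1681880400, "sub": "existinguser@email.com"}),
                   "placeholder-signature"])
# Timestamp of the 302 entry in the post's log: 2023-04-22T18:14:00-05:00.
LOG_TIME = datetime(2023, 4, 22, 18, 14, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    print(inspect_token(SAMPLE, LOG_TIME) or "no claim or time problems found")
```

Run against the payload and log timestamp from the post, it reports `exp` as expired: 1681880400 is 2023-04-19T05:00:00Z, three days before the logged request.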

I have grafana 10.1.2

In my grafana.ini is:
auto_sign_up = false
enable_login_token = true
and in the URL is .xxx.xxx:3000/?auth_token= and not &jwt=

I create my tokens with:

To do this, I read out the grafana.keys with an editor.
e.g. sudo nano /etc/grafana/grafana.key (raspberry pi)

Tip:
“iat” for the token can be created here:

:wink:

auth.jwt
allow_assign_grafana_admin = true
auto_sign_up=false
cache_ttl=60m
email_claim=sub
enable_login_token=true
enabled=true
expect_claims={}
header_name=X-JWT assertion
jwk_set_file=
jwk_set_url=
key_file=/etc/grafana/grafana.key.pub
role_attribute_path=
role_attribute_strict=false
skip_org_role_sync=false
url_login=true
username_claim=sub


What I forgot:
I created my grafana keys (raspberry pi) like this:

cd /etc/grafana/
sudo ssh-keygen -t rsa -b 4096 -m PEM -f grafana.key -N ""
sudo openssl rsa -in grafana.key -pubout -outform PEM -out grafana.key.pub

sudo systemctl restart grafana-server

and

sudo nano /etc/grafana/grafana.key
sudo nano /etc/grafana/grafana.key.pub

:slight_smile: