How to use keycloak token for Grafana API Authentication

sagarbhathwar · July 10, 2020, 5:27am

Is there a way to authenticate grafana API without using API key and with basic auth disabled, but using keycloak token?

I have disabled basic auth and configured grafana to use keycloak SSO, with auto login set to true. I also need to embed grafana in my web application, where I need to fetch the list of dashboards with GET /api/search and display the selected dashboard.

I’ve also set the serve_from_subpath flag to true and configured nginx reverse proxy to serve grafana from a subpath of my web application’s root url.

The API only works if I first login to grafana and then launch my web application, since the grafana_session cookie is created by logging into grafana first and eventually my web application can use this cookie for authentication. But if the web application is launched first, the API calls fail with a 401 unauthorized. The API does not work with the keycloak token obtained by logging into my web application, but opening grafana does not redirect me to oauth login but instead uses the session created by my web application(since both use the same client_id).

Here is my configuration:

- name: "GF_SECURITY_ALLOW_EMBEDDING"
  value: "true"
- name: "GF_AUTH_BASIC_ENABLED"
  value: "false"
- name: "GF_AUTH_DISABLE_LOGIN_FORM"
  value: "true"
- name: "GF_AUTH_ANONYMOUS_ENABLED"
  value: "false"
- name: "GF_AUTH_GENERIC_OAUTH_ENABLED"
  value: "true"
- name: "GF_AUTH_OAUTH_AUTO_LOGIN"
  value: "true"
- name: "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"
  value: "grafana"
- name: "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"
  value: "XXXXX"
- name: "GF_AUTH_GENERIC_OAUTH_AUTH_URL"
  value: "http://keycloak.example.com/auth"
- name: "GF_AUTH_GENERIC_OAUTH_TOKEN_URL"
  value: "http://keycloak.example.com/token"
- name: "GF_AUTH_GENERIC_OAUTH_API_URL"
  value: "http://keycloak.example.com/userinfo"
- name: "GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE"
  value: "true"
- name: "GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS"
  value: "example.com"
- name: "GF_SERVER_DOMAIN"
  value: "example.com"
- name: "GF_SERVER_SERVE_FROM_SUB_PATH"
  value: "true"
- name: "GF_SERVER_ROOT_URL"
  value: "http://example.com/grafana"
- name: "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH"
  value: "contains(roles[], 'Admin') && 'Admin' || contains(roles[], 'Editor') && 'Editor' || 'Viewer'"
- name: "GF_AUTH_GENERIC_OAUTH_SCOPES"
  value: "openid email profile"
- name: "GF_AUTH_SIGNOUT_REDIRECT_URL"
  value: "http://keycloak.example.com/logout?redirect_uri=http://example.com/grafana"
- name: "GF_SECURITY_COOKIE_SAMESITE"
  value: "none"

danistrigaro · October 2, 2020, 9:15am

Do you have news on it?

jant02 · May 28, 2023, 1:23pm

Is it nowadays possible to use a keycloak access token just like a grafana API token as a Bearer token to authenticate an API request?

(Authenticate grafana API request with keycloak access token)

salvatoredibenedetto · November 22, 2023, 5:30pm

How is it possible to get the keycloak bearer token after the login? @jant02 @sagarbhathwar