I want to enable JWT token in grafana ,so that i don't want to give send username and password to client..When i am trying this it is showing failed to start

stutishovanamohanty · August 11, 2023, 10:49am

when i am enabling in grafana.ini services it is coming in log file
please assist anyone

logger=context t=2023-08-11T15:52:58.01320217+05:30 level=warn msg=“invalid API key” error=“invalid API key” traceID=
logger=context userId=0 orgId=0 uname= t=2023-08-11T15:52:58.013467352+05:30 level=info msg=“Request Completed” method=POST path=/api/auth/keys status=401 remote_addr=[::1] time_ms=0 duration=321.754µs size=43 referer=
logger=context userId=1 orgId=1 uname=admin t=2023-08-11T15:54:28.222579996+05:30 level=info msg=“Request Completed” method=GET path=/api/live/ws status=-1 remote_addr=127.0.0.1 time_ms=10 duration=10.934407ms size=0 referer= handler=/api/live/ws
logger=context userId=1 orgId=1 uname=admin t=2023-08-11T15:55:16.872764342+05:30 level=info msg=“Request Completed” method=GET path=/api/live/ws status=-1 remote_addr=127.0.0.1 time_ms=4 duration=4.924194ms size=0 referer= handler=/api/live/ws
logger=cleanup t=2023-08-11T16:01:52.472277698+05:30 level=info msg=“Completed cleanup jobs” duration=13.981014ms
logger=grafana.update.checker t=2023-08-11T16:01:52.780481126+05:30 level=info msg=“Update check succeeded” duration=89.933004ms
logger=plugins.update.checker t=2023-08-11T16:01:53.583038533+05:30 level=info msg=“Update check succeeded” duration=651.307308ms
logger=cleanup t=2023-08-11T16:11:52.471210333+05:30 level=info msg=“Completed cleanup jobs” duration=12.935601ms
logger=grafana.update.checker t=2023-08-11T16:11:52.718932805+05:30 level=info msg=“Update check succeeded” duration=27.580086ms
logger=plugins.update.checker t=2023-08-11T16:11:53.321159523+05:30 level=info msg=“Update check succeeded” duration=389.890484ms

mmillies · August 11, 2023, 3:01pm

Hi,

This seems to happen to me when grafana didn’t recognize my passed in JWT as a JWT. More specifically, if you happened to specify the incoming header as Authorization as opposed to some other custom header for passing your JWT and it doesn’t recognize the token as a JWT one.

One silent error that really messed with me for a while was that the JWT implementation appears to require the claim sub to exist on your token. But the message alerting you to it appears to never be reached/logged as a result of a guard in the code.

issue with sub property requirement silently failing JWT processing:

request stopped here:

github.com

grafana/grafana/blob/a9d2bbc814bf9f8e3d9a69660fce8f18c7d259b8/pkg/services/authn/authnimpl/service.go#L194


      
          	// postLoginHooks are called after a login request is performed, both for failing and successful requests.
          	postLoginHooks *queue[authn.PostLoginHookFn]
          }
          
          func (s *Service) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
          	ctx, span := s.tracer.Start(ctx, "authn.Authenticate")
          	defer span.End()
          
          	var authErr error
          	for _, item := range s.clientQueue.items {
          		if item.v.Test(ctx, r) {
          			identity, err := s.authenticate(ctx, item.v, r)
          			if err != nil {
          				// Note: special case for token rotation
          				// We don't want to fallthrough in this case
          				if errors.Is(err, authn.ErrTokenNeedsRotation) {
          					return nil, err
          				}
          
          				authErr = errors.Join(authErr, err)
          				// try next

guard existing JWT processing due to missing sub:

github.com

grafana/grafana/blob/a9d2bbc814bf9f8e3d9a69660fce8f18c7d259b8/pkg/services/authn/clients/jwt.go#L160


      
          		return false
          	}
          
          	jwtToken := s.retrieveToken(r.HTTPRequest)
          
          	if jwtToken == "" {
          		return false
          	}
          
          	// If the "sub" claim is missing or empty then pass the control to the next handler
          	if !authJWT.HasSubClaim(jwtToken) {
          		return false
          	}
          
          	return true
          }
          
          func (s *JWT) Priority() uint {
          	return 20
          }

the message I would have liked to have received to save me time and effort troubleshooting. (but the execution path never makes it here given the above code references.

/pkg/services/authn/clients/jwt.go#L64

If your token has a sub claim in it, and you’re not using the Authentication header, and you still have this issue. I’ll need more info about your grafana.ini [auth.jwt] section, I’m just tossing guesses out based on my own experience trying to integrate via the JWT plugin. Be sure to sanitize any identifying/sensitive details in the section before you post anything.

best of luck.