Issues with Keycloak integration

I’m facing issue with Keycloak integration in Grafana:

With this grafana.ini:

instance_name = grafana

level = error

; domain = host.docker.internal
root_url = http://localhost:13000
enforce_domain = false
enable_gzip = true

admin_user = admin
admin_password = admin

name = OAuth
enabled = true
client_id = grafana
client_secret = <my client secret>
scopes = openid profile roles
; email_attribute_name = email:primary
auth_url = http://<keycloak IP>/auth/realms/mcs/protocol/openid-connect/auth
token_url = http://<keycloak IP>/auth/realms/mcs/protocol/openid-connect/token
api_url = http://<keycloak IP>/auth/realms/mcs/protocol/openid-connect/userinfo
allow_sign_up = false
disable_login_form = true
oauth_auto_login = true
tls_skip_verify_insecure = true

; Roles from Client roles in Keycloak
role_attribute_path = contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'

I can be redirected to Keycloak login page, but after login grafana has this error:

t=2021-10-15T11:48:58+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"Code not valid\"}"
t=2021-10-15T11:48:58+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr= time_ms=647 size=733 referer=

What happens? What I am missing from configuration?

This topic was automatically closed after 365 days. New replies are no longer allowed.