JWT Authentication details

I’m trying to set up JWT Authentication according to the documentation, and am confused about how it’s supposed to work. Currently I have an HTML page issuing a GET request via JavaScript to /login with a JWT header. I can tell that it is validating the JWT because if I give it an expired JWT, it responds with a 401 and a message about it being an invalid JWT, whereas a valid JWT returns HTML. But there is no session established even with a valid JWT.

So my confusion is how this functionality is intended to be used. Is the idea to establish a session to Grafana as though someone logged in normally? And if so, what URL should you hit with the JWT header to authenticate the user? /login? That doesn’t seem to work to establish a session. An end-to-end example would be extremely helpful.

The idea is to have a proxy for authentication/authorization in front of Grafana, which provides details about the user/user role via a JWT token. It is similar to the Grafana auth proxy, but that concept works with header values and not with JWT.

Thank you! Was there any talk of ever allowing the JWT to be passed as a cookie as well as a header? This would remove the need to have a proxy.

That sounds like OIDC = Grafana OAuth auth. That is already implemented.

To an extent, though suppose you want to embed a Grafana dashboard panel in a different application (which Grafana supports with an iframe). How do you initiate OIDC with Grafana when it’s time to render the iframe? First off, most OIDC providers don’t allow authentication to happen in an iframe. Secondly, I don’t see a way to force authentication to immediately redirect to the OAuth provider without landing on the generic login page. Third, this would likely lead to an awkward user experience as the user might be clicking around the application, land on the page with the Grafana iframe, and suddenly be forced to re-authenticate. Having Grafana accept a JWT as a cookie would get around these issues without the need for a proxy layer. Is there a way around these issues using OIDC that I’m missing?

Oooooh, we are finally in the most beloved feature of all users who want to iframe their Grafana in their (usually SPA) apps with authentication.

As usual, the doc is your friend (or defaults.ini, which has comments). Let me save you time:

# Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured.
oauth_auto_login = false

You are absolutely right that most OIDC providers don’t allow authentication in the iframe. But you don’t need authentication (= login form). The user already has an SSO session initialized by Grafana auth when the iframe is rendered, so the IdP issues a token without authentication, based on the existing SSO session; that is the main feature of the SSO protocol.

So you will be the winner of a seamless user auth experience, plus other related problems which you probably don’t see now (lifetime of the Grafana session <= SSO lifetime; pickier, more secure browsers may not send a cookie for the SSO session, …).

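As an added illustration (not from this thread or from the Grafana project), the grafana.ini fragment below puts the auto-login setting quoted above next to the embedding and cookie settings that the session-lifetime and "picky browser" caveats refer to. The section and key names are taken from Grafana's defaults.ini as I know it and should be checked against the installed version; the host names, client id and secret are placeholders.

```ini
# grafana.ini (illustrative fragment; placeholder values, verify keys against your defaults.ini)

[auth]
# Skip Grafana's own login screen and go straight to the OAuth provider.
# Only honoured when a single OAuth provider is configured.
oauth_auto_login = true
# Keep the Grafana session no longer than the IdP's SSO session (lifetime caveat):
# when it lapses the browser is sent back to the IdP, which reissues a token
# silently as long as its own SSO cookie is still valid.
login_maximum_lifetime_duration = 8h

[auth.generic_oauth]
enabled = true
name = Example IdP
allow_sign_up = true
client_id = <client-id-placeholder>
client_secret = <client-secret-placeholder>
scopes = openid profile email
auth_url = https://idp.example.com/oauth2/authorize
token_url = https://idp.example.com/oauth2/token
api_url = https://idp.example.com/oauth2/userinfo

[security]
# Without this Grafana answers with X-Frame-Options: deny and no iframe renders at all.
allow_embedding = true
# When the embedding app lives on another site, Grafana's session cookie is a
# third-party cookie; browsers only send it if it is Secure and SameSite=None.
# The default (lax) is what makes "picky" browsers drop the cookie inside the iframe.
cookie_secure = true
cookie_samesite = none
```

Both allow_embedding and SameSite=None relax default browser protections (clickjacking, cross-site cookie sending), so enable them only for the deployment that actually embeds Grafana and keep the session lifetime short.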

That all makes sense. Thanks!