JWT Authentication issue in Grafana

I have followed the below documentation and configured the JWT setting as follows.
Link: https://grafana.com/docs/grafana/latest/auth/jwt/

    enabled = true
    header_name = X-JWT-Assertion
    email_claim = unique_name
    username_claim = nameid  
    org_claim = organization
    name_claim = given_name
    jwk_set_file = /var/lib/grafana/jwks.json
    cache_ttl = 60m
    expect_claims = {"iss": "https://<application.abc.com>/oauth2/token"}
    auto_sign_up = true

I have a generated a new JWT token from our application and did the following GET call to authenticate the user. But I am getting “Invalid JWT” error message as response.

curl -H "X-JWT-Assertion: "JWT token" https://<grafana.abc.com>/api/user

I have validated and verified the signature of the JWT token in jwt.io portal with jwks.json public key. Signature is Verified.

Error Message in Grafana Logs:

t=2022-02-21T13:43:55+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-21T13:43:55+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr= time_ms=1 size=31 referer=

Expected Output:
With Valid JWT token we are able to authenticate using JWKS.json file and fetch details if user already exists in Grafana. Create a user if not existed in Grafana database.

You didn’t show what is decoded payload of used token.

Please find the below screenshot for the decoded payload data.

Your email_claim = unique_name is an array of strings, actually. I would say it should be a string, not an array.

I have tried this email_claim = nameid configuration, but still I am getting the same error “Invalid JWT”. Here nameid value is string.

"nameid": "javeed@mail.onblick.us"

So it is one error from many probably. I don’t know. Use standard approach - increase log level to debug, find condition which causing this particular error in the source code, search for similar errors in the GitHub/Community/Stackoverlow, …
Obvious problem is also organization claim, which is also array - that’s also unusual.

I have removed the organization claim field and updated log level to debug. But still we are getting the same error. “Invalid JWT”.

Updated configuration:

    enabled = true
    header_name = X-JWT-Assertion
    email_claim = nameid
    username_claim = given_name
    jwk_set_file = /var/lib/grafana/jwks.json
    cache_ttl = 60m
    expect_claims = {"iss": "https://<Applicationidentity-serverDomain>/oauth2/token"}
    auto_sign_up = true

Log Message:

t=2022-02-23T07:39:46+0000 lvl=dbug msg="Parsing JSON Web Token" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Trying to verify JSON Web Token using a key" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Validating JSON Web Token claims" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Failed to find user using JWT claims" logger=context email_claim=javeed@mail.onblick.us username_claim=Javeed
t=2022-02-23T07:39:46+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-23T07:39:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr= time_ms=1 size=31 referer=
t=2022-02-23T07:39:52+0000 lvl=dbug msg="recording state cache metrics" logger=ngalert now=2022-02-23T07:39:52+0000
t=2022-02-23T07:39:52+0000 lvl=dbug msg="alert rules fetched" logger=ngalert count=0 disabled_orgs=[]

Why you can’t find that condition? Simple:

# go to folder with the grafana source code for your version
# grep -rin 'Invalid JWT' *
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
# grep -rin 'InvalidJWT' *
pkg/middleware/middleware_jwt_auth_test.go:166:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:182:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:195:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
pkg/services/contexthandler/auth_jwt.go:27:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:37:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:60:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:87:                     ctx.JsonApiErr(401, InvalidJWT, err)

So pkg/services/contexthandler/auth_jwt.go is a file, which you need to understand:

        if err := bus.Dispatch(ctx.Req.Context(), &query); err != nil {
                if errors.Is(err, models.ErrUserNotFound) {
                                "Failed to find user using JWT claims",
                                "email_claim", query.Email,
                                "username_claim", query.Login,
                        err = login.ErrInvalidCredentials
                        ctx.JsonApiErr(401, UserNotFound, err)
                } else {
                        ctx.Logger.Error("Failed to get signed in user", "error", err)
                        ctx.JsonApiErr(401, InvalidJWT, err)
                return true

So ErrUserNotFound is a problem - go to DB and check if email_claim=javeed@mail.onblick.us username_claim=Javeed was created - please don’t ask me which table - try to find it on your own. When you shown your own activity and investigation, then people will more likely help you (me included).

@krishnak1 did you ever find out what the issue was here? I am facing the same issue.

I looked in the database as @jangaraj had asked and did not find any table with column email_claim or username_claim.

I ended up figuring out my particular issue - I had Grafana v 8.3.6 installed but this auto_sign_up feature was only available after Grafana v8.4.0 - so make sure you have the right version installed!