I have followed the below documentation and configured the JWT setting as follows.
Link: https://grafana.com/docs/grafana/latest/auth/jwt/
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = unique_name
username_claim = nameid
org_claim = organization
name_claim = given_name
jwk_set_file = /var/lib/grafana/jwks.json
cache_ttl = 60m
expect_claims = {"iss": "https://<application.abc.com>/oauth2/token"}
auto_sign_up = true
I have generated a new JWT token from our application and did the following GET call to authenticate the user. But I am getting an “Invalid JWT” error message as the response.
curl -H "X-JWT-Assertion: <JWT token>" https://<grafana.abc.com>/api/user
I have validated and verified the signature of the JWT token in the jwt.io portal with the jwks.json public key. The signature is verified.
Error Message in Grafana Logs:
t=2022-02-21T13:43:55+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-21T13:43:55+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr=49.205.10.66 time_ms=1 size=31 referer=
Expected Output:
With a valid JWT token we are able to authenticate using the JWKS.json file and fetch details if the user already exists in Grafana, and create the user if it does not exist in the Grafana database.
You didn’t show what the decoded payload of the used token is.
Please find the below screenshot for the decoded payload data.
Your email_claim = unique_name is an array of strings, actually. I would say it should be a string, not an array.
I have tried this email_claim = nameid configuration, but I am still getting the same error, “Invalid JWT”. Here the nameid value is a string:
"nameid": "javeed@mail.onblick.us"
So it is probably one error of many. I don’t know. Use the standard approach - increase the log level to debug, find the condition which is causing this particular error in the source code, search for similar errors in GitHub/Community/Stack Overflow, …
An obvious problem is also the organization claim, which is also an array - that’s also unusual.
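One way to check a token's claims against the thread's [auth.jwt] mapping before sending it to Grafana, as an added example that is not the poster's or Grafana's own code. It only decodes the payload and deliberately does not verify the signature, so it is a diagnostic aid, not a trust decision; the claim values, issuer URL and token are constructed for this example.

```python
import base64
import json

# Mirrors the [auth.jwt] keys from the thread (constructed issuer URL).
GRAFANA_JWT_CONFIG = {
    "email_claim": "unique_name",
    "username_claim": "nameid",
    "org_claim": "organization",
    "expect_claims": {"iss": "https://application.example/oauth2/token"},
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Does NOT verify the signature;
    use this only to inspect claim shapes, never to trust the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))

def check_claims(payload: dict, cfg: dict) -> list:
    """List the problems Grafana's claim mapping would hit: a mapped claim
    that is missing or not a plain string, or an expect_claims mismatch."""
    problems = []
    for key in ("email_claim", "username_claim", "org_claim"):
        claim = cfg.get(key)
        if not claim:
            continue
        value = payload.get(claim)
        if value is None:
            problems.append(f"{key}: claim '{claim}' missing from payload")
        elif not isinstance(value, str):
            problems.append(f"{key}: claim '{claim}' is {type(value).__name__}, expected string")
    for claim, expected in cfg.get("expect_claims", {}).items():
        if payload.get(claim) != expected:
            problems.append(f"expect_claims: '{claim}' is {payload.get(claim)!r}, expected {expected!r}")
    return problems

def build_sample_token(payload: dict) -> str:
    """Build a constructed token with a placeholder signature segment,
    for offline inspection only (it would fail real verification)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"
```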
I have removed the organization claim field and updated the log level to debug. But we are still getting the same error, “Invalid JWT”.
Updated configuration:
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = nameid
username_claim = given_name
jwk_set_file = /var/lib/grafana/jwks.json
cache_ttl = 60m
expect_claims = {"iss": "https://<Applicationidentity-serverDomain>/oauth2/token"}
auto_sign_up = true
Log Message:
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Parsing JSON Web Token" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Trying to verify JSON Web Token using a key" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Validating JSON Web Token claims" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Failed to find user using JWT claims" logger=context email_claim=javeed@mail.onblick.us username_claim=Javeed
t=2022-02-23T07:39:46+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-23T07:39:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr=61.1.129.178 time_ms=1 size=31 referer=
t=2022-02-23T07:39:52+0000 lvl=dbug msg="recording state cache metrics" logger=ngalert now=2022-02-23T07:39:52+0000
t=2022-02-23T07:39:52+0000 lvl=dbug msg="alert rules fetched" logger=ngalert count=0 disabled_orgs=[]
Why can’t you find that condition? Simple:
# go to folder with the grafana source code for your version
# grep -rin 'Invalid JWT' *
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
# grep -rin 'InvalidJWT' *
pkg/middleware/middleware_jwt_auth_test.go:166: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:182: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:195: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
pkg/services/contexthandler/auth_jwt.go:27: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:37: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:60: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:87: ctx.JsonApiErr(401, InvalidJWT, err)
So pkg/services/contexthandler/auth_jwt.go is the file which you need to understand:
	if err := bus.Dispatch(ctx.Req.Context(), &query); err != nil {
		if errors.Is(err, models.ErrUserNotFound) {
			ctx.Logger.Debug(
				"Failed to find user using JWT claims",
				"email_claim", query.Email,
				"username_claim", query.Login,
			)
			err = login.ErrInvalidCredentials
			ctx.JsonApiErr(401, UserNotFound, err)
		} else {
			ctx.Logger.Error("Failed to get signed in user", "error", err)
			ctx.JsonApiErr(401, InvalidJWT, err)
		}
		return true
	}
So ErrUserNotFound is the problem - go to the DB and check if email_claim=javeed@mail.onblick.us username_claim=Javeed was created - please don’t ask me which table - try to find it on your own. When you show your own activity and investigation, then people will more likely help you (me included).
@krishnak1 did you ever find out what the issue was here? I am facing the same issue.
I looked in the database as @jangaraj had asked and did not find any table with a column email_claim or username_claim.
I ended up figuring out my particular issue - I had Grafana v8.3.6 installed, but this auto_sign_up feature was only available after Grafana v8.4.0 - so make sure you have the right version installed!