JWT Authentication issue in Grafana

I have followed the below documentation and configured the JWT setting as follows.
Link: https://grafana.com/docs/grafana/latest/auth/jwt/

    enabled = true
    header_name = X-JWT-Assertion
    email_claim = unique_name
    username_claim = nameid  
    org_claim = organization
    name_claim = given_name
    jwk_set_file = /var/lib/grafana/jwks.json
    cache_ttl = 60m
    expect_claims = {"iss": "https://<application.abc.com>/oauth2/token"}
    auto_sign_up = true

I have a generated a new JWT token from our application and did the following GET call to authenticate the user. But I am getting “Invalid JWT” error message as response.

curl -H "X-JWT-Assertion: "JWT token" https://<grafana.abc.com>/api/user

I have validated and verified the signature of the JWT token in jwt.io portal with jwks.json public key. Signature is Verified.

Error Message in Grafana Logs:

t=2022-02-21T13:43:55+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-21T13:43:55+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr= time_ms=1 size=31 referer=

Expected Output:
With Valid JWT token we are able to authenticate using JWKS.json file and fetch details if user already exists in Grafana. Create a user if not existed in Grafana database.

You didn’t show what is decoded payload of used token.

Please find the below screenshot for the decoded payload data.

Your email_claim = unique_name is an array of strings, actually. I would say it should be a string, not an array.

I have tried this email_claim = nameid configuration, but still I am getting the same error “Invalid JWT”. Here nameid value is string.

"nameid": "javeed@mail.onblick.us"

So it is one error from many probably. I don’t know. Use standard approach - increase log level to debug, find condition which causing this particular error in the source code, search for similar errors in the GitHub/Community/Stackoverlow, …
Obvious problem is also organization claim, which is also array - that’s also unusual.

I have removed the organization claim field and updated log level to debug. But still we are getting the same error. “Invalid JWT”.

Updated configuration:

    enabled = true
    header_name = X-JWT-Assertion
    email_claim = nameid
    username_claim = given_name
    jwk_set_file = /var/lib/grafana/jwks.json
    cache_ttl = 60m
    expect_claims = {"iss": "https://<Applicationidentity-serverDomain>/oauth2/token"}
    auto_sign_up = true

Log Message:

t=2022-02-23T07:39:46+0000 lvl=dbug msg="Parsing JSON Web Token" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Trying to verify JSON Web Token using a key" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Validating JSON Web Token claims" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Failed to find user using JWT claims" logger=context email_claim=javeed@mail.onblick.us username_claim=Javeed
t=2022-02-23T07:39:46+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-23T07:39:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr= time_ms=1 size=31 referer=
t=2022-02-23T07:39:52+0000 lvl=dbug msg="recording state cache metrics" logger=ngalert now=2022-02-23T07:39:52+0000
t=2022-02-23T07:39:52+0000 lvl=dbug msg="alert rules fetched" logger=ngalert count=0 disabled_orgs=[]

Why you can’t find that condition? Simple:

# go to folder with the grafana source code for your version
# grep -rin 'Invalid JWT' *
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
# grep -rin 'InvalidJWT' *
pkg/middleware/middleware_jwt_auth_test.go:166:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:182:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:195:         assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
pkg/services/contexthandler/auth_jwt.go:27:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:37:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:60:             ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:87:                     ctx.JsonApiErr(401, InvalidJWT, err)

So pkg/services/contexthandler/auth_jwt.go is a file, which you need to understand:

        if err := bus.Dispatch(ctx.Req.Context(), &query); err != nil {
                if errors.Is(err, models.ErrUserNotFound) {
                                "Failed to find user using JWT claims",
                                "email_claim", query.Email,
                                "username_claim", query.Login,
                        err = login.ErrInvalidCredentials
                        ctx.JsonApiErr(401, UserNotFound, err)
                } else {
                        ctx.Logger.Error("Failed to get signed in user", "error", err)
                        ctx.JsonApiErr(401, InvalidJWT, err)
                return true

So ErrUserNotFound is a problem - go to DB and check if email_claim=javeed@mail.onblick.us username_claim=Javeed was created - please don’t ask me which table - try to find it on your own. When you shown your own activity and investigation, then people will more likely help you (me included).

@krishnak1 did you ever find out what the issue was here? I am facing the same issue.

I looked in the database as @jangaraj had asked and did not find any table with column email_claim or username_claim.

I ended up figuring out my particular issue - I had Grafana v 8.3.6 installed but this auto_sign_up feature was only available after Grafana v8.4.0 - so make sure you have the right version installed!

Hi, i am having a similar issue but I am using pem file verification and disabling the login form:

    enabled = true
    header_name = X-JWT-Assertion
    key_file = /var/private.pem
    cache_ttl = 60m
    expect_claims = {"iss": "test"}
    auto_sign_up = true

When i curl any endpoint with the appropriate header:

curl -H "X-JWT-Assertion: <myToken>" localhost:30004/api/user

The response is always:


fixed my curl command and now i get

bad request 

with the same log line in grafana as before.
and the only thing in the grafana log is:

logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-06-07T13:53:30.291107217Z level=info msg="Request Completed" method=GET path=/api/user status=401 remote_addr= time_ms=0 duration=394.858µs size=27 referer= traceID=00000000000000000000000000000000

Are there any other settings i could use to possibly debug what is going on?
Are there any parameters from other sections of the config that need to be enabled/disabled to get JWT Auth working?

Following up from my previous post, we discovered our JWT keys were invalid, and we fixed them. When i curl the grafana server (configured as before) it returns the following:

curl -H "X-JWT-Assertion: <mytoken>" localhost:30004/login
<a href="/">Found</a>.

but when adding the header to the redirect in our application, the grafana log says the token was not found, yet I can see the token in the dev console of the browser.