I have followed the below documentation and configured the JWT setting as follows.
Link: https://grafana.com/docs/grafana/latest/auth/jwt/
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = unique_name
username_claim = nameid
org_claim = organization
name_claim = given_name
jwk_set_file = /var/lib/grafana/jwks.json
cache_ttl = 60m
expect_claims = {"iss": "https://<application.abc.com>/oauth2/token"}
auto_sign_up = true
I have generated a new JWT token from our application and made the following GET call to authenticate the user. But I am getting an “Invalid JWT” error message as the response.
curl -H "X-JWT-Assertion: <JWT token>" https://<grafana.abc.com>/api/user
I have validated and verified the signature of the JWT token in jwt.io portal with jwks.json public key. Signature is Verified.
Error Message in Grafana Logs:
t=2022-02-21T13:43:55+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-21T13:43:55+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr=49.205.10.66 time_ms=1 size=31 referer=
Expected Output:
With a valid JWT token we are able to authenticate using the jwks.json file and fetch details if the user already exists in Grafana, and create the user if it does not exist in the Grafana database.
You didn’t show the decoded payload of the token you used.
Please find the below screenshot for the decoded payload data.
Your email_claim = unique_name is an array of strings, actually. I would say it should be a string, not an array.
I have tried this email_claim = nameid configuration, but I am still getting the same error, “Invalid JWT”. Here the nameid value is a string:
"nameid": "javeed@mail.onblick.us"
So it is probably one error from many. I don’t know. Use the standard approach - increase the log level to debug, find the condition which is causing this particular error in the source code, search for similar errors on GitHub/Community/Stack Overflow, …
The obvious problem is also the organization claim, which is also an array - that’s also unusual.
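The two findings above (a mapped claim that is an array rather than a string, and the issuer that must match expect_claims) can be checked locally before a token is ever sent to Grafana. The following stdlib-only Python preflight script is an added example; it is not code from this thread or from Grafana. It decodes the token's header and payload without verifying the signature (Grafana and jwt.io do that part) and reports claims that are missing, non-string or empty for each [auth.jwt] mapping, plus expect_claims mismatches and expiry. The sample payload, issuer URL, kid and claim values are constructed for the example.

```python
"""Preflight check of a JWT's claims against a Grafana [auth.jwt] mapping.

Added example, not Grafana's code. Signature verification is deliberately
out of scope: only the shape of the claims is checked.
"""
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWS segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload) dicts. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_claims(payload, mapping, expect_claims, now=None):
    """Return a list of problem strings; an empty list means the mapping looks usable.

    mapping:       {"email_claim": "<claim>", "username_claim": "<claim>", ...}
                   i.e. the *_claim settings from grafana.ini
    expect_claims: the dict parsed from the expect_claims JSON value
    """
    problems = []
    now = time.time() if now is None else now
    for setting, claim in mapping.items():
        if claim not in payload:
            problems.append(f"{setting}={claim}: claim missing from token")
            continue
        value = payload[claim]
        if not isinstance(value, str):
            # Grafana reads mapped claims as strings; an array yields no usable value.
            problems.append(f"{setting}={claim}: value is {type(value).__name__}, Grafana expects a string")
        elif not value:
            problems.append(f"{setting}={claim}: value is empty")
    for claim, expected in expect_claims.items():
        if payload.get(claim) != expected:
            problems.append(f"expect_claims {claim}: token has {payload.get(claim)!r}, config expects {expected!r}")
    exp = payload.get("exp")
    if exp is not None and exp < now:
        problems.append("token expired (exp is in the past)")
    return problems


def build_unsigned_token(header, payload):
    """Build a compact JWS with a placeholder signature segment, for local testing only."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"signature-placeholder"),
    ])


# Constructed sample payload shaped like the one discussed in the thread:
# unique_name and organization are arrays, nameid and given_name are strings.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.test/oauth2/token",   # constructed issuer
    "unique_name": ["user@example.test"],
    "nameid": "user@example.test",
    "given_name": "Example User",
    "organization": ["Main Org."],
    "exp": 4102444800,                                 # 2100-01-01, never expires in tests
}
SAMPLE_TOKEN = build_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}, SAMPLE_PAYLOAD)

# The original mapping from the first post and the narrowed mapping from the later one.
ORIGINAL_MAPPING = {"email_claim": "unique_name", "username_claim": "nameid",
                    "org_claim": "organization", "name_claim": "given_name"}
FIXED_MAPPING = {"email_claim": "nameid", "username_claim": "given_name"}
EXPECT_CLAIMS = {"iss": "https://idp.example.test/oauth2/token"}


def run(token, mapping, expect_claims):
    """Decode the token and check its claims against one mapping."""
    _, payload = decode_jwt(token)
    return check_claims(payload, mapping, expect_claims)


if __name__ == "__main__":
    for name, mapping in [("original", ORIGINAL_MAPPING), ("fixed", FIXED_MAPPING)]:
        print(name, "->", run(SAMPLE_TOKEN, mapping, EXPECT_CLAIMS) or "OK")
```

Run it against the real token by pasting the compact JWS into SAMPLE_TOKEN's place and the grafana.ini values into the mapping and expect_claims dicts; an empty result means the remaining 401 is not a claim-shape problem and the user lookup itself (or the Grafana version) is the next thing to check.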
I have removed the organization claim field and updated the log level to debug. But we are still getting the same error, “Invalid JWT”.
Updated configuration:
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = nameid
username_claim = given_name
jwk_set_file = /var/lib/grafana/jwks.json
cache_ttl = 60m
expect_claims = {"iss": "https://<Applicationidentity-serverDomain>/oauth2/token"}
auto_sign_up = true
Log Message:
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Parsing JSON Web Token" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Trying to verify JSON Web Token using a key" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Validating JSON Web Token claims" logger=auth.jwt
t=2022-02-23T07:39:46+0000 lvl=dbug msg="Failed to find user using JWT claims" logger=context email_claim=javeed@mail.onblick.us username_claim=Javeed
t=2022-02-23T07:39:46+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-02-23T07:39:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/user status=401 remote_addr=61.1.129.178 time_ms=1 size=31 referer=
t=2022-02-23T07:39:52+0000 lvl=dbug msg="recording state cache metrics" logger=ngalert now=2022-02-23T07:39:52+0000
t=2022-02-23T07:39:52+0000 lvl=dbug msg="alert rules fetched" logger=ngalert count=0 disabled_orgs=[]
Why can’t you find that condition? Simple:
# go to folder with the grafana source code for your version
# grep -rin 'Invalid JWT' *
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
# grep -rin 'InvalidJWT' *
pkg/middleware/middleware_jwt_auth_test.go:166: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:182: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/middleware/middleware_jwt_auth_test.go:195: assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
pkg/services/contexthandler/auth_jwt.go:11:const InvalidJWT = "Invalid JWT"
pkg/services/contexthandler/auth_jwt.go:27: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:37: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:60: ctx.JsonApiErr(401, InvalidJWT, err)
pkg/services/contexthandler/auth_jwt.go:87: ctx.JsonApiErr(401, InvalidJWT, err)
So pkg/services/contexthandler/auth_jwt.go is the file which you need to understand:
    if err := bus.Dispatch(ctx.Req.Context(), &query); err != nil {
        if errors.Is(err, models.ErrUserNotFound) {
            ctx.Logger.Debug(
                "Failed to find user using JWT claims",
                "email_claim", query.Email,
                "username_claim", query.Login,
            )
            err = login.ErrInvalidCredentials
            ctx.JsonApiErr(401, UserNotFound, err)
        } else {
            ctx.Logger.Error("Failed to get signed in user", "error", err)
            ctx.JsonApiErr(401, InvalidJWT, err)
        }
        return true
    }
So ErrUserNotFound is the problem - go to the DB and check if email_claim=javeed@mail.onblick.us username_claim=Javeed was created - please don’t ask me which table - try to find it on your own. When you show your own activity and investigation, then people will be more likely to help you (me included).
@krishnak1 did you ever find out what the issue was here? I am facing the same issue.
I looked in the database as @jangaraj had asked and did not find any table with column email_claim or username_claim.
I ended up figuring out my particular issue - I had Grafana v8.3.6 installed but this auto_sign_up feature was only available after Grafana v8.4.0 - so make sure you have the right version installed!
Hi, I am having a similar issue but I am using PEM file verification and disabling the login form:
disable_login_form=true
enabled = true
header_name = X-JWT-Assertion
key_file = /var/private.pem
cache_ttl = 60m
expect_claims = {"iss": "test"}
auto_sign_up = true
When I curl any endpoint with the appropriate header:
curl -H "X-JWT-Assertion: <myToken>" community.grafana.com4/api/user
The response is always:
{"message":"Unauthorized"}
Update:
I fixed my curl command and now I get
bad request
with the same log line in Grafana as before, and the only thing in the Grafana log is:
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-06-07T13:53:30.291107217Z level=info msg="Request Completed" method=GET path=/api/user status=401 remote_addr=192.168.65.3 time_ms=0 duration=394.858µs size=27 referer= traceID=00000000000000000000000000000000
Questions:
Are there any other settings I could use to possibly debug what is going on?
Are there any parameters from other sections of the config that need to be enabled/disabled to get JWT Auth working?
Following up from my previous post, we discovered our JWT keys were invalid, and we fixed them. When I curl the Grafana server (configured as before) it returns the following:
curl -H "X-JWT-Assertion: <mytoken>" community.grafana.com4/login
<a href="/">Found</a>.
but when adding the header to the redirect in our application, the Grafana log says the token was not found, yet I can see the token in the dev console of the browser.