JWT errors encountered

Hello Team,

We are using Grafana version 11.2.0 in our Kubernetes containerized environment. We are trying to log in to the Grafana application using a JWT token from an external app, passed through an HTTP header with the header name header_name: X-JWT-Assertion.

I am getting an error on the Grafana validation side, specifically on JWT signature validation. I have selected jwk_set_url as the option for signature verification: jwk_set_url="https://dns_host_name.com/auth-server/jwks".

JWT Authentication Failed - "Failed to authenticate request" error="[jwt.invalid] failed to verify JWT: Get \"https://https://dns_host_name.com/auth-server/jwks\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Here is my current configuration…

auth.jwt:
  enabled: true
  tls_skip_verify_insecure: true
  enable_login_token: true
  header_name: X-JWT-Assertion
  username_claim: sub
  email_claim: sub
  jwk_set_url: https://dns_host_name.com/auth-server/jwks
  cache_ttl: 60m
  auto_sign_up: true
  skip_org_role_sync: true

Below is the error message from the Grafana container.

logger=authn.service t=2024-10-24T17:52:10.040244487Z level=info msg="Failed to authenticate request" client=auth.client.jwt error="[jwt.invalid] failed to verify JWT: Get \"https://https://dns_host_name.com/auth-server/jwks\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
logger=context userId=0 orgId=0 uname= t=2024-10-24T17:52:10.040801065Z level=info msg="Request Completed" method=GET path=/ status=302 remote_addr=10.244.0.0 time_ms=17 duration=17.588575ms size=37 referer=https://dns_host_name.com/auth-server/jwks/externalApp handler=/ status_source=server

Here is the documentation reference link used. - Configure JWT authentication | Grafana documentation

Please advise on how to resolve the issue below… I appreciate your support and feedback! "Failed to authenticate request" client=auth.client.jwt error="[jwt.invalid] failed to verify JWT: Get \"https://https://dns_host_name.com/auth-server/jwks\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Hey @Baskar , welcome to the forums.

It seems like you’re missing the CA from your authentication server. Could you please review whether this answer from another topic on the same error helps you?

Hello @isaqueprofeta ,
Thanks for your quick feedback. Let me try that option and update you ASAP…

Hello @isaqueprofeta ,

Yes. Adding CA certs to Grafana resolved my issue, and I was able to log in without entering the credentials again.
But I have one question, and I am still analyzing how to do it… With the configuration below, it actually replaces the existing /etc/ssl/certs/ca-certificates.crt file in the container with our own CA cert. It looks like, by default, Grafana comes with many CA certs in the /etc/ssl/certs/ca-certificates.crt file. I am not sure if I can replace it or need to append to the existing CA cert values. I am still checking how to add our CA cert to the existing Grafana ca-certificates.crt file instead of replacing it.
Here is the grafana-values.yaml file for reference:

extraSecretMounts:
  - name: grafana-cacert-secret
    mountPath: /etc/ssl/certs/ca-certificates.crt
    secretName: ca-cert
    readOnly: false
    subPath: "ca-certificates.crt"

You can replace it only if you don’t need to use those other (standard) CAs. That must be a very closed system/network. Usually, you are connecting to other servers, which are protected by those CAs - e.g. Grafana is connecting to grafana.com - so you will need to append your CA in this case.
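
The append-instead-of-replace approach discussed in the last two posts, as an added example that is not part of the original thread or of Grafana's own tooling: a script that builds a combined bundle from a copy of the container's default ca-certificates.crt plus a private CA. The function names and file names are hypothetical; it assumes both inputs are PEM files.

```shell
#!/bin/sh
# Added example: append a private CA to a copy of the image's default bundle
# instead of replacing /etc/ssl/certs/ca-certificates.crt with a single cert.
# Function names and file names are hypothetical. Inputs:
#   default bundle: ca-certificates.crt copied out of the Grafana container
#   private CA:     PEM file holding the CA that signed the auth server cert

# count_certs FILE: print the number of PEM certificates in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_bodies FILE: print one line per certificate (base64 body, no whitespace).
cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# append_ca BUNDLE CA OUT: write BUNDLE plus every cert in CA that BUNDLE lacks.
append_ca() {
    bundle=$1 ca=$2 out=$3
    [ -s "$bundle" ] || { echo "bundle missing or empty: $bundle" >&2; return 2; }
    ca_bodies=$(cert_bodies "$ca")
    [ -n "$ca_bodies" ] || { echo "no PEM certificate in: $ca" >&2; return 2; }
    tmp=$(mktemp) || return 2
    cat "$bundle" > "$tmp"
    # Without a trailing newline the last END line would fuse with the next
    # BEGIN line and both certificates would become unparseable.
    [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"
    printf '%s\n' "$ca_bodies" | while IFS= read -r body; do
        # Skip certs already in the bundle so reruns do not duplicate them.
        cert_bodies "$tmp" | grep -qxF -- "$body" && continue
        { echo '-----BEGIN CERTIFICATE-----'
          printf '%s\n' "$body" | fold -w 64
          echo '-----END CERTIFICATE-----'; } >> "$tmp"
    done
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Usage: sh append-ca.sh default-bundle.crt private-ca.crt combined.crt
if [ "$#" -eq 3 ]; then
    append_ca "$@" && echo "combined bundle: $(count_certs "$3") certificates"
fi
```

Storing the combined file under the key ca-certificates.crt in the ca-cert secret lets the extraSecretMounts entry from the thread stay as it is. The combined bundle should be rebuilt when the Grafana image is upgraded, because the default bundle inside the image can change.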