Keycloak Gateway - When forwarding Grafana gives 401 Invalid API Key

Config items

- GF_AUTH_BASIC_ENABLED=false
- GF_AUTH_ANONYMOUS_ENABLED=true
- GF_LOG_LEVEL=debug
- GF_SERVER_ROUTER_LOGGING=true
- GF_SERVER_DOMAIN=teslamate.lallier.tech

Grafana logs:

teslamate_grafana.1.gfjr1rwb0mvz@docker-node-1    | t=2020-03-08T16:04:30+0000 lvl=eror msg="Invalid API key" logger=context error="Invalid Api Key"
teslamate_grafana.1.gfjr1rwb0mvz@docker-node-1    | t=2020-03-08T16:04:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=401 remote_addr=192.168.1.1 time_ms=0 size=29 referer=
teslamate_grafana.1.gfjr1rwb0mvz@docker-node-1    | t=2020-03-08T16:04:30+0000 lvl=eror msg="Invalid API key" logger=context error="Invalid Api Key"
teslamate_grafana.1.gfjr1rwb0mvz@docker-node-1    | t=2020-03-08T16:04:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/favicon.ico status=401 remote_addr=192.168.1.1 time_ms=0 size=29 referer=https://teslamate.lallier.tech/

The Keycloak Gatekeeper is working as expect. I tested this by pointing it to a simple web server

The answer was you have to strip the Authorization header when forwarding from Keycloak Gateway

Out of curiosity: why do you use keycloak-gatekeeper, when Grafana offers OIDC SSO out of the box?

I don’t have a Authorization header in my request, but I get the same error. Is it related to Cookie?

I already had the Gatekeeper config setup for something else and given the unique circumstance I was in it worked. I was working on getting the Grafana built in OIDC SSO working but of course I hit small problems and haven’t looked back at finishing that.

Hmm, I’m not sure. I’d check any headers and see if possibly any of them are interfering with Grafana.