Login Provider denied login request

With the following configuration I successfully used the proxy to authenticate the user and, based on their role, forward them to Grafana, until yesterday, when I upgraded Keycloak from 8.0.x to 11.0.3.

What is the problem?
After the proxy redirects the user to the Keycloak auth page and the user logs in successfully, they land on this Grafana page.

Before:

Grafana Version: 7.0.3
louketo Proxy: latest
Keycloak: 8.0.x

After:

Grafana Version: 7.0.3
louketo Proxy: latest
Keycloak: 11.0.3

Environment: Kubernetes

PS: I put a space and / in places where there was a domain or link, as a new user is not allowed to post more than one link, so they are correct; I only did this for the sake of posting here.

Logs from Grafana:

t=2020-11-17T09:23:42+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path= status=302 remote_addr=xxxx time_ms=0 size=37 referer=
t=2020-11-17T09:23:42+0000 lvl=info msg="OAuth auto login enabled. Redirecting to /grafana/login/generic_oauth"
t=2020-11-17T09:23:42+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=307 remote_addr=10.233.115.0 time_ms=22 size=64 referer=
t=2020-11-17T09:23:42+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.233.115.0 time_ms=0 size=325 referer=
t=2020-11-17T09:23:43+0000 lvl=eror msg="failed to login " logger=oauth error=invalid_request errorDesc="Invalid scopes: user:email"
t=2020-11-17T09:23:43+0000 lvl=eror msg="Login provider denied login request" logger=context userId=0 orgId=0 uname= error=invalid_request errorDesc="Invalid scopes: user:email"
t=2020-11-17T09:23:43+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=10.233.115.0 time_ms=22 size=37 referer=

Logs from Proxy:

2020-11-17T09:23:34.639Z error no session found in request, redirecting for authorization {"error": "authentication session not found"}
2020-11-17T09:23:42.654Z info issuing access token for user {"email": "testadmin@ mydomain /.com", "expires": "2020-11-17T09:28:42Z", "duration": "4m59.345095885s"}
2020-11-17T09:23:59.252Z error no session found in request, redirecting for authorization {"error": "authentication session not found"}

Configurations:

grafana.ini:
  paths:
    data: /var/lib/grafana/data
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
  auth:
    disable_login_form: true
    oauth_auto_login: true
    signout_redirect_url: https:// mydomain/.com/auth/realms/myrealm/protocol/openid-connect/logout
  server:
    domain: "mydomain /.com"
    root_url: https:// mydomain /.com/grafana
    serve_from_sub_path: true
  analytics:
    check_for_updates: true
  log:
    mode: console
  log.console:
    level: debug
  grafana_net:
    url: https:// grafana/.net
  auth.generic_oauth:
    enabled: true
    client_id: grafana
    client_secret: xxxxxxxxxxxxxxxxxxxxxx
    auth_url: https:// mydomain/.com/auth/realms/myrealm/protocol/openid-connect/auth
    token_url: https:/ / mydomain/.com/auth/realms/myrealm/protocol/openid-connect/token
    api_url: /https:// mydomain/.com/auth/realms/myrealm/protocol/openid-connect/userinfo
    allow_sign_up: true
    role_attribute_path: contains(roles[], 'admin') && 'Admin' || contains(roles[], 'editor') && 'Editor' || 'Viewer'
    scope: openid email profile roles

My proxy-service config, a Grafana sidecar:

extraContainers: |
  - name: grafana-ingress-proxy
    image: "/quay.io/louketo/louketo-proxy"
    args:
      - --discovery-url=https://mydomain/auth/realms/myrealm/.well-known/openid-configuration
      - --client-id=grafana
      - --client-secret=xxxxxxxxxxxxxxxxxxxxx
      - --listen=0.0.0.0:3001
      - --redirection-url=https://mydomain.com
      - --upstream-url=http://127.0.0.1:3000
      - --base-uri=/grafana
      - --enable-authorization-header=false
      - --enable-refresh-tokens=true
      - --encryption-key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - --secure-cookie=false
      - --resources=uri=/*|roles=grafana:admin,grafana:editor,grafana:viewer|require-any-role=true
      - --skip-upstream-tls-verify
      - --skip-openid-provider-tls-verify=true
      - --enable-token-header=true
    ports:
      - name: http
        containerPort: 3001
        protocol: TCP

Update:
I took the proxy out completely and tried to use OAuth from the Grafana login page; I get the same error as before. To me it looks like something is not compatible between Keycloak 11.0.3 and Grafana 7.

@jangaraj2 @jangaraj can you please have a look at this :wink:

You have the root cause in the logs: Incorrect scopes: user:email.

Before, Keycloak ignored this type of error silently, but now it is stricter. You can only request scopes which are assigned to the client.

@jangaraj thanks, but the grafana client has email as an assigned scope; do I need to assign it somehow differently?

'user:email' (what you are requesting in the Grafana config) != 'email' (what the OIDC client has configured in Keycloak)

I didn't get it; can you please elaborate a bit? Then how should I make Keycloak give what Grafana asks? I didn't find any docs on new versions of Keycloak or Grafana to deal with it.

Visual interpretation of my previous statement:

I came across the same problem while setting up Grafana OAuth with Keycloak.
I think you just need to fix your configuration slightly; I fixed it by setting scopes to the defaults used by Keycloak:

[auth.generic_oauth]
...
scopes = email profile
...

It seems you might have a typo at the end of your config:
scope should be the plural scopes
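As an added example (not code from this thread, nor from Grafana or Keycloak), the following Python preflight captures the two points the replies make: it reads the [auth.generic_oauth] section of a grafana.ini, flags the singular scope key that Grafana does not read, and compares the scopes Grafana would actually send against the scopes_supported list of the realm's OIDC discovery document, which is where a "user:email" versus "email" mismatch shows up before anyone sees "Invalid scopes" in the logs. The two grafana.ini texts and the discovery document are constructed inline for the demonstration; the assumption that Grafana falls back to "user:email profile" when scopes is unset is labelled in the code and is consistent with the user:email the Grafana log above shows being requested.

```python
import configparser
import json

# Assumption: the default Grafana requests when [auth.generic_oauth] has no
# 'scopes' key. It matches the "user:email" the Grafana log in the thread shows.
GRAFANA_DEFAULT_SCOPES = "user:email profile"

# Constructed sample: the original poster's section, with the singular 'scope'
# key that Grafana does not read, so the default above is what gets requested.
OP_INI = """
[auth.generic_oauth]
enabled = true
client_id = grafana
scope = openid email profile roles
"""

# Constructed sample: the corrected section from the last answer in the thread.
FIXED_INI = """
[auth.generic_oauth]
enabled = true
client_id = grafana
scopes = email profile
"""

# Constructed stand-in for the realm's .well-known/openid-configuration; only
# the field this check uses is included. In practice, fetch the discovery URL.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://keycloak.example/auth/realms/myrealm",
    "scopes_supported": ["openid", "email", "profile", "roles", "offline_access"],
})


def requested_scopes(ini_text):
    """Return (scopes Grafana would send, list of config problems found)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    section = parser["auth.generic_oauth"]
    problems = []
    if "scope" in section and "scopes" not in section:
        problems.append("key 'scope' is ignored by Grafana; the key is 'scopes' "
                        "(plural), so the built-in default is requested instead")
    return section.get("scopes", GRAFANA_DEFAULT_SCOPES).split(), problems


def check_scopes(ini_text, discovery_json):
    """Compare the scopes Grafana would request with what the provider advertises."""
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    requested, problems = requested_scopes(ini_text)
    unsupported = [s for s in requested if s not in supported]
    for scope in unsupported:
        problems.append(f"scope '{scope}' is not in scopes_supported; a strict "
                        "provider answers invalid_request, as Keycloak 11 does")
    return {
        "requested": requested,
        "unsupported": unsupported,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    for label, ini in (("original", OP_INI), ("fixed", FIXED_INI)):
        result = check_scopes(ini, DISCOVERY_DOC)
        print(label, "OK" if result["ok"] else "FAIL")
        for problem in result["problems"]:
            print("  -", problem)
```

Passing this check is necessary but not sufficient: scopes_supported is a realm-wide list, so a scope name the realm knows can still be refused if it is not assigned to the grafana client as a default or optional client scope in Keycloak. What the check does catch is the case in this thread, a scope name the provider has never heard of, plus the scope/scopes typo that silently put the default back in play.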