Message: "Invalid API key" / status=401 error for Grafana 6.7.0 with Keycloak-GateKeeper authentication

1

Error in Keycloak-Gatekeeper -

1.5876410010539212e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {“access”: “permitted”, “email”: “admin@abc.com”, “expires”: 34463.946079309, “resource”: “/*”}
1.5876410010572546e+09 info keycloak-gatekeeper/middleware.go:90 client request {“latency”: 0.003677092, “status”: 401, “bytes”: 29, “client_ip”: “10.35.17.58:28430”, “method”: “GET”, “path”: “/grafana”}
1.5876410037203312e+09 error keycloak-gatekeeper/middleware.go:108 no session found in request, redirecting for authorization {“error”: “authentication session not found”}

Grafana Error -
t=2020-04-23T11:04:10+0000 lvl=eror msg=“Invalid API key” logger=context error=“Invalid Api Key”

t=2020-04-23T11:04:10+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path= status=401 remote_addr=10.220.61.28 time_ms=0 size=29 referer=

===========
it works if we put below variable in Keycloak-Gatekeeper ConfigMap , but it disables some API functionality in product…please suggest any other alternative?

enable-authorization-header: false

2

Please provide minimal, reproducible example. How can you expect any advice, when you don’t provide gatekeeper, grafana config?

3

I’m facing with the same issue when applying keycloak gatekeeper with grafana

It sounds this issue is connected to grafana build https://github.com/grafana/grafana/issues/1728

4

If user doesn’t provide any gatekeeper/grafana configuration, then it is hard to say what is a problem. Right question will get right answer - https://github.com/louketo/louketo-proxy/issues/404

BTW: keycloak-gatekeeper is louketo-proxy now

5

I am seeing the same problem. I do have --enable-authorization-header=false but it looks like the gatekeeper quay.io/louketo/louketo-proxy:1.0.0 is still passing the authorization header to grafana because I see Invalid API key in the grafana logs. Grafana has been configured to run in auth proxy mode. Things work fine when I login from the browser. But trying do a curl to the grafana API fails.

curl -XGET https://grafana.mydomain.com/api/users -H 'Content-Type: application/json' -H "Authorization: Bearer $MY_TKN";
{"message":"Invalid API key"}.

grafana configuration:

  auth.proxy:
    enabled: true
    header_name: X-Auth-Username
    header_property: username
    auto_sign_up: true
    ldap_sync_ttl: 10

The setup itself is fine because it works as expected when I hit the grafana endpoint from a browser. The issue is seen only on curl access where we pass the keycloak token on the command line.