Message: "Invalid API key" / status=401 error for Grafana 6.7.0 with Keycloak-GateKeeper authentication

Error in Keycloak-Gatekeeper -

1.5876410010539212e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {“access”: “permitted”, “email”: “admin@abc.com”, “expires”: 34463.946079309, “resource”: “/*”}
1.5876410010572546e+09 info keycloak-gatekeeper/middleware.go:90 client request {“latency”: 0.003677092, “status”: 401, “bytes”: 29, “client_ip”: “10.35.17.58:28430”, “method”: “GET”, “path”: “/grafana”}
1.5876410037203312e+09 error keycloak-gatekeeper/middleware.go:108 no session found in request, redirecting for authorization {“error”: “authentication session not found”}

Grafana Error -
t=2020-04-23T11:04:10+0000 lvl=eror msg=“Invalid API key” logger=context error=“Invalid Api Key”

t=2020-04-23T11:04:10+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path= status=401 remote_addr=10.220.61.28 time_ms=0 size=29 referer=

===========
it works if we put below variable in Keycloak-Gatekeeper ConfigMap , but it disables some API functionality in product…please suggest any other alternative?

enable-authorization-header: false

Please provide minimal, reproducible example. How can you expect any advice, when you don’t provide gatekeeper, grafana config?

I’m facing with the same issue when applying keycloak gatekeeper with grafana

It sounds this issue is connected to grafana build https://github.com/grafana/grafana/issues/1728

If user doesn’t provide any gatekeeper/grafana configuration, then it is hard to say what is a problem. Right question will get right answer - https://github.com/louketo/louketo-proxy/issues/404

BTW: keycloak-gatekeeper is louketo-proxy now

I am seeing the same problem. I do have --enable-authorization-header=false but it looks like the gatekeeper quay.io/louketo/louketo-proxy:1.0.0 is still passing the authorization header to grafana because I see Invalid API key in the grafana logs. Grafana has been configured to run in auth proxy mode. Things work fine when I login from the browser. But trying do a curl to the grafana API fails.

curl -XGET https://grafana.mydomain.com/api/users -H 'Content-Type: application/json' -H "Authorization: Bearer $MY_TKN";
{"message":"Invalid API key"}.

grafana configuration:

  auth.proxy:
    enabled: true
    header_name: X-Auth-Username
    header_property: username
    auto_sign_up: true
    ldap_sync_ttl: 10

The setup itself is fine because it works as expected when I hit the grafana endpoint from a browser. The issue is seen only on curl access where we pass the keycloak token on the command line.