OAuth2/OpenID Sign Out (Grafana + Keycloak)


I’m trying to set up OAuth2/OpenID authorization using Keycloak as Authorization Server (using generic oauth config).
Sign In works wonderful but when I try to Sign Out there is an issue:

  1. Say, I’ve already logged in as a Keycloak user.
  2. I press “Sign out” button and get redirected to grafana/login page.
  3. Then I press “Login with OAuth” but get signed in instantly without entering my credentials.

When I look into Keycloak users active sessions, I see that session is still alive and the cookie is not removed from the browser either. This way a user is able to sign in without entering his/her credentials, though they’ve pressed “Sign Out”.

I am wondering, is there a way on sign out to remove users session from Authorization Server or at least to clear the session cookie? I did not find in Grafana configs any way to specify “sign out URL” or something.


No. There’s an open feature request issue for this.


OK, thank you.
Do you know by any chance, if there is any other way to do a sign out properly with Keycloak and the current version of Grafana?

Happy birthday, by the way :sunny:

Nope, sorry I don’t know any other way.

Thank you :slight_smile:

Try to use a theoretical workaround: short-lived access tokens issued by Keycloak (for example 1 minute) + refresh token.

Now fixed and included in Grafana v5.2.0.


I tried 5.2.0 and 5.2.1 using docker image. Still same old behavior of not asking credentials.

Have you configured the signout_redirect_url?

Awesome.Thanks. That part working if i put logout url of openid provider.
Do we have another option to configure post logout re-direct to grafana login screen ?(As of now it just stays there since openid provider does not self re-direct)

Let me know in case i am missing something here.
Openid provider -> Keycloak

Nothing Grafana can do about that (I think). Please see comment for alternative solution. On a second thought he is appending ?redirect_uri=https\%3A\%2F\%2Fgrafana_host\%2Flogin which you should be able to do as long as your oauth provider supports that.


Superb. Its working flawlessly now. Thanks a lot for assist.

I am trying to get the combination of Keycloak and Grafana to work but have not had a huge success so far. Do you mind sharing some information about your setup/configuration?