Problem sso keycloak and cookie samesite

calaciurathomas · November 25, 2020, 10:43am

Hello,
there is a grafana and keyclaok (latest version) with an application under docker, the application and grafana are configured for an sso connection with keycloak and works!
The problem occurs when we want to access grafana in the application via an iframe

Configuration
#################################### Generic OAuth ##########################
[auth.generic_oauth]
enabled = true
name = keycloak
allow_sign_up = true
client_id = grafana
client_secret = […]
scopes = openid profile email roles
email_attribute_name = email
email_attribute_path = email
auth_url = http://[…]/auth/realms/poc/protocol/openid-connect/auth
token_url = http://[…]/auth/realms/poc/protocol/openid-connect/token
api_url = http://[…]/auth/realms/poc/protocol/openid-connect/userinfo
tls_skip_verify_insecure = true
cookie_samesite = lax
allow_embedding = true

I manage to work around the problem, by disabling the samesite cookies on chrome: // flags / but this is not a viable solution

in addition if the samesite cookie value is lax in grafana.ini, on firefox I get this error:

Does someone have an idea ?

jangaraj · November 25, 2020, 12:10pm

Cookie samesite config must be none, when you want to use it in the iframe.

calaciurathomas · November 25, 2020, 2:31pm

thank you for your reply,

by changing the value of the samesite to none, I get the following result:

Chrome access - ko

image1253×313 18.9 KB

image1893×269 17.3 KB

is it possible to add the Secure attribute to the cookie?

calaciurathomas · November 25, 2020, 2:32pm

Chrome access iframe - ko

with an error on keycloak “invalid_code”
mozilla firefox and iframe ok
there is however a warning in the console

The “sf_redirect” cookie will be released soon because its “SameSite” attribute is set to “None” or an invalid value and it does not have the “secure” attribute

Chrome flag
trying again with samesite disabled everything works fine on chrome

image871×132 11.6 KB

jangaraj · November 25, 2020, 8:34pm

Of course there is option to set secure flag, see security section

github.com

grafana/grafana/blob/master/conf/defaults.ini

##################### Grafana Configuration Defaults #####################
#
# Do not modify this file in grafana installs
#

# possible values : production, development
app_mode = production

# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
instance_name = ${HOSTNAME}

#################################### Paths ###############################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
data = data

# Temporary files in `data` directory older than given duration will be removed
temp_data_lifetime = 24h

# Directory where grafana can store logs

This file has been truncated. show original

It is mentioned in the doc, which will be good starting point for Grafana administration https://grafana.com/docs/grafana/latest/administration/configuration/#cookie_secure

Topic		Replies	Views
SSO Grafana & Keycloak problem redirect Grafana	5	2675	April 15, 2022
Generic OAuth redirect URL problem Grafana	1	5159	September 15, 2020
Error in setup Grafana + Keycloak Configuration backend-platform , auth , oauth	0	1118	September 24, 2021
Issues with Keycloak integration Grafana	1	1090	October 15, 2022
Grafana error login.OAuthLogin(get info from generic_oauth) Grafana auth , keycloak	7	375	June 17, 2024

Problem sso keycloak and cookie samesite

Related topics